Robert Moskowitz
2013-Jan-24 03:16 UTC
[CentOS] permission problems with avamis and Centos 6.3
I am trying to follow:

http://wiki.centos.org/HowTos/Amavisd

Which seems to really be written for Centos 5, with just some selinux references for Centos 6. There are real problems here for Centos 6 with the userids section.

It gives the following command and result:

cat /etc/passwd | grep "amavis\|clamav"
clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin
amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh

But my Centos 6.3 has:

clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin
amavis:x:493:489::/var/spool/amavisd:/sbin/nologin

Note the difference in userid clam instead of clamav. So this causes problems with the group recommendation:

In addition, the clamav user should automatically have been added to the amavis group:

# groups clamav
clamav : clamav amavis

If not, you can manually add clamav to the amavis group:

gpasswd -a clamav amavis

so I did:

gpasswd -a clam amavis

So far, it seems just changing what userid is now used by clamav...

But in testing for spam I see the following in /var/log/maillog

Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: lstat() failed: Permission denied. ERROR\n"

I checked this directory tree and all along the tree the permissions are to amavis:amavis

So where is my permission problem?
usermod -a -G amavis clam
service clamd restart

be happy
Robert Moskowitz
2013-Jan-24 18:15 UTC
[CentOS] permission problems with avamis and Centos 6.3
Thank you for your suggestion, but it did not fix the permissions problem.

On 01/24/2013 10:13 AM, Rob wrote:
> usermod -a -G amavis clam

How is this different from:

gpasswd -a clam amavis

And I am still getting the permissions error.

> service clamd restart
>
> be happy
On 24.01.2013, at 19:15, Robert Moskowitz <rgm at htt-consult.com> wrote:
> Thank you for your suggestion, but it did not fix the permissions problem.
>
> And I am still getting the permissions error.

What are the permissions for /var/spool/amavisd?

Did you try:
service clam stop
service clam start
Instead of:
restart? (it is not the same)
Daniel J Walsh
2013-Jan-24 19:48 UTC
[CentOS] permission problems with avamis and Centos 6.3
On 01/24/2013 01:15 PM, Robert Moskowitz wrote:
> And I am still getting the permissions error.

Can you attach the AVC messages from the audit log?

ausearch -m avc -ts recent
Robert Moskowitz
2013-Jan-25 05:09 UTC
[CentOS] permission problems with avamis and Centos 6.3
On hold until Monday. It was decided we (family) would pack up and go to Chicago for the weekend. Will work on this when I get back.

Thanks for the pointer.

On 01/24/2013 02:48 PM, Daniel J Walsh wrote:
> Can you attach the AVC messages from the audit log?
>
> ausearch -m avc -ts recent
Robert Moskowitz
2013-Jan-28 16:29 UTC
[CentOS] permission problems with avamis and Centos 6.3
On 01/24/2013 02:48 PM, Daniel J Walsh wrote:
> Can you attach the AVC messages from the audit log?
>
> ausearch -m avc -ts recent

Back home and booted up test system (thus no questions about clamav state):

----
time->Mon Jan 28 11:18:26 2013
type=SYSCALL msg=audit(1359389906.446:25): arch=40000003 syscall=5 success=yes exit=3 a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
----
time->Mon Jan 28 11:18:26 2013
type=SYSCALL msg=audit(1359389906.490:26): arch=40000003 syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.490:26): avc: denied { write } for pid=3045 comm="clamscan" name="tmp" dev=dm-0 ino=2624119 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
----
time->Mon Jan 28 11:18:26 2013
type=SYSCALL msg=audit(1359389906.528:27): arch=40000003 syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0 a3=bfdb5d2c items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1359389906.528:27): avc: denied { write } for pid=3045 comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" dev=dm-0 ino=2753728 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
type=AVC msg=audit(1359389906.528:27): avc: denied { create } for pid=3045 comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
----
time->Mon Jan 28 11:18:26 2013
type=SYSCALL msg=audit(1359389906.529:28): arch=40000003 syscall=15 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1359389906.529:28): avc: denied { setattr } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
----
time->Mon Jan 28 11:18:26 2013
type=SYSCALL msg=audit(1359389906.529:29): arch=40000003 syscall=40 success=no exit=-39 a0=92e64f8 a1=5106a4d2 a2=a36cd8 a3=92fee08 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1359389906.529:29): avc: denied { rmdir } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.529:29): avc: denied { remove_name } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 ino=2753586 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
----
time->Mon Jan 28 11:18:26 2013
type=SYSCALL msg=audit(1359389906.529:30): arch=40000003 syscall=10 success=yes exit=0 a0=92f1910 a1=5106a4d2 a2=a36cd8 a3=92fee08 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null)
type=AVC msg=audit(1359389906.529:30): avc: denied { unlink } for pid=3045 comm="clamscan" name="clamav-fcdca25df759de4e1da6dab82a8439a5" dev=dm-0 ino=2753729 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file

Hope this helps!
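The AVC records in the message above are easier to read once grouped by source type, target type and object class. The following Python parser is an added example, not part of any post in this thread: it groups the denials, prints them in the allow-rule notation for review, and pairs each denial with its SYSCALL record by audit event id. SAMPLE is abridged from the records posted above; the function names are this example's own.

```python
import errno
import re
from collections import defaultdict

# Abridged from the ausearch output posted in the thread: fields this example
# does not read (a0-a3, the uid/gid set, dev, ino, hashed names) are dropped.
SAMPLE = """\
type=SYSCALL msg=audit(1359389906.446:25): arch=40000003 syscall=5 success=yes exit=3 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 comm="clamscan" name="parts" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1359389906.490:26): arch=40000003 syscall=39 success=yes exit=0 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.490:26): avc: denied { write } for pid=3045 comm="clamscan" name="tmp" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1359389906.528:27): arch=40000003 syscall=5 success=yes exit=5 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1359389906.528:27): avc: denied { write } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
type=AVC msg=audit(1359389906.528:27): avc: denied { create } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1359389906.529:28): arch=40000003 syscall=15 success=yes exit=0 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1359389906.529:28): avc: denied { setattr } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1359389906.529:29): arch=40000003 syscall=40 success=no exit=-39 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1359389906.529:29): avc: denied { rmdir } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1359389906.529:29): avc: denied { remove_name } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1359389906.529:30): arch=40000003 syscall=10 success=yes exit=0 comm="clamscan" subj=system_u:system_r:clamscan_t:s0
type=AVC msg=audit(1359389906.529:30): avc: denied { unlink } for pid=3045 comm="clamscan" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
"""

# re.S lets a record span wrapped lines; the lazy ".*?" keeps each match
# inside its own record even when records are run together on one line.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scon>\S+)\s+"
    r"tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)",
    re.S,
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<id>[\d.]+:\d+)\):.*?"
    r"success=(?:yes|no)\s+exit=(?P<exit>-?\d+)",
    re.S,
)


def _type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (event_id, source_type, target_type, tclass, perms) per AVC denial."""
    for m in AVC_RE.finditer(text):
        yield (m["id"], _type_of(m["scon"]), _type_of(m["tcon"]),
               m["tclass"], m["perms"].split())


def summarize(text):
    """Map (source_type, target_type, tclass) to the sorted denied permissions."""
    grouped = defaultdict(set)
    for _, src, tgt, tclass, perms in parse_denials(text):
        grouped[(src, tgt, tclass)].update(perms)
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render the summary in allow-rule notation, for reading rather than loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


def unblocked_denials(text):
    """Event ids whose syscall did not return EACCES despite a logged denial.

    An enforced denial normally fails the syscall with EACCES; a denial next
    to any other result was logged without blocking (as in permissive mode).
    Events with no SYSCALL record are skipped because nothing can be said.
    """
    outcome = {m["id"]: int(m["exit"]) for m in SYSCALL_RE.finditer(text)}
    ids = []
    for event_id, *_ in parse_denials(text):
        if (event_id in outcome and outcome[event_id] != -errno.EACCES
                and event_id not in ids):
            ids.append(event_id)
    return ids


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE)):
        print(rule)
    print("denial logged, syscall not EACCES:", unblocked_denials(SAMPLE))
```

On a live system the input would be the text printed by `ausearch -m avc -ts recent`, the command requested in the thread.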
Robert Moskowitz
2013-Jan-28 16:31 UTC
[CentOS] permission problems with avamis and Centos 6.3
On 01/24/2013 02:22 PM, Rob wrote:
> What are the permissions for /var/spool/amavisd?

amavis:amavis

> Did you try:
> service clam stop
> service clam start
> Instead of:
> restart? (it is not the same)

Does boot count? ;) Yes this was from a clean boot. And I just powered up the system again today and it repeated the permissions problem.
Daniel J Walsh
2013-Jan-28 18:15 UTC
[CentOS] permission problems with avamis and Centos 6.3
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/28/2013 11:29 AM, Robert Moskowitz wrote:> > On 01/24/2013 02:48 PM, Daniel J Walsh wrote: >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> >> On 01/24/2013 01:15 PM, Robert Moskowitz wrote: >>> Thank you for your suggestion, but it did not fix the permissions >>> problem. >>> >>> On 01/24/2013 10:13 AM, Rob wrote: >>>> usermod -a -G amavis clam >>> How is this different from: >>> >>> gpasswd -a clam amavis >>> >>> And I am still getting the permissions error. >>> >>>> service clamd restart >>>> >>>> be happy >>>> >>>> On 24.01.2013, at 04:16, Robert Moskowitz <rgm at htt-consult.com> >>>> wrote: >>>> >>>>> I am trying to follow: >>>>> >>>>> http://wiki.centos.org/HowTos/Amavisd >>>>> >>>>> Which seems to really be written for Centos 5, with just some >>>>> selinux references for Centos 6. There are real problems here for >>>>> Centos 6 with the userids section. >>>>> >>>>> It gives the following command and result: >>>>> >>>>> cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti >>>>> Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis >>>>> email scan user:/var/amavis:/bin/sh >>>>> >>>>> But my Centos 6.3 has: >>>>> >>>>> clam:x:494:490:Clam Anti Virus >>>>> Checker:/var/lib/clamav:/sbin/nologin >>>>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin >>>>> >>>>> Note the difference in userid clam instead of clamav. So this >>>>> causes problems with the group recommendation: >>>>> >>>>> In addition, the clamav user should automatically have been added >>>>> to the amavis group: >>>>> >>>>> # groups clamav clamav : clamav amavis >>>>> >>>>> If not, you can manually add clamav to the amavis group: >>>>> >>>>> gpasswd -a clamav amavis >>>>> >>>>> >>>>> so I did: >>>>> >>>>> gpasswd -a clam amavis >>>>> >>>>> >>>>> So far, it seems just changing what userid is now used by >>>>> clamav... 
>>>>> >>>>> But in testing for spam I see the following in /var/log/maillog >>>>> >>>>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av >>>>> (ClamAV-clamd) FAILED - unexpected , >>>>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: >>>>> lstat() failed: Permission denied. ERROR\n" >>>>> >>>>> I checked this directory tree and all along the tree the >>>>> permissions are to amavis:amavis >>>>> >>>>> So where is my permission problem? >>>>> >>>>> >>>>> _______________________________________________ CentOS mailing >>>>> list CentOS at centos.org >>>>> http://lists.centos.org/mailman/listinfo/centos >>>> _______________________________________________ CentOS mailing list >>>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos >>>> >>> _______________________________________________ CentOS mailing list >>> CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos >>> >> Can you attach the AVC messages from audit log. >> >> ausearch -m avc -ts recent > > Back home and booted up test system (thus no questions about clamav > state): > > ---- time->Mon Jan 28 11:18:26 2013 type=SYSCALL > msg=audit(1359389906.446:25): arch=40000003 syscall=5 success=yes exit=3 > a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 > auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 > sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" > exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) > type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 > comm="clamscan" name="parts" dev=dm-0 ino=2624185 > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): arch=40000003 > syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 > items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 > suid=493 fsuid=493 
egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 > comm="clamscan" exe="/usr/bin/clamscan" > subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC > msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC > msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC > msg=audit(1359389906.490:26): avc: denied { write } for pid=3045 > comm="clamscan" name="tmp" dev=dm-0 ino=2624119 > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27): arch=40000003 > syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0 a3=bfdb5d2c items=0 > ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 > fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 > comm="clamscan" exe="/usr/bin/clamscan" > subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC > msg=audit(1359389906.528:27): avc: denied { write } for pid=3045 > comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" dev=dm-0 > ino=2753728 scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file type=AVC > msg=audit(1359389906.528:27): avc: denied { create } for pid=3045 > comm="clamscan" name="clamav-308541af5e7a69c500ba0757a9644b91" > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file ---- time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:28): arch=40000003 > syscall=15 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 > items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 
euid=493 > suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 > comm="clamscan" exe="/usr/bin/clamscan" > subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC > msg=audit(1359389906.529:28): avc: denied { setattr } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 > ino=2753586 scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:29): arch=40000003 > syscall=40 success=no exit=-39 a0=92e64f8 a1=5106a4d2 a2=a36cd8 a3=92fee08 > items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 > suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 > comm="clamscan" exe="/usr/bin/clamscan" > subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC > msg=audit(1359389906.529:29): avc: denied { rmdir } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 > ino=2753586 scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC > msg=audit(1359389906.529:29): avc: denied { remove_name } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" dev=dm-0 > ino=2753586 scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir ---- time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.529:30): arch=40000003 > syscall=10 success=yes exit=0 a0=92f1910 a1=5106a4d2 a2=a36cd8 a3=92fee08 > items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 > suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 > comm="clamscan" exe="/usr/bin/clamscan" > subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC > msg=audit(1359389906.529:30): avc: denied { unlink } for pid=3045 > comm="clamscan" name="clamav-fcdca25df759de4e1da6dab82a8439a5" dev=dm-0 > ino=2753729 scontext=system_u:system_r:clamscan_t:s0 > 
tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
>
> Hope this helps!

Try policy on people.redhat.com/dwalsh/SELinux/RHEL6
Robert Moskowitz
2013-Jan-28 19:39 UTC
[CentOS] permission problems with avamis and Centos 6.3
On 01/28/2013 01:15 PM, Daniel J Walsh wrote:
> Try policy on people.redhat.com/dwalsh/SELinux/RHEL6

This is a little too cryptic for me. I went to this url and since my system is i386 architecture, I went to the i686 directory. There I find a number of RPMs and a number that start with policy. I assume I can add this to my yum.repo over whatever I normally get for Centos, but what do I install or update?
Daniel J Walsh
2013-Jan-28 19:46 UTC
[CentOS] permission problems with avamis and Centos 6.3
On 01/28/2013 02:39 PM, Robert Moskowitz wrote:
> On 01/28/2013 01:15 PM, Daniel J Walsh wrote:
>> Try policy on people.redhat.com/dwalsh/SELinux/RHEL6
>
> This is a little too cryptic for me. I went to this url and since my
> system is i386 architecture, I went to the i686 directory. There I find a
> number of RPMs and a number that start with policy. I assume I can add
> this to my yum.repo over whatever I normally get for Centos, but what do I
> install or update?

You want the selinux-policy packages from the noarch directory.
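A small triage helper for AVC output like the records quoted in this thread, added here as an example (not code from any poster or from the SELinux project): it groups the denials by source type, target type and object class, and tolerates the `>` quote markers and line wrapping that mail clients add. The sample input is constructed from four of the thread's records, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC records taken from the ausearch output in this
# thread, left in mail-quoted form (">>" markers, wrapped lines) on purpose.
SAMPLE = """\
>> type=AVC msg=audit(1359389906.446:25): avc: denied { read
>> } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185
>> scontext=system_u:system_r:clamscan_t:s0
>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>> type=AVC msg=audit(1359389906.490:26): avc: denied { create } for pid=3045
>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9"
>> scontext=system_u:system_r:clamscan_t:s0
>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>> type=AVC msg=audit(1359389906.490:26): avc: denied { write } for pid=3045
>> comm="clamscan" name="tmp" dev=dm-0 ino=2624119
>> scontext=system_u:system_r:clamscan_t:s0
>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
>> type=AVC msg=audit(1359389906.529:30): avc: denied { unlink } for pid=3045
>> comm="clamscan" name="clamav-fcdca25df759de4e1da6dab82a8439a5" dev=dm-0
>> ino=2753729 scontext=system_u:system_r:clamscan_t:s0
>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=file
"""

# One denial: the permission set in braces, then key=value fields up to tclass,
# which is the last field of every AVC record shown in the thread.
AVC_RE = re.compile(
    r"avc:[\s>]+denied[\s>]+\{([^}]*)\}[\s>]+for\b(.*?\btclass=\w+)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for perms, body in AVC_RE.findall(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # incomplete record, nothing reliable to group on
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]),
               fields["tclass"])
        # Drop tokens that are only mail quote markers, e.g. "{ read >> }".
        groups[key].update(p for p in perms.split() if p.strip(">"))
    return {k: sorted(v) for k, v in groups.items()}


def render(summary):
    """One readable line per (source, target, class) group."""
    return [f"{s} -> {t} ({c}): {', '.join(p)}"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    for line in render(summarize(SAMPLE)):
        print(line)
```

On a live system the same function can be fed the text produced by the `ausearch -m avc -ts recent` command quoted in the thread.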