Regarding the brilliant wiki site:
http://wiki.centos.org/HowTos/Amavisd?highlight=%28Amavis%29
I faced the following issue on CentOS 6.2:
"Spamassind" saves each message and its attached part in a folder in
clamd accesses the folder, creates itself a temporary folder and deletes
it afterwards. This was stopped by SELinux and caused the virus scan to
fail.
This action causes SE-Linux issues like (this is a saved message while
already in the process, the first would cause a "permission denied" on
the "parts" folder):
Sep 30 15:47:10 rose amavis[14709]: (14709-08) (!)run_av
(ClamAV-clamscan) FAILED - unexpected exit 2,
output="/var/amavis/tmp/amavis-20120930T154701-14709/parts/p002: Can't
create temporary directory
ERROR\n/var/amavis/tmp/amavis-20120930T154701-14709/parts/p001: OK"
Here is an SE Linux failure message:
Sep 30 15:54:53 (null) (null): audit(1349013293.978:90934): avc: denied
{ remove_name } for pid=19832 comm=clamscan
name=clamav-9e9d055254e79e18d8f8592eeee57a53 ino=655768 dev=dm-0
scontext=system_u:system_r:clamscan_t:s0
tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir
I had found two web pointer with this issue, but no solutions:
Here is my solution, which is proposed to be inserted in Chapter 5: SELinux:
* create file:
--se_clamav_amavis.te--
# ***HaO 2012-09-30: add rule to allow clamav to access amavis files
# and writes back ok file and may create temp folder
module clamscanamavis 1.0;
require {
type clamscan_t;
type amavis_var_lib_t;
class file {getattr read open write create unlink};
class dir {search read getattr open write add_name create
setattr remove_name rmdir};
}
allow clamscan_t amavis_var_lib_t:file {getattr read open write create
unlink};
allow clamscan_t amavis_var_lib_t:dir {search read getattr open write
add_name create setattr remove_name rmdir};
-EOF-
* checkmodule -M -m -o se_clamav_amavis.mod se_clamav_amavis.te
* semodule_package -o se_clamav_amavis.pp -m se_clamav_amavis.mod
* semodule -i se_clamav_amavis.pp
---
N.B. I am just migrating from SuSE to CentOS and this is my first
contact with SELinux. I have *no idea* if this is the appropriate
approach to solve the issue. I have found out this by trial and error
and not by the audit method (which sounds incredible complicated as the
whole SELinux).
---
N.B. I was not able to edit the wiki nor leave something like a
discussion comment, strange wiki...
Thank you,
Harald