after cleaning up a bunch of selinux alerts, I update and wham,
clamav/clamd/clamav-db make me assert contexts again to /var/clamav
like...

chcon -t clamd_t clamav -R

which temporarily solves the problem but it would be better if it were
policy and not file contexts. So I search and see for some
reason, /var/clamav is ignored...

# grep clam /etc/selinux/targeted/contexts/files/file_contexts
/etc/clamav(/.*)?                        system_u:object_r:clamd_etc_t:s0
/var/run/clamd.*                         system_u:object_r:clamd_var_run_t:s0
/var/run/clamav.*                        system_u:object_r:clamd_var_run_t:s0
/var/lib/clamav(/.*)?                    system_u:object_r:clamd_var_lib_t:s0
/var/log/clamav(/.*)?                    system_u:object_r:clamd_var_log_t:s0
/var/run/amavis(d)?/clamd\.pid     --    system_u:object_r:clamd_var_run_t:s0
/var/log/clamav/freshclam.*        --    system_u:object_r:freshclam_var_log_t:s0
/usr/sbin/clamd                    --    system_u:object_r:clamd_exec_t:s0
/usr/bin/clamscan                  --    system_u:object_r:clamscan_exec_t:s0
/usr/bin/clamdscan                 --    system_u:object_r:clamscan_exec_t:s0
/usr/bin/freshclam                 --    system_u:object_r:freshclam_exec_t:s0
/usr/share/clamav/clamd-gen        --    system_u:object_r:bin_t:s0
/var/spool/amavisd/clamd\.sock     -s    system_u:object_r:clamd_var_run_t:s0
/usr/share/clamav/freshclam-sleep  --    system_u:object_r:bin_t:s0

Is there something I don't understand or does this need to be
bugzilla'd? Upstream?

Craig

Craig White wrote:
> after cleaning up a bunch of selinux alerts, I update and wham,
> clamav/clamd/clamav-db make me assert contexts again to /var/clamav
> like...
>
> chcon -t clamd_t clamav -R
>
> which temporarily solves the problem but it would be better if it were
> policy and not file contexts. So I search and see for some
> reason, /var/clamav is ignored...
>
> Is there something I don't understand or does this need to be
> bugzilla'd? Upstream?

No, rpmforge. They package clamd to use /var/clamav and not
/var/lib/clamav. There already have been discussions on their list in
the last month/this month. See lists.rpmforge.net.

Ralph

On Sat, 2009-04-04 at 14:08 +0200, Ralph Angenendt wrote:
> Craig White wrote:
> > after cleaning up a bunch of selinux alerts, I update and wham,
> > clamav/clamd/clamav-db make me assert contexts again to /var/clamav
> > like...
> >
> > chcon -t clamd_t clamav -R
> >
> > which temporarily solves the problem but it would be better if it were
> > policy and not file contexts. So I search and see for some
> > reason, /var/clamav is ignored...
> >
> > Is there something I don't understand or does this need to be
> > bugzilla'd? Upstream?
>
> No, rpmforge. They package clamd to use /var/clamav and not
> /var/lib/clamav. There already have been discussions on their list in
> the last month/this month. See lists.rpmforge.net.
----
yeah, I'm even on that list too...

I was thinking that since /etc/selinux/.../file_contexts was part of the
distribution, and it already contained all but one context for the
various clam packages, that amendments to that file would come from
upstream. ;-(

As for the rpmforge list, there was a request to use a modified spec
file to generate rpm's for clamav for this very same problem but it
isn't getting done.

I suppose if nothing else, someone who searches the CentOS list will
have the appropriate command to clean it up each time a new clamav is
released...

chcon -t clamd_t /var/clamav -R

Thanks

Craig
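
Added example, not part of the thread and not CentOS or rpmforge code: a small shell lookup over some of the file_contexts entries quoted in the first message, showing that no clam rule covers /var/clamav and that one local rule changes that. The rule in LOCAL, its type (copied from the stock /var/lib/clamav entry) and the function name fc_lookup are assumptions; matching is simplified to "last matching regex wins" and ignores the file-type column.

```shell
#!/bin/sh
# Constructed sample: four of the stock entries quoted in the thread.
STOCK='/etc/clamav(/.*)? system_u:object_r:clamd_etc_t:s0
/var/lib/clamav(/.*)? system_u:object_r:clamd_var_lib_t:s0
/var/log/clamav(/.*)? system_u:object_r:clamd_var_log_t:s0
/var/log/clamav/freshclam.* -- system_u:object_r:freshclam_var_log_t:s0'

# Hypothetical local rule (assumption): same type as /var/lib/clamav.
# On a real host a rule like this is normally stored in policy with
#   semanage fcontext -a -t clamd_var_lib_t '/var/clamav(/.*)?'
# and applied to the files with
#   restorecon -Rv /var/clamav
# so the label is reapplied by relabels instead of being set by hand.
LOCAL='/var/clamav(/.*)? system_u:object_r:clamd_var_lib_t:s0'

# fc_lookup RULES PATH
# Print the context of the last rule whose regex matches PATH in full,
# or "<<none>>" when no rule in RULES covers it.
fc_lookup() {
    result='<<none>>'
    while read -r regex a b; do
        [ -n "$regex" ] || continue
        # Three fields: the middle one is a file-type flag (--, -s).
        if [ -n "$b" ]; then ctx=$b; else ctx=$a; fi
        # file_contexts regexes are anchored, hence grep -x.
        if printf '%s\n' "$2" | grep -Eqx -e "$regex"; then
            result=$ctx
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# Stock rules only: the rpmforge database path is not covered.
fc_lookup "$STOCK" /var/clamav/main.cvd
# Stock rules plus the local rule: the path now resolves to a type.
fc_lookup "$STOCK
$LOCAL" /var/clamav/main.cvd
```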