I've got a CentOS 7 box configured as a Squid proxy, with clamav and Squidclamav. Normally I would just disable SELINUX, but I am attempting to understand and setup allow rules properly. I've managed to create several to fix issues identified with squid however, one error related to sockets with clamd is causing problems.
type=AVC msg=audit(1436899859.808:9282): avc: denied { unlink } for pid=22802 comm="clamd" name="clamd.sock" dev="tmpfs" ino=729382 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
What module/allow rule do I need to fix this entry being reported in the audit.log?
Best Answer
The clamd socket file
/var/run/clamd.scan/clamd.sockhas somehow gotten mislabeled. It has the typevar_run_t, but it should beantivirus_var_run_tin current SELinux policy. Anything matching/var/run/clamd.*should be labeledantivirus_var_run_t.This could be because the socket was created while an older version of the policy was installed, or a program or user could have manually mislabeled it.
Since you say the system is up to date, I would recommend relabeling the file (and, for that matter, the entire system, just to be sure), to correct any mislabeled files, and then restarting.