Maan
Mission Specialist

SELinux prevent connection clamd_port_t:tcp_socket

Hello,

We have an API server (tomcat) which has a clamAV configuration to scan any file uploaded to the system.

The clamAV configuration requires the API server to connect to the clamAV server.

SELinux is enabled on both servers and whenever we try to upload files we get the following error/exception:

tomcat: java.net.socketexception permission denied (connect failed)

This error is related to SELinux, and here is the audit log for this denial:

type=AVC msg=audit(1632293242.892:403): avc:  denied  { name_connect } for  pid=2663 comm="http-nio-8780-e" dest=3310 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

We solved this by creating a custom SELinux policy using the audit2allow command.

But we need to know if there is any other way to solve this, using SELinux booleans or any label change we can apply.

Could you please advise?

Thanks

5 Replies
Forrest
Flight Engineer

What was the policy that audit2allow generated?  I think if you post that, we can help you determine whether there is something better that you can do.  My guess is that it is allowing tomcat_t to connect to clamd_port_t.

Maan
Mission Specialist

Here is the content of the files generated by audit2allow:

One file with te extension:

module mytomcat 1.0;

require {
type clamd_port_t;
type tomcat_t;
class tcp_socket name_connect;
}

#============= tomcat_t ==============
allow tomcat_t clamd_port_t:tcp_socket name_connect;


And another file with ee extension:


To activate the policy I run this command:

sudo semodule -i mytomcat.pp

Maan

Sorry, the second file with pp extension

Forrest
Flight Engineer

...also, which version of Linux are you using?  RHEL8, RHEL7, Fedora 30, etc.

EmanuelHaine
Flight Engineer

Hello @Maan ,

I've done some research and I found some possible workarounds:

  1. First, take a look at your boolean list and see if there is something related to the clamd connection.
  2. If yes, try to enable and persist it.
  3. If it does not exist, try to use some httpd boolean. It might work.
  4. If none of the steps above worked, try to run this command: "semanage port -a -t clamd_port_t -p tcp <port>"

Here are the references:

https://linux.die.net/man/8/clamd_selinux

https://linoxide.com/use-semanage-command-selinux-policy/

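One way to turn the AVC record from the question into the triage order this reply describes, as an added example (a shell script written for this thread, not code from any poster or from the SELinux tools). The helper names (avc_field, avc_type, avc_perm, triage_plan) are mine, and the boolean name prefixes it greps for are guesses at likely names, not booleans known to exist on the asker's system.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses one AVC record and prints
# the triage order the reply above describes: look for a boolean first,
# check the port label, and only then fall back to a custom module.
# The helper names (avc_field, avc_type, avc_perm, triage_plan) are mine,
# and the boolean prefixes grepped for are guesses, not known booleans.

# Constructed sample: the denial quoted in the question.
AVC='type=AVC msg=audit(1632293242.892:403): avc:  denied  { name_connect } for  pid=2663 comm="http-nio-8780-e" dest=3310 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field RECORD KEY -> the value of KEY=value in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type (third field) of an SELinux context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm RECORD -> the denied permission inside { ... }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p'
}

# triage_plan RECORD -> the commands to run, in the order suggested above
triage_plan() {
    src=$(avc_type "$(avc_field "$1" scontext)")   # tomcat_t
    tgt=$(avc_type "$(avc_field "$1" tcontext)")   # clamd_port_t
    port=$(avc_field "$1" dest)                    # 3310
    perm=$(avc_perm "$1")                          # name_connect
    cls=$(avc_field "$1" tclass)                   # tcp_socket
    stem=${src%_t}                                 # tomcat
    tstem=${tgt%_port_t}                           # clamd
    cat <<EOF
# 1/2. list booleans whose name suggests they cover ${src} -> ${tgt}:${perm},
#      then enable the matching one persistently (placeholder name):
getsebool -a | grep -E '^(${stem}|${tstem}|antivirus|httpd)_'
setsebool -P <matching_boolean> on
# 3. check how ${port}/tcp is labelled (the AVC already shows ${tgt}):
semanage port -l | grep -w ${port}
# 4. last resort: a module granting exactly this one access
allow ${src} ${tgt}:${cls} ${perm};
EOF
}

triage_plan "$AVC"
```

The printed plan is a checklist to work through by hand on the affected host; the script itself only reads the pasted record and changes nothing.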