SELinux prevent connection clamd_port_t:tcp_socket

Maan · ‎09-22-2021

Hello,

We have API Server (tomcat) which has clamAV configuration to scan any uploaded file to the system.

clamAV configuration will require the API server to connect to clamAV server.

SELinux is enabled on both servers and whenever we try to upload files we get the following error/exception:

tomcat: java.net.socketexception permission denied (connect failed)

This error is related to SELinux, and here the audit log for this denial:

type=AVC msg=audit(1632293242.892:403): avc:  denied  { name_connect } for  pid=2663 comm="http-nio-8780-e" dest=3310 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:clamd_port_t:s0 tclass=tcp_socket permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

We solved this by creating SELinux custom policy using Audit2Allow command.

But, we need to know if there is any other way to solve this using SELinux Booleans or any label change we can apply.

Could you please advise ?

Thanks

Forrest · ‎09-22-2021

What was the policy that audit2allow generated? I think if you post that, we can help you determine whether there is something better that you can do. My guess is that it is allowing tomcat_t to connect to clamd_port_t.

Maan · ‎09-22-2021

Here we have the files content that generated by audit2allow:

one file wiht te extension:

module mytomcat 1.0;

require {
type clamd_port_t;
type tomcat_t;
class tcp_socket name_connect;
}

#============= tomcat_t ==============
allow tomcat_t clamd_port_t:tcp_socket name_connect;

And another file with ee extension:

��|��|�SE Linux Modumytomcat1.0@
tcp_socket
name_connecobject_r@@@@tomcat_t
@clamd_port_t@@@@@@@@@@@@@@@@@@@@@@@@@@
tcp_sockeobject_tomcat_t
clamd_port_t

To active the policy I run this command:

sudo semodule -i mytomcat.pp

Maan · ‎09-23-2021

@Maan wrote:
Here we have the files content that generated by audit2allow:
one file wiht te extension:
module mytomcat 1.0;
require {
type clamd_port_t;
type tomcat_t;
class tcp_socket name_connect;
}
#============= tomcat_t ==============
allow tomcat_t clamd_port_t:tcp_socket name_connect;

And another file with ee extension:
��|��|�SE Linux Modumytomcat1.0@
tcp_socket
name_connecobject_r@@@@tomcat_t
@clamd_port_t@@@@@@@@@@@@@@@@@@@@@@@@@@
tcp_sockeobject_tomcat_t
clamd_port_t

To active the policy I run this command:
sudo semodule -i mytomcat.pp

Sorry, the second file with pp extension

Forrest · ‎09-22-2021

...also, which version of Linux are you using? RHEL8, RHEL7, Fedora 30, etc.

EmanuelHaine · ‎11-15-2021

Hello @Maan ,

I've done some research and I found some possible workarounds:

First, take a look on your boolean list and see if there is somenthing related with clamd connection.
If yes, try to enable and persist it
If not exists, try to use some httpd boolean. It might work.
If any step above didn't work, try to run this command "semanage port -a -t clamd_port_t -p tcp <port>"

Here the references:

https://linux.die.net/man/8/clamd_selinux

https://linoxide.com/use-semanage-command-selinux-policy/