Yet Another Way To Configure DAZ

One morning, after drinking my first cup of coffee for the day, I decided to try DAZ. The handbook said it was required to run as root, but with the strength given by my breakfast I decided no, I will not. Here you have the result:

Preparation

I'm a hardened Gentoo user, so I decided to emerge clamav (if you are not, make sure your clamav is not compiled with --disable-clamuko). In its configuration file (/etc/clamd.conf) I set these options (well, one of them, the interesting one):

User clamav

UM RELATED STUFF

After setting up the UM clamav user properly (as secoff, or bofh on my system):

  bofh@orion~$rsbac_useradd -m -r -P -i 20 -d /adm/clamav -g 700 -u 700 

The user was added with its own password out of separation-of-duties concerns.

Then I proceeded to configure AUTH properly:

AUTH RELATED STUFF

 bofh@orion~$auth_set_cap FD add /usr/sbin/clamd 0/700
 bofh@orion~$auth_set_cap -e FD add /usr/sbin/clamd 0/700
 bofh@orion~$auth_set_cap -f FD add /usr/sbin/clamd 0/700

The commands above with the -e and -f flags are only required if you have CONFIG_RSBAC_AUTH_DAC_OWNER in your kernel config; if not, omit them.

Another thing to keep in mind is that if you enabled CONFIG_RSBAC_AUTH_GROUP you also have to add the AUTH capabilities for its group (the -G, -E and -F flags to auth_set_cap).

Then I started granting clamd the privileges required to work (Linux capabilities):

CAP RELATED STUFF

In my tests, clamd needs CHOWN, DAC_READ_SEARCH, FOWNER, SETGID and SETUID as minimal capabilities, so I granted them as min_caps:

bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd min_caps CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID

and of course, since I granted minimal caps, I forbade passing LD_* environment variables:

bofh@orion~$attr_set_file_dir FD /usr/sbin/clamd cap_ld_env 0

RC RELATED STUFF

If you use the Role Compatibility module, you should create the required roles and types and grant the required rights. In particular, grant R to the clamav config files, RW to the clamav log file and the clamav home dir, and MAP_EXEC and EXECUTE to the required libraries. Grant R to every type of file that clamav should scan.

ClamAV needs access to the dazuko device: grant it READ, READ_WRITE_OPEN, READ_OPEN, WRITE and WRITE_OPEN on the dazuko device type, and READ_WRITE_OPEN, READ_OPEN and WRITE_OPEN on the common device type (devices such as /dev/zero, /dev/null, etc.).

It's a good idea to create its own IPC type and grant clamav_r CLOSE, CREATE, READ, WRITE, LISTEN, SEND, RECEIVE and MAP_EXEC on it.

This can serve as a summary. Adapt the type numbers to suit your needs.

*Type creation

bofh@orion~$ rc_set_item TYPE 100 type_fd_name "bindir_t"
bofh@orion~$ rc_set_item TYPE 102 type_fd_name "sbindir_t"
bofh@orion~$ rc_set_item TYPE 103 type_fd_name "logdir_t"
bofh@orion~$ rc_set_item TYPE 104 type_fd_name "devdir_t"
bofh@orion~$ rc_set_item TYPE 105 type_fd_name "genusrdatadir_t"
bofh@orion~$ rc_set_item TYPE 109 type_fd_name "libdir_t"
bofh@orion~$ rc_set_item TYPE 113 type_fd_name "varlibdir_t"
bofh@orion~$ rc_set_item TYPE 114 type_fd_name "varrundir_t"
bofh@orion~$ rc_set_item TYPE 115 type_fd_name "tmpdir_t"
bofh@orion~$ rc_set_item TYPE 116 type_fd_name "vartmpdir_t"
bofh@orion~$ rc_set_item TYPE 125 type_fd_name "globaletcdir_t"
bofh@orion~$ rc_set_item TYPE 135 type_fd_name "usrdir_t"
bofh@orion~$ rc_set_item TYPE 200 type_fd_name "clamav_t"
bofh@orion~$ rc_set_item TYPE 3 type_dev_name "dazuko"
bofh@orion~$ rc_set_item TYPE 4 type_dev_name "tty_t"
bofh@orion~$ rc_set_item TYPE 9 type_dev_name "common_t"
bofh@orion~$ rc_set_item TYPE 17 type_dev_name "console_t"
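The RC description above lists which rights clamav_r needs but not how the role is created, how the rights are attached to the types, or how the role gets bound to the clamd binary and the clamav user. The script below is an added example, not part of the original page or of RSBAC itself. It prints the admin commands it would run (dry run) and only executes them when APPLY=1 is set. The role number 5, the IPC type number 1, the name clamav_ipc_t, and the exact rc_set_item / attr_set_file_dir / attr_set_user argument forms (type_comp_fd, type_comp_dev, type_comp_ipc, def_ipc_create_type, rc_type_fd, rc_force_role, rc_def_role) are assumptions taken from the usual RSBAC admin-tool usage; check them against rc_set_item -h and the RSBAC handbook before applying. The FD and DEV type numbers are the ones from the type list above.

```shell
#!/bin/sh
# Added example (not from the original page): turn the RC rights description
# into concrete RSBAC admin commands. Dry run by default; set APPLY=1 to execute.
# ASSUMPTIONS: role 5 / IPC type 1 are free, and the rc_set_item / attr_set_*
# item names used here match your RSBAC admin tools (verify with rc_set_item -h).

CLAMAV_ROLE=5        # assumed free role number for clamav_r
CLAMAV_T=200         # clamav_t, home dir and log file
GLOBALETC_T=125      # globaletcdir_t, config files
LOGDIR_T=103         # logdir_t
LIBDIR_T=109         # libdir_t, shared libraries
DAZUKO_DEV_T=3       # dazuko device type
COMMON_DEV_T=9       # common_t (/dev/null, /dev/zero, ...)
CLAMAV_IPC_T=1       # assumed free IPC type number

# run: print the command; execute it only when APPLY=1, aborting on first failure
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@" || { echo "failed: $*" >&2; exit 1; }
    fi
}

# rc_setup_clamav <fd type number>...  : extra FD types clamd may scan (R only)
rc_setup_clamav() {
    # role and its private IPC type
    run rc_set_item ROLE "$CLAMAV_ROLE" name "clamav_r"
    run rc_set_item TYPE "$CLAMAV_IPC_T" type_ipc_name "clamav_ipc_t"

    # file/dir rights: R on config, RW on log and home dir, exec on libraries
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_fd "$GLOBALETC_T" R
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_fd "$LOGDIR_T" RW
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_fd "$CLAMAV_T" RW
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_fd "$LIBDIR_T" R MAP_EXEC EXECUTE

    # read-only access to every type that should be scanned
    for t in "$@"; do
        run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_fd "$t" R
    done

    # devices: full open/read/write on dazuko, open-only rights on common devices
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_dev "$DAZUKO_DEV_T" \
        READ READ_WRITE_OPEN READ_OPEN WRITE WRITE_OPEN
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_dev "$COMMON_DEV_T" \
        READ_WRITE_OPEN READ_OPEN WRITE_OPEN

    # IPC: objects created by the role get the private type, and only that type is usable
    run rc_set_item ROLE "$CLAMAV_ROLE" def_ipc_create_type "$CLAMAV_IPC_T"
    run rc_set_item ROLE "$CLAMAV_ROLE" type_comp_ipc "$CLAMAV_IPC_T" \
        CLOSE CREATE READ WRITE LISTEN SEND RECEIVE MAP_EXEC

    # bind everything together: label the home dir, force the role on the
    # binary so clamd cannot run as anything else, and make it the user's default
    run attr_set_file_dir FD /adm/clamav rc_type_fd "$CLAMAV_T"
    run attr_set_file_dir FD /usr/sbin/clamd rc_force_role "$CLAMAV_ROLE"
    run attr_set_user clamav rc_def_role "$CLAMAV_ROLE"
}

# Usage: review the dry run first, then APPLY=1 ./this-script 135
rc_setup_clamav 135   # 135 = usrdir_t from the type list above
```

Run it once without APPLY to read the full command list, then again with APPLY=1 as secoff. Forcing the role on /usr/sbin/clamd is the important part: with min_caps already restricted, rc_force_role ensures the daemon cannot inherit a broader role from whoever starts it.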

PaX RELATED STUFF

In order to get DAZ working you must disable the PAX_UDEREF and PAX_USERCOPY options in your kernel config; whether UDEREF could be kept by using some gcc plugin instead still has to be tested. Keep in mind that both are kernel hardening features (UDEREF stops the kernel from dereferencing userland pointers, USERCOPY bounds-checks copies between kernel and user memory), so you are trading some kernel self-protection for on-access scanning.

If you wish to go back: https://www.rsbac.org/wiki/experiences/tazok