Re: SOLVED: error ClamAV daemon

Peter Lesterhuis wrote:

> > > With SELinux in permissive mode clamd started without problem.
> > > In the graphical configuration tool of SELinux I found SELinux Service Protection; there I only had to check clamd.
> > > Clamd is now also running in enforced mode (SELinux).
> >
> > Can you post the output of:
> >
> > # getsebool -a | grep clam
> >
> > I suspect all you've done is turn off SELinux protection of clamd (by
> > setting the clamd_disable_trans boolean). If that's the case, there is a
> > better way but it'll need more work.
> # getsebool -a | grep clam
> clamd_disable_trans --> on
> clamscan_disable_trans --> off
> freshclam_disable_trans --> off
> As you can see I am afraid that is the case.
> > To fix it "properly" you'd need to put SELinux in permissive mode, turn
> > off the clamd_disable_trans boolean and then find the "avc:  denied"
> > messages mentioning clamd in your log files when you start and use the
> > service. By looking at those messages, we can figure out what's wrong
> > and hopefully fix it.
> I started clamd with SELinux in permissive mode and with the clamd_disable_trans boolean turned off. In /var/log/messages there is this error:
> ...
> Jun 12 23:45:21 cello clamd[3053]: Daemon started.
> Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
> Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
> Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
> Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
> Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use
>
> This one might be normal; sshd generates a similar error message.

> In /var/log/audit/audit.log there are several "avc: denied" messages:
>
> ...
> type=AVC msg=audit(1150148721.544:181): avc: denied { read write } for pid=3053 comm="clamd" name="1" dev=devpts ino=3 scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> type=SYSCALL msg=audit(1150148721.544:181): arch=40000003 syscall=11 success=yes exit=0 a0=a063550 a1=a066c98 a2=a06aaa0 a3=a062d50 items=2 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=AVC_PATH msg=audit(1150148721.544:181):  path="/dev/pts/1"
> type=CWD msg=audit(1150148721.544:181):  cwd="/tmp"
> type=PATH msg=audit(1150148721.544:181): item=0 name="/usr/sbin/clamd" flags=101 inode=1115221 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1150148721.544:181): item=1 flags=101 inode=3424499 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150148721.548:182): avc: denied { search } for pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> type=AVC msg=audit(1150148721.548:182): avc: denied { read } for pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
> type=SYSCALL msg=audit(1150148721.548:182): arch=40000003 syscall=149 success=yes exit=0 a0=bfd15ea0 a1=4f32aff4 a2=4f4a1e00 a3=bfd15e98 items=0 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=AVC msg=audit(1150148721.548:183): avc: denied { append } for pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> type=SYSCALL msg=audit(1150148721.548:183): arch=40000003 syscall=5 success=yes exit=3 a0=8b40190 a1=441 a2=1b6 a3=8b405a8 items=1 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=CWD msg=audit(1150148721.548:183):  cwd="/tmp"
> type=PATH msg=audit(1150148721.548:183): item=0 name="/var/log/clamav/clamd.log" flags=310 inode=65664 dev=fd:00 mode=040755 ouid=46 ogid=46 rdev=00:00
> type=AVC msg=audit(1150148721.548:184): avc: denied { getattr } for pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> type=SYSCALL msg=audit(1150148721.548:184): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfd159f4 a2=4f32aff4 a3=3 items=0 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=AVC_PATH msg=audit(1150148721.548:184): path="/var/log/clamav/clamd.log"
> type=AVC msg=audit(1150148721.548:185): avc: denied { write } for pid=3053 comm="clamd" name="log" dev=tmpfs ino=6732 scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
> type=AVC msg=audit(1150148721.548:185): avc: denied { sendto } for pid=3053 comm="clamd" name="log" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
> type=SYSCALL msg=audit(1150148721.548:185): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd15fc0 a2=4f32aff4 a3=15 items=1 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=AVC_PATH msg=audit(1150148721.548:185):  path="/dev/log"
> type=SOCKADDR msg=audit(1150148721.548:185): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> type=SOCKETCALL msg=audit(1150148721.548:185): nargs=3 a0=4 a1=4f32cbe0 a2=6e
> type=PATH msg=audit(1150148721.548:185): item=0 flags=1 inode=6732 dev=00:0f mode=0140666 ouid=0 ogid=0 rdev=00:00
> type=CRED_DISP msg=audit(1150148722.536:186): user pid=3036 uid=0 auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)'
> type=USER_END msg=audit(1150148722.536:187): user pid=3036 uid=0 auid=500 msg='PAM: session close acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/1 res=success)'

Most of these should be fixed in the latest selinux-policy update:

# yum update selinux\* policycoreutils libsepol

This policy module should fix the others. Create files myclamd.fc and myclamd.te in the /root/selinux.local you made last time, and run "make" in that directory.

####### myclamd.fc (one long line) #######
/var/log/clamav/clamd.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)

####### myclamd.te #######
policy_module(myclamd, 0.1.0)

require {
        type clamd_t;
};

# Allow clamd to send syslog messages
# This is clamav 1.0.1
#logging_send_syslog_msg(clamd_t)

# term_dontaudit_use_generic_ptys(clamd_t) is in clamav 1.0.1
#term_dontaudit_use_generic_ptys(clamd_t)

kernel_read_kernel_sysctls(clamd_t)
Then load the new module:
# semodule -i myclamd

Check you have the required module versions:

# semodule -l
amavis  1.0.4
clamav  1.0.1
myclamd 0.1.0
myfreshclam, 0.1.0

Fix /var/log/clamav file contexts:
# restorecon -rv /var/log/clamav
restorecon reset /var/log/clamav/clamd.log context user_u:object_r:var_log_t->system_u:object_r:clamd_var_log_t

Then try restarting clamav and see if any more AVCs appear. If not, try again in enforcing mode.

Paul.
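The work in Paul's reply is reading each AVC record, grouping the denials by target type and class, and matching each group to a policy interface or a relabel. The Python below is an added example, not code from the thread: it does that grouping over AVC lines trimmed from Peter's audit.log excerpt, and the REMEDY table is my own reading of which part of Paul's module (or of clamav 1.0.1) covers each group, not the output of any SELinux tool.

```python
import re
from collections import defaultdict

# AVC lines trimmed from the audit.log excerpt in this thread (non-AVC fields dropped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1150148721.544:181): avc: denied { read write } for pid=3053 comm="clamd" name="1" scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1150148721.544:181): arch=40000003 syscall=11 success=yes exit=0
type=AVC msg=audit(1150148721.548:182): avc: denied { search } for pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1150148721.548:182): avc: denied { read } for pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1150148721.548:183): avc: denied { append } for pid=3053 comm="clamd" name="clamd.log" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1150148721.548:184): avc: denied { getattr } for pid=3053 comm="clamd" name="clamd.log" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1150148721.548:185): avc: denied { write } for pid=3053 comm="clamd" name="log" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1150148721.548:185): avc: denied { sendto } for pid=3053 comm="clamd" name="log" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """user:role:type[:level] -> the type component."""
    return context.split(":")[2]

def summarize_denials(text, source_type="clamd_t"):
    """Group denials from one source domain by (target type, class) -> sorted permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m and type_of(m["scontext"]) == source_type:
            denials[(type_of(m["tcontext"]), m["tclass"])].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in denials.items()}

# Assumed mapping from target type to the fix Paul's reply applies (his myclamd module,
# the interfaces already in clamav 1.0.1, or the relabel); my reading, not tool output.
REMEDY = {
    "sysctl_kernel_t": "kernel_read_kernel_sysctls(clamd_t)",
    "var_log_t": "relabel to clamd_var_log_t via myclamd.fc + restorecon -rv /var/log/clamav",
    "devlog_t": "logging_send_syslog_msg(clamd_t), in clamav 1.0.1",
    "syslogd_t": "logging_send_syslog_msg(clamd_t), in clamav 1.0.1",
    "devpts_t": "term_dontaudit_use_generic_ptys(clamd_t), in clamav 1.0.1",
}

def remedies_for(text, source_type="clamd_t"):
    """Map every (target type, class) denial to its remedy, or flag it as unhandled."""
    return {key: REMEDY.get(key[0], "unhandled: needs a new rule or relabel")
            for key in summarize_denials(text, source_type)}
```

Anything that comes back "unhandled" after the module is loaded and restorecon has run is a denial Paul's procedure does not cover, and is the one to post next.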

