Re: SOLVED: error ClamAV daemon

>>>>>>>>>> With SELinux in permissive mode clamd started without problem.
>>>>>>>>>> In the graphical configuration tool of SELinux I found SELinux
>>>>>>>>>> Service Protection; there I only had to check clamd.
>>>>>>>>>>
>>>>>>>>>> Clamd is now also running in enforced mode (SELinux).
>>>>>>>>>
>>>>>>>>> Can you post the output of:
>>>>>>>>>
>>>>>>>>> # getsebool -a | grep clam
>>>>>>>>>
>>>>>>>>> I suspect all you've done is turn off SELinux protection of clamd (by
>>>>>>>>> setting the clamd_disable_trans boolean). If that's the case, there is a
>>>>>>>>> better way but it'll need more work.
>>>>>>>>
>>>>>>>> # getsebool -a | grep clam
>>>>>>>> clamd_disable_trans --> on
>>>>>>>> clamscan_disable_trans --> off
>>>>>>>> freshclam_disable_trans --> off
>>>>>>>>
>>>>>>>> As you can see I am afraid that is the case.
>>>>>>>
>>>>>>> To fix it "properly" you'd need to put SELinux in permissive mode, turn
>>>>>>> off the clamd_disable_trans boolean and then find the "avc:  denied"
>>>>>>> messages mentioning clamd in your log files when you start and use the
>>>>>>> service. By looking at those messages, we can figure out what's wrong
>>>>>>> and hopefully fix it.
>>>>>>
>>>>>> I started clamd with SELinux in permissive mode and with
>>>>>> clamd_disable_trans boolean turned off. In /var/log/messages there is
>>>>>> this error:
>>>>>> ...
>>>>>> Jun 12 23:45:21 cello clamd[3053]: Daemon started.
>>>>>> Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
>>>>>> Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
>>>>>> Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
>>>>>> Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
>>>>>> Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use
>>>>>
>>>>> This one might be normal; sshd generates a similar error message.
>>>>
>>>> In /var/log/audit/audit.log there are several "avc: denied" messages:
>>>> ...
>>>
>>> Most of these should be fixed in the latest selinux-policy update:
>>>
>>> # yum update selinux\* policycoreutils libsepol
>>>
>>> This policy module should fix the others. Create files myclamd.fc and
>>> myclamd.te in the /root/selinux.local you made last time, and run
>>> "make" in that directory.
>>>
>>> ####### myclamd.fc (one long line) #######
>>> /var/log/clamav/clamd.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
>>>
>>> ####### myclamd.te #######
>>> policy_module(myclamd, 0.1.0)
>>>
>>> require {
>>>          type clamd_t;
>>> };
>>>
>>> # Allow clamd to send syslog messages
>>> # This is clamav 1.0.1
>>> #logging_send_syslog_msg(clamd_t)
>>>
>>> # term_dontaudit_use_generic_ptys(clamd_t) is in clamav 1.0.1
>>> #term_dontaudit_use_generic_ptys(clamd_t)
>>>
>>> kernel_read_kernel_sysctls(clamd_t)
>>>
>>> Then load the new module:
>>> # semodule -i myclamd
>>>
>>> Check you have the required module versions:
>>>
>>> # semodule -l
>>> amavis  1.0.4
>>> clamav  1.0.1
>>> myclamd 0.1.0
>>> myfreshclam, 0.1.0
>>>
>>> Fix /var/log/clamav file contexts:
>>> # restorecon -rv /var/log/clamav
>>> restorecon reset /var/log/clamav/clamd.log context user_u:object_r:var_log_t->system_u:object_r:clamd_var_log_t
>>>
>>> Then try restarting clamav and see if any more AVCs appear. If not,
>>> try again in enforcing mode.
>>
>> I updated selinux\* policycoreutils and libsepol. I created the files
>> myclamd.fc and myclamd.te and issued the "make"-command.
>> Loading the new module gives me this output:
>> selinux.local]# semodule -i myclamd
>> semodule:  Could not read file 'myclamd':
>
> Sorry, that should have been:
>
> # semodule -i myclamd.pp
OK, I could load the module now.
The output of # semodule -l is:
# semodule -l
amavis  1.0.4
clamav  1.0.1
myclamd 0.1.0
myfreshclam     0.1.0
pyzor   1.0.1

I ran the "restorecon"-command (first line only?)
After this I could start clamd also in enforced mode.
But in /var/log/audit/audit.log there still are some "avc: denied" messages.

# cat audit.log
type=DAEMON_START msg=audit(1150311056.597:9161) auditd start, ver=1.1.5, format=raw, auid=4294967295 res=success, auditd pid=2036
type=CONFIG_CHANGE msg=audit(1150311056.596:3): audit_enabled=1 old=0 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1150311056.740:4): audit_backlog_limit=256 old=64 by auid=4294967295
type=USER_START msg=audit(1150311065.344:5): user pid=2320 uid=0 auid=4294967295 msg='PAM: session open acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1150311065.344:6): user pid=2320 uid=0 auid=4294967295 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_DISP msg=audit(1150311068.841:7): user pid=2320 uid=0 auid=4294967295 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1150311068.917:8): user pid=2320 uid=0 auid=4294967295 msg='PAM: session close acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=AVC msg=audit(1150311069.037:9): avc: denied { search } for pid=2352 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:9): arch=40000003 syscall=149 success=no exit=-1 a0=bf8bb3c0 a1=4f32aff4 a2=4f4a1e00 a3=bf8bb3b8 items=0 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=AVC msg=audit(1150311069.037:10): avc: denied { search } for pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:10): arch=40000003 syscall=5 success=no exit=-13 a0=4f49e020 a1=0 a2=bf8bb420 a3=b7f9f6bc items=1 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=CWD msg=audit(1150311069.037:10):  cwd="/"
type=PATH msg=audit(1150311069.037:10): item=0 name="/proc/sys/kernel/version" flags=101
type=AVC msg=audit(1150311069.037:11): avc: denied { read } for pid=2352 comm="freshclam" name="freshclam.conf" dev=dm-0 ino=2736205 scontext=system_u:system_r:freshclam_t:s0 tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1150311069.037:11): arch=40000003 syscall=5 success=no exit=-13 a0=804f7a1 a1=0 a2=1b6 a3=9796090 items=1 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=CWD msg=audit(1150311069.037:11):  cwd="/"
type=PATH msg=audit(1150311069.037:11): item=0 name="/etc/freshclam.conf" flags=101 inode=2736205 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150311069.037:12): avc: denied { search } for pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:12): arch=40000003 syscall=5 success=no exit=-13 a0=4f315039 a1=0 a2=4f32aff4 a3=9796608 items=1 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=CWD msg=audit(1150311069.037:12):  cwd="/"
type=PATH msg=audit(1150311069.037:12): item=0 name="/proc/sys/kernel/ngroups_max" flags=101
type=USER_ERR msg=audit(1150311087.022:13): user pid=2659 uid=0 auid=4294967295 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_AUTH msg=audit(1150311099.846:14): user pid=2694 uid=0 auid=4294967295 msg='PAM: authentication acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1150311099.846:15): user pid=2694 uid=0 auid=4294967295 msg='PAM: accounting acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1150311099.846:16): user pid=2694 uid=0 auid=4294967295 msg='PAM: setcred acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1150311099.846:17): login pid=2694 uid=0 old auid=4294967295 new auid=500
type=USER_START msg=audit(1150311099.914:18): user pid=2694 uid=0 auid=500 msg='PAM: session open acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1150311099.914:19): user pid=2694 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=cello.localdomain, addr=127.0.0.1, terminal=:0 res=success)'
type=USER_AUTH msg=audit(1150311145.053:20): user pid=2978 uid=500 auid=500 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1150311145.053:21): user pid=2978 uid=500 auid=500 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1150311145.241:22): user pid=2978 uid=500 auid=500 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1150311145.241:23): user pid=2978 uid=500 auid=500 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1150311510.772:24): user pid=3140 uid=0 auid=500 msg='PAM: session open acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1150311510.776:25): user pid=3140 uid=0 auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_DISP msg=audit(1150311511.796:26): user pid=3140 uid=0 auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_END msg=audit(1150311511.796:27): user pid=3140 uid=0 auid=500 msg='PAM: session close acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1150311661.178:28): user pid=3247 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1150311661.178:29): login pid=3247 uid=0 old auid=4294967295 new auid=0
type=USER_START msg=audit(1150311661.178:30): user pid=3247 uid=0 auid=0 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1150311661.178:31): user pid=3247 uid=0 auid=0 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1150311661.350:32): user pid=3247 uid=0 auid=0 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1150311661.350:33): user pid=3247 uid=0 auid=0 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

Peter
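As an added example (not code from the thread or from the ClamAV or SELinux projects), the triage step the thread keeps coming back to, reading the "avc: denied" records and working out which domain was denied what on which file, can be scripted over the audit.log format posted above: records sharing one audit(timestamp:serial) id are grouped, and each AVC is reported with its source type, target type, object class, permissions and the path from the matching PATH record. The sample records are constructed, shortened copies of the freshclam records in the thread.

```python
"""Triage SELinux AVC denials from audit.log: added example, not code from
the thread. Pairs each AVC with the PATH record sharing its audit serial."""
import re
from collections import defaultdict

# Constructed sample, shortened from the freshclam records posted in the thread.
SAMPLE = """\
type=AVC msg=audit(1150311069.037:9): avc: denied { search } for pid=2352 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:9): arch=40000003 syscall=149 success=no exit=-1 items=0 comm="freshclam" exe="/usr/bin/freshclam"
type=AVC msg=audit(1150311069.037:11): avc: denied { read } for pid=2352 comm="freshclam" name="freshclam.conf" dev=dm-0 ino=2736205 scontext=system_u:system_r:freshclam_t:s0 tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1150311069.037:11): arch=40000003 syscall=5 success=no exit=-13 items=1 comm="freshclam" exe="/usr/bin/freshclam"
type=PATH msg=audit(1150311069.037:11): item=0 name="/etc/freshclam.conf" flags=101 inode=2736205 dev=fd:00 mode=0100640
"""
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def parse_records(text):
    """Group records by serial: {serial: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record (e.g. a wrapped fragment)
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            fields['perms'] = PERMS.search(body).group(1).split()
        events[int(serial)][rtype] = fields
    return events

def summarize_denials(text):
    """One tuple per AVC: (source type, target type, class, perms, path)."""
    events = parse_records(text)
    out = []
    for serial in sorted(events):
        avc = events[serial].get('AVC')
        if not avc:
            continue
        # the type is the third component of user:role:type:level
        src = avc['scontext'].split(':')[2]
        tgt = avc['tcontext'].split(':')[2]
        # PATH record first, else the AVC's own name=, else None (items=0)
        path = events[serial].get('PATH', {}).get('name', avc.get('name'))
        out.append((src, tgt, avc['tclass'], tuple(avc['perms']), path))
    return out

if __name__ == '__main__':
    for src, tgt, cls, perms, path in summarize_denials(SAMPLE):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} on {path}")
```

A target type that does not belong on the file's location, like rpm_script_tmp_t on /etc/freshclam.conf above, indicates a mislabelled file that restorecon should relabel, whereas a denial against a type the file legitimately carries (sysctl_kernel_t, proc_t) is what a policy module rule addresses.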
