SOLVED: error ClamAV daemon

Peter Lesterhuis peterlesterhuis at tiscali.nl
Mon Jun 12 22:08:25 UTC 2006


>
> With SELinux in permissive mode clamd started without problem. 
>   
>> > > > In the graphical configuration tool of SELinux I found SELinux Service Protection; there I only had to check clamd.
>> > > > Clamd is now also running in enforced mode (SELinux).
>>     
> > >   
> > >
> > > Can you post the output of:
> > >
> > > # getsebool -a | grep clam
> > >
> > > I suspect all you've done is turn off SELinux protection of clamd (by
> > > setting the clamd_disable_trans boolean). If that's the case, there is a
> > > better way but it'll need more work.
>   
> > # getsebool -a | grep clam
> > clamd_disable_trans --> on
> > clamscan_disable_trans --> off
> > freshclam_disable_trans --> off
> > 
> > As you can see I am afraid that is the case.
>   
>
> To fix it "properly" you'd need to put SELinux in permissive mode, turn
> off the clamd_disable_trans boolean and then find the "avc:  denied"
> messages mentioning clamd in your log files when you start and use the
> service. By looking at those messages, we can figure out what's wrong
> and hopefully fix it.
>   
I started clamd with SELinux in permissive mode and with the 
clamd_disable_trans boolean turned off. In /var/log/messages there is 
this error:
...
Jun 12 23:45:21 cello clamd[3053]: Daemon started.
Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, 
ARCH: i386, CPU: i386)
Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use

In /var/log/audit/audit.log there are several "avc: denied" messages:

...
type=AVC msg=audit(1150148721.544:181): avc:  denied  { read write } 
for  pid=3053 comm="clamd" name="1" dev=devpts ino=3 
scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:devpts_t:s0 
tclass=chr_file
type=SYSCALL msg=audit(1150148721.544:181): arch=40000003 syscall=11 
success=yes exit=0 a0=a063550 a1=a066c98 a2=a06aaa0 a3=a062d50 items=2 
pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 
fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
type=AVC_PATH msg=audit(1150148721.544:181):  path="/dev/pts/1"
type=CWD msg=audit(1150148721.544:181):  cwd="/tmp"
type=PATH msg=audit(1150148721.544:181): item=0 name="/usr/sbin/clamd" 
flags=101  inode=1115221 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150148721.544:181): item=1 flags=101  inode=3424499 
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150148721.548:182): avc:  denied  { search } for  
pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1150148721.548:182): avc:  denied  { read } for  
pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=SYSCALL msg=audit(1150148721.548:182): arch=40000003 syscall=149 
success=yes exit=0 a0=bfd15ea0 a1=4f32aff4 a2=4f4a1e00 a3=bfd15e98 
items=0 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 
sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
type=AVC msg=audit(1150148721.548:183): avc:  denied  { append } for  
pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 
scontext=user_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1150148721.548:183): arch=40000003 syscall=5 
success=yes exit=3 a0=8b40190 a1=441 a2=1b6 a3=8b405a8 items=1 pid=3053 
auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 
comm="clamd" exe="/usr/sbin/clamd"
type=CWD msg=audit(1150148721.548:183):  cwd="/tmp"
type=PATH msg=audit(1150148721.548:183): item=0 
name="/var/log/clamav/clamd.log" flags=310  inode=65664 dev=fd:00 
mode=040755 ouid=46 ogid=46 rdev=00:00
type=AVC msg=audit(1150148721.548:184): avc:  denied  { getattr } for  
pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 
scontext=user_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1150148721.548:184): arch=40000003 syscall=197 
success=yes exit=0 a0=3 a1=bfd159f4 a2=4f32aff4 a3=3 items=0 pid=3053 
auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 
comm="clamd" exe="/usr/sbin/clamd"
type=AVC_PATH msg=audit(1150148721.548:184):  
path="/var/log/clamav/clamd.log"
type=AVC msg=audit(1150148721.548:185): avc:  denied  { write } for  
pid=3053 comm="clamd" name="log" dev=tmpfs ino=6732 
scontext=user_u:system_r:clamd_t:s0 
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1150148721.548:185): avc:  denied  { sendto } for  
pid=3053 comm="clamd" name="log" scontext=user_u:system_r:clamd_t:s0 
tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1150148721.548:185): arch=40000003 syscall=102 
success=yes exit=0 a0=3 a1=bfd15fc0 a2=4f32aff4 a3=15 items=1 pid=3053 
auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 
comm="clamd" exe="/usr/sbin/clamd"
type=AVC_PATH msg=audit(1150148721.548:185):  path="/dev/log"
type=SOCKADDR msg=audit(1150148721.548:185): 
saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1150148721.548:185): nargs=3 a0=4 a1=4f32cbe0 
a2=6e
type=PATH msg=audit(1150148721.548:185): item=0 flags=1  inode=6732 
dev=00:0f mode=0140666 ouid=0 ogid=0 rdev=00:00
type=CRED_DISP msg=audit(1150148722.536:186): user pid=3036 uid=0 
auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" 
(hostname=?, addr=?, terminal=pts/1 res=success)'
type=USER_END msg=audit(1150148722.536:187): user pid=3036 uid=0 
auid=500 msg='PAM: session close acct=clamav : exe="/sbin/runuser" 
(hostname=?, addr=?, terminal=pts/1 res=success)'

Peter
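Working through the denials the previous reply asked for, here is an added example (not from the post or from Fedora's tooling; the standard tool for this job is audit2allow from policycoreutils) that parses AVC records and groups the denied permissions by object class and target type, so the distinct problems behind a wall of audit lines stand out. The sample log is constructed from the records above, re-joined onto one line each.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the post, each re-joined onto a
# single line (the archive wrapped them), plus one non-AVC record to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1150148721.544:181): avc:  denied  { read write } for  pid=3053 comm="clamd" name="1" dev=devpts ino=3 scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1150148721.548:182): avc:  denied  { search } for  pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1150148721.548:182): avc:  denied  { read } for  pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1150148721.548:183): avc:  denied  { append } for  pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1150148721.548:184): avc:  denied  { getattr } for  pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1150148721.548:185): avc:  denied  { write } for  pid=3053 comm="clamd" name="log" dev=tmpfs ino=6732 scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1150148721.548:185): avc:  denied  { sendto } for  pid=3053 comm="clamd" name="log" scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1150148721.548:185): arch=40000003 syscall=102 success=yes exit=0 pid=3053 comm="clamd" exe="/usr/sbin/clamd"
"""

# "avc:  denied  { read write } for  pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+'
                    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def type_of(context):
    """user_u:object_r:devpts_t:s0 -> devpts_t (the type field of a context)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'verdict': m.group('verdict'), 'perms': set(m.group('perms').split()),
            'comm': fields.get('comm', '?'), 'name': fields.get('name', ''),
            'sdomain': type_of(fields['scontext']),
            'ttype': type_of(fields['tcontext']), 'tclass': fields['tclass']}

def summarize_denials(log_text, domain):
    """Map (tclass, target type) -> union of permissions denied to `domain`."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['verdict'] == 'denied' and rec['sdomain'] == domain:
            summary[(rec['tclass'], rec['ttype'])] |= rec['perms']
    return dict(summary)

def report(log_text, domain):
    """One human-readable line per (class, target type) pair, sorted."""
    return [f"{domain} denied {{ {' '.join(sorted(p))} }} on {cls} {ttype}"
            for (cls, ttype), p in sorted(summarize_denials(log_text, domain).items())]
```

For these records the grouping reduces seven denials to four distinct problems: access to the controlling terminal (devpts_t; the CRED_DISP record shows clamd was started via runuser from pts/1), kernel sysctl reads, a log file carrying the generic var_log_t label instead of a clamd-specific one, and sending to syslog. Checking the file labels with `restorecon -v` and feeding the same records to `audit2allow` is the next step before writing any local policy.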

More information about the fedora-list mailing list