SOLVED: error ClamAV daemon

Paul Howarth paul at city-fan.org
Tue Jun 13 10:02:28 UTC 2006


Peter Lesterhuis wrote:
>>>>> With SELinux in permissive mode clamd started without problem.
>>>>> In the graphical configuration tool of SELinux I found SELinux
>>>>> Service Protection; there I only had to check clamd.
>>>>> Clamd is now also running in enforced mode (SELinux).
>>>>
>>>> Can you post the output of:
>>>>
>>>> # getsebool -a | grep clam
>>>>
>>>> I suspect all you've done is turn off SELinux protection of clamd (by
>>>> setting the clamd_disable_trans boolean). If that's the case, there is a
>>>> better way but it'll need more work.
>>>
>>> # getsebool -a | grep clam
>>> clamd_disable_trans --> on
>>> clamscan_disable_trans --> off
>>> freshclam_disable_trans --> off
>>>
>>> As you can see I am afraid that is the case.
>>
>> To fix it "properly" you'd need to put SELinux in permissive mode, turn
>> off the clamd_disable_trans boolean and then find the "avc:  denied"
>> messages mentioning clamd in your log files when you start and use the
>> service. By looking at those messages, we can figure out what's wrong
>> and hopefully fix it.
>
> I started clamd with SELinux in permissive mode and with 
> clamd_disable_trans boolean turned off. In /var/log/messages there is 
> this error:
> ...
> Jun 12 23:45:21 cello clamd[3053]: Daemon started.
> Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, 
> ARCH: i386, CPU: i386)
> Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
> Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
> Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
> Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use

This one might be normal; sshd generates a similar error message.

> In /var/log/audit/audit.log there are several "avc: denied" messages:
> 
> ...
> type=AVC msg=audit(1150148721.544:181): avc:  denied  { read write } 
> for  pid=3053 comm="clamd" name="1" dev=devpts ino=3 
> scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:devpts_t:s0 
> tclass=chr_file
> type=SYSCALL msg=audit(1150148721.544:181): arch=40000003 syscall=11 
> success=yes exit=0 a0=a063550 a1=a066c98 a2=a06aaa0 a3=a062d50 items=2 
> pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 
> fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=AVC_PATH msg=audit(1150148721.544:181):  path="/dev/pts/1"
> type=CWD msg=audit(1150148721.544:181):  cwd="/tmp"
> type=PATH msg=audit(1150148721.544:181): item=0 name="/usr/sbin/clamd" 
> flags=101  inode=1115221 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=PATH msg=audit(1150148721.544:181): item=1 flags=101  inode=3424499 
> dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1150148721.548:182): avc:  denied  { search } for  
> pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
> type=AVC msg=audit(1150148721.548:182): avc:  denied  { read } for  
> pid=3053 comm="clamd" scontext=user_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
> type=SYSCALL msg=audit(1150148721.548:182): arch=40000003 syscall=149 
> success=yes exit=0 a0=bfd15ea0 a1=4f32aff4 a2=4f4a1e00 a3=bfd15e98 
> items=0 pid=3053 auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 
> sgid=46 fsgid=46 comm="clamd" exe="/usr/sbin/clamd"
> type=AVC msg=audit(1150148721.548:183): avc:  denied  { append } for  
> pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 
> scontext=user_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> type=SYSCALL msg=audit(1150148721.548:183): arch=40000003 syscall=5 
> success=yes exit=3 a0=8b40190 a1=441 a2=1b6 a3=8b405a8 items=1 pid=3053 
> auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 
> comm="clamd" exe="/usr/sbin/clamd"
> type=CWD msg=audit(1150148721.548:183):  cwd="/tmp"
> type=PATH msg=audit(1150148721.548:183): item=0 
> name="/var/log/clamav/clamd.log" flags=310  inode=65664 dev=fd:00 
> mode=040755 ouid=46 ogid=46 rdev=00:00
> type=AVC msg=audit(1150148721.548:184): avc:  denied  { getattr } for  
> pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=65542 
> scontext=user_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> type=SYSCALL msg=audit(1150148721.548:184): arch=40000003 syscall=197 
> success=yes exit=0 a0=3 a1=bfd159f4 a2=4f32aff4 a3=3 items=0 pid=3053 
> auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 
> comm="clamd" exe="/usr/sbin/clamd"
> type=AVC_PATH msg=audit(1150148721.548:184):  
> path="/var/log/clamav/clamd.log"
> type=AVC msg=audit(1150148721.548:185): avc:  denied  { write } for  
> pid=3053 comm="clamd" name="log" dev=tmpfs ino=6732 
> scontext=user_u:system_r:clamd_t:s0 
> tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
> type=AVC msg=audit(1150148721.548:185): avc:  denied  { sendto } for  
> pid=3053 comm="clamd" name="log" scontext=user_u:system_r:clamd_t:s0 
> tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
> type=SYSCALL msg=audit(1150148721.548:185): arch=40000003 syscall=102 
> success=yes exit=0 a0=3 a1=bfd15fc0 a2=4f32aff4 a3=15 items=1 pid=3053 
> auid=500 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 
> comm="clamd" exe="/usr/sbin/clamd"
> type=AVC_PATH msg=audit(1150148721.548:185):  path="/dev/log"
> type=SOCKADDR msg=audit(1150148721.548:185): 
> saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 
> 
> type=SOCKETCALL msg=audit(1150148721.548:185): nargs=3 a0=4 a1=4f32cbe0 
> a2=6e
> type=PATH msg=audit(1150148721.548:185): item=0 flags=1  inode=6732 
> dev=00:0f mode=0140666 ouid=0 ogid=0 rdev=00:00
> type=CRED_DISP msg=audit(1150148722.536:186): user pid=3036 uid=0 
> auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" 
> (hostname=?, addr=?, terminal=pts/1 res=success)'
> type=USER_END msg=audit(1150148722.536:187): user pid=3036 uid=0 
> auid=500 msg='PAM: session close acct=clamav : exe="/sbin/runuser" 
> (hostname=?, addr=?, terminal=pts/1 res=success)'

Most of these should be fixed in the latest selinux-policy update:

# yum update selinux\* policycoreutils libsepol

This policy module should fix the others. Create files myclamd.fc and 
myclamd.te in the /root/selinux.local you made last time, and run "make" 
in that directory.

####### myclamd.fc (one long line) #######
/var/log/clamav/clamd.*         --      gen_context(system_u:object_r:clamd_var_log_t,s0)

####### myclamd.te #######
policy_module(myclamd, 0.1.0)

require {
         type clamd_t;
};

# Allow clamd to send syslog messages
# This is clamav 1.0.1
#logging_send_syslog_msg(clamd_t)

# term_dontaudit_use_generic_ptys(clamd_t) is in clamav 1.0.1
#term_dontaudit_use_generic_ptys(clamd_t)

kernel_read_kernel_sysctls(clamd_t)

Then load the new module:
# semodule -i myclamd

Check you have the required module versions

# semodule -l
amavis  1.0.4
clamav  1.0.1
myclamd 0.1.0
myfreshclam     0.1.0

Fix /var/log/clamav file contexts:
# restorecon -rv /var/log/clamav
restorecon reset /var/log/clamav/clamd.log context user_u:object_r:var_log_t->system_u:object_r:clamd_var_log_t

Then try restarting clamav and see if any more AVCs appear. If not, try 
again in enforcing mode.

Paul.
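As an added example (not code from this thread or from the selinux-policy project), the following Python script parses AVC denial records like the ones quoted above and groups the denied permissions by source type, target type and object class, which is how a policy author reads them before picking an interface such as kernel_read_kernel_sysctls(). The sample records are constructed from the audit.log excerpt in the message.

```python
import re
from collections import defaultdict

# Matches the "avc:  denied  { perms } for  k=v ..." part of an AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: four AVC records taken from the audit.log excerpt above,
# plus one SYSCALL record that the parser must ignore.
SAMPLE_LOG = [
    'type=AVC msg=audit(1150148721.548:182): avc:  denied  { search } for  pid=3053 comm="clamd" '
    'scontext=user_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir',
    'type=AVC msg=audit(1150148721.548:183): avc:  denied  { append } for  pid=3053 comm="clamd" '
    'name="clamd.log" dev=dm-0 ino=65542 scontext=user_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1150148721.548:183): arch=40000003 syscall=5 success=yes exit=3 comm="clamd"',
    'type=AVC msg=audit(1150148721.548:184): avc:  denied  { getattr } for  pid=3053 comm="clamd" '
    'name="clamd.log" dev=dm-0 ino=65542 scontext=user_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1150148721.548:185): avc:  denied  { write } for  pid=3053 comm="clamd" '
    'name="log" dev=tmpfs ino=6732 scontext=user_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file',
]

def parse_avc(line):
    """Return {perms, comm, stype, ttype, tclass} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    # The type is the third field of a context label: user:role:type:level.
    return {'perms': set(m.group('perms').split()), 'comm': kv.get('comm'),
            'stype': kv['scontext'].split(':')[2],
            'ttype': kv['tcontext'].split(':')[2], 'tclass': kv['tclass']}

def summarise(lines, comm=None):
    """Union the denied permissions per (source type, target type, class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec['comm'] != comm):
            continue
        summary[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(summary)

def to_allow_rules(summary):
    """Render the summary as raw allow rules, sorted, for a policy author to review."""
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
                  for (s, t, c), p in summary.items())
```

audit2allow from policycoreutils produces the same kind of summary from a real audit.log; the raw allow rules printed here are only a reading aid, since the proper module uses policy interfaces and file contexts as in myclamd.te and myclamd.fc above.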




More information about the fedora-list mailing list