SOLVED: error ClamAV daemon

Peter Lesterhuis peterlesterhuis at tiscali.nl
Wed Jun 14 17:22:25 UTC 2006


>>>>>> With SELinux in permissive mode clamd started without problem.
>>>>>> In the graphical configuration tool of SELinux I found SELinux
>>>>>> Service Protection; there I only had to check clamd.
>>>>>> Clamd is now also running in enforced mode (SELinux).
>>>>>
>>>>> Can you post the output of:
>>>>>
>>>>> # getsebool -a | grep clam
>>>>>
>>>>> I suspect all you've done is turn off SELinux protection of clamd (by
>>>>> setting the clamd_disable_trans boolean). If that's the case, there is a
>>>>> better way but it'll need more work.
>>>>
>>>> # getsebool -a | grep clam
>>>> clamd_disable_trans --> on
>>>> clamscan_disable_trans --> off
>>>> freshclam_disable_trans --> off
>>>>
>>>> As you can see I am afraid that is the case.
>>>
>>> To fix it "properly" you'd need to put SELinux in permissive mode, turn
>>> off the clamd_disable_trans boolean and then find the "avc:  denied"
>>> messages mentioning clamd in your log files when you start and use the
>>> service. By looking at those messages, we can figure out what's wrong
>>> and hopefully fix it.
>>
>> I started clamd with SELinux in permissive mode and with
>> clamd_disable_trans boolean turned off. In /var/log/messages there is
>> this error:
>> ...
>> Jun 12 23:45:21 cello clamd[3053]: Daemon started.
>> Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
>> Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
>> Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
>> Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
>> Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use
>
> This one might be normal; sshd generates a similar error message.
>
>> In /var/log/audit/audit.log there are several "avc: denied" messages:
>>
>> ...
>
> Most of these should be fixed in the latest selinux-policy update:
>
> # yum update selinux\* policycoreutils libsepol
>
> This policy module should fix the others. Create files myclamd.fc and
> myclamd.te in the /root/selinux.local you made last time, and run "make"
> in that directory.
>
> ####### myclamd.fc (one long line) #######
> /var/log/clamav/clamd.*         --      gen_context(system_u:object_r:clamd_var_log_t,s0)
>
> ####### myclamd.te #######
> policy_module(myclamd, 0.1.0)
>
> require {
>          type clamd_t;
> };
>
> # Allow clamd to send syslog messages
> # This is clamav 1.0.1
> #logging_send_syslog_msg(clamd_t)
>
> # term_dontaudit_use_generic_ptys(clamd_t) is in clamav 1.0.1
> #term_dontaudit_use_generic_ptys(clamd_t)
>
> kernel_read_kernel_sysctls(clamd_t)
>
> Then load the new module:
> # semodule -i myclamd
>
> Check you have the required module versions
>
> # semodule -l
> amavis  1.0.4
> clamav  1.0.1
> myclamd 0.1.0
> myfreshclam, 0.1.0
>
> Fix /var/log/clamav file contexts:
> # restorecon -rv /var/log/clamav
> restorecon reset /var/log/clamav/clamd.log context user_u:object_r:var_log_t->system_u:object_r:clamd_var_log_t
>
> Then try restarting clamav and see if any more AVCs appear. If not, try
> again in enforcing mode.

I updated selinux\* policycoreutils and libsepol. I created the files 
myclamd.fc and myclamd.te and issued the "make" command.
Loading the new module gives me this output:
selinux.local]# semodule -i myclamd
semodule:  Could not read file 'myclamd':

I wish I could be more helpful, but this is way beyond my understanding 
of SELinux (and clamav). So I simply follow your suggestions and report 
what is happening.
Peter
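
The triage step quoted in this thread (check which `*_disable_trans` booleans are on, then collect the "avc: denied" records that mention clamd and see what they ask for) can be scripted. The following is an added example, not code from the thread or from the SELinux tools; the audit lines are constructed for illustration and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original post).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1150148721.101:31): avc:  denied  { search } for  pid=3053 comm="clamd" name="kernel" dev=proc ino=4026531000 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1150148721.102:32): avc:  denied  { read } for  pid=3053 comm="clamd" name="ngroups_max" dev=proc ino=4026531001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1150148721.103:33): avc:  denied  { getattr } for  pid=3053 comm="clamd" name="ngroups_max" dev=proc ino=4026531001 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
type=AVC msg=audit(1150148721.104:34): avc:  denied  { append } for  pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=98765 scontext=system_u:system_r:clamd_t:s0 tcontext=user_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1150148730.200:40): avc:  denied  { read } for  pid=3100 comm="freshclam" name="resolv.conf" dev=dm-0 ino=4321 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
"""
# getsebool output as quoted in the thread above.
SAMPLE_BOOLS = """\
clamd_disable_trans --> on
clamscan_disable_trans --> off
freshclam_disable_trans --> off
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)')
BOOL_RE = re.compile(r'^(\w+)_disable_trans\s+-->\s+on\s*$', re.M)


def unprotected_daemons(getsebool_output):
    """Daemons whose <name>_disable_trans boolean is on."""
    return sorted(m.group(1) for m in BOOL_RE.finditer(getsebool_output))


def summarize_denials(audit_text, comm):
    """Group denials for one command as {(source, target, class): [perms]}."""
    rules = defaultdict(set)
    for m in map(AVC_RE.search, audit_text.splitlines()):
        if m and m.group("comm") == comm:
            # The type is the third field of user:role:type[:level].
            src, tgt = (m.group(g).split(":")[2] for g in ("scon", "tcon"))
            rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return {key: sorted(perms) for key, perms in rules.items()}


def as_allow_rules(rules):
    """Render grouped denials in the allow-rule syntax used in .te files."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("protection disabled for:", unprotected_daemons(SAMPLE_BOOLS))
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_AUDIT, "clamd"))))
```

On a real system audit2allow performs this grouping; each resulting rule still needs review before it is loaded, since a denial can point to a mislabeled file (as with /var/log/clamav in this thread) rather than a missing permission.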



