SOLVED: error ClamAV daemon

Paul Howarth paul at city-fan.org
Wed Jun 14 17:40:53 UTC 2006


Peter Lesterhuis wrote:
>>>>>>> With SELinux in permissive mode clamd started without problem.
>>>>>>> In the graphical configuration tool of SELinux I found SELinux
>>>>>>> Service Protection; there I only had to check clamd.
>>>>>>> Clamd is now also running in enforced mode (SELinux).
>>>>>>
>>>>>> Can you post the output of:
>>>>>>
>>>>>> # getsebool -a | grep clam
>>>>>>
>>>>>> I suspect all you've done is turn off SELinux protection of clamd (by
>>>>>> setting the clamd_disable_trans boolean). If that's the case, there is a
>>>>>> better way but it'll need more work.
>>>>>
>>>>> # getsebool -a | grep clam
>>>>> clamd_disable_trans --> on
>>>>> clamscan_disable_trans --> off
>>>>> freshclam_disable_trans --> off
>>>>>
>>>>> As you can see I am afraid that is the case.
>>>>
>>>> To fix it "properly" you'd need to put SELinux in permissive mode, turn
>>>> off the clamd_disable_trans boolean and then find the "avc:  denied"
>>>> messages mentioning clamd in your log files when you start and use the
>>>> service. By looking at those messages, we can figure out what's wrong
>>>> and hopefully fix it.
>>>
>>> I started clamd with SELinux in permissive mode and with
>>> clamd_disable_trans boolean turned off. In /var/log/messages there is
>>> this error:
>>> ...
>>> Jun 12 23:45:21 cello clamd[3053]: Daemon started.
>>> Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
>>> Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
>>> Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
>>> Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
>>> Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use
>>
>> This one might be normal; sshd generates a similar error message.
>>
>>> In /var/log/audit/audit.log there are several "avc: denied" messages:
>>> ...
>>
>> Most of these should be fixed in the latest selinux-policy update:
>>
>> # yum update selinux\* policycoreutils libsepol
>>
>> This policy module should fix the others. Create files myclamd.fc and
>> myclamd.te in the /root/selinux.local you made last time, and run
>> "make" in that directory.
>>
>> ####### myclamd.fc (one long line) #######
>> /var/log/clamav/clamd.*         -- gen_context(system_u:object_r:clamd_var_log_t,s0)
>>
>> ####### myclamd.te #######
>> policy_module(myclamd, 0.1.0)
>>
>> require {
>>          type clamd_t;
>> };
>>
>> # Allow clamd to send syslog messages
>> # This is clamav 1.0.1
>> #logging_send_syslog_msg(clamd_t)
>>
>> # term_dontaudit_use_generic_ptys(clamd_t) is in clamav 1.0.1
>> #term_dontaudit_use_generic_ptys(clamd_t)
>>
>> kernel_read_kernel_sysctls(clamd_t)
>>
>> Then load the new module:
>> # semodule -i myclamd
>>
>> Check you have the required module versions
>>
>> # semodule -l
>> amavis  1.0.4
>> clamav  1.0.1
>> myclamd 0.1.0
>> myfreshclam, 0.1.0
>>
>> Fix /var/log/clamav file contexts:
>> # restorecon -rv /var/log/clamav
>> restorecon reset /var/log/clamav/clamd.log context user_u:object_r:var_log_t->system_u:object_r:clamd_var_log_t
>>
>> Then try restarting clamav and see if any more AVCs appear. If not,
>> try again in enforcing mode.
>>
> I updated selinux\* policycoreutils and libsepol. I created the files 
> myclamd.fc and myclamd.te and issued the "make"-command.
> Loading the new module gives me this output:
> selinux.local]# semodule -i myclamd
> semodule:  Could not read file 'myclamd':

Sorry, that should have been:

# semodule -i myclamd.pp

> I wish I could be more helpful, but this is way beyond my understanding 
> of SELinux (and clamav). So I simply follow your suggestions and report 
> what is happening.

Keep it up - some people would have given up by now :-)

Paul.
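The step Paul asks for in the thread (run the service in permissive mode, then read the "avc:  denied" messages for clamd and work out which target types and permissions are involved) is tedious by eye once there are more than a handful of records. The script below is an added example, not code from either poster: it parses AVC records in both places the thread looks, /var/log/audit/audit.log and /var/log/messages, groups the denied permissions by (source domain, target type, object class), and flags target types that are generic directory labels such as var_log_t, which is the symptom the restorecon output above fixed by relabeling /var/log/clamav to clamd_var_log_t. The sample records, PIDs, inode numbers and the GENERIC_TARGET_TYPES list are constructed for the example; the type names are the ones discussed in the thread plus the refpolicy sysctl and devpts types that the module's kernel_read_kernel_sysctls and term_dontaudit_use_generic_ptys interfaces cover.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the poster's system). The first
# format is the auditd record in /var/log/audit/audit.log, the second is the
# same kernel message as syslog writes it to /var/log/messages when auditd
# is not running. One non-AVC line and one freshclam record are included to
# show that they are ignored or filtered respectively.
SAMPLE_LOG = """\
type=AVC msg=audit(1150159522.101:17): avc:  denied  { write } for  pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=40123 scontext=user_u:system_r:clamd_t tcontext=user_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1150159522.101:18): avc:  denied  { append } for  pid=3053 comm="clamd" name="clamd.log" dev=dm-0 ino=40123 scontext=user_u:system_r:clamd_t tcontext=user_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1150159522.204:19): avc:  denied  { search } for  pid=3053 comm="clamd" name="kernel" dev=proc ino=4026531838 scontext=user_u:system_r:clamd_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
type=AVC msg=audit(1150159522.204:20): avc:  denied  { read } for  pid=3053 comm="clamd" name="random" dev=proc ino=4026531839 scontext=user_u:system_r:clamd_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Jun 12 23:45:22 cello kernel: audit(1150159522.311:21): avc:  denied  { read write } for  pid=3053 comm="clamd" name="0" dev=devpts ino=2 scontext=user_u:system_r:clamd_t tcontext=user_u:object_r:devpts_t tclass=chr_file
Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
type=AVC msg=audit(1150159530.500:22): avc:  denied  { getattr } for  pid=3077 comm="freshclam" name="clamd.log" dev=dm-0 ino=40123 scontext=user_u:system_r:freshclam_t tcontext=user_u:object_r:var_log_t tclass=file
"""

# The AVC core is identical in both formats: "avc:  denied  { perms } for  k=v ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed heuristic list: generic labels a confined daemon should normally
# not be touching directly; hitting one usually means files are mislabeled
# (fix with restorecon / a .fc entry) rather than that policy is missing.
GENERIC_TARGET_TYPES = {"var_log_t", "var_lib_t", "var_run_t", "etc_t", "tmp_t", "usr_t", "var_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one log line; return a record dict or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "sdomain": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "name": fields.get("name", ""),
    }


def summarize(lines, comm=None):
    """Group denied permissions by (source domain, target type, object class).

    If comm is given, only denials from that process name are counted, which is
    how you would isolate clamd's denials from freshclam's in a shared log.
    """
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        grouped[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def likely_mislabeled(summary):
    """Target types in the summary that look like generic labels (candidates for relabeling)."""
    return sorted({ttype for (_, ttype, tclass) in summary
                   if tclass in ("file", "dir") and ttype in GENERIC_TARGET_TYPES})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines(), comm="clamd")
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        print(f"{sdomain} -> {ttype} ({tclass}): {' '.join(perms)}")
    for ttype in likely_mislabeled(summary):
        print(f"note: {ttype} is a generic label; check file contexts with restorecon before adding policy")
```

Running it against a real log is `python3 avc_summary.py < /var/log/audit/audit.log` with the `SAMPLE_LOG` read replaced by `sys.stdin`; the grouped output is the same shape you would then feed to audit2allow, but the mislabel check comes first so that a relabeling problem is not papered over with an overly broad allow rule.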



