SOLVED: error ClamAV daemon

Peter Lesterhuis peterlesterhuis at tiscali.nl
Wed Jun 14 19:19:20 UTC 2006


>>>>>>>> With SELinux in permissive mode clamd started without problem.
>>>>>>>> In the graphical configuration tool of SELinux I found SELinux
>>>>>>>> Service Protection; there I only had to check clamd.
>>>>>>>> Clamd is now also running in enforced mode (SELinux).
>>>>>>>
>>>>>>> Can you post the output of:
>>>>>>>
>>>>>>> # getsebool -a | grep clam
>>>>>>>
>>>>>>> I suspect all you've done is turn off SELinux protection of clamd (by
>>>>>>> setting the clamd_disable_trans boolean). If that's the case, there is a
>>>>>>> better way but it'll need more work.
>>>>>>
>>>>>> # getsebool -a | grep clam
>>>>>> clamd_disable_trans --> on
>>>>>> clamscan_disable_trans --> off
>>>>>> freshclam_disable_trans --> off
>>>>>>
>>>>>> As you can see I am afraid that is the case.
>>>>>
>>>>> To fix it "properly" you'd need to put SELinux in permissive mode, turn
>>>>> off the clamd_disable_trans boolean and then find the "avc:  denied"
>>>>> messages mentioning clamd in your log files when you start and use the
>>>>> service. By looking at those messages, we can figure out what's wrong
>>>>> and hopefully fix it.
>>>>
>>>> I started clamd with SELinux in permissive mode and with
>>>> clamd_disable_trans boolean turned off. In /var/log/messages there is
>>>> this error:
>>>> ...
>>>> Jun 12 23:45:21 cello clamd[3053]: Daemon started.
>>>> Jun 12 23:45:21 cello clamd[3053]: clamd daemon 0.88.2 (OS: linux-gnu, ARCH: i386, CPU: i386)
>>>> Jun 12 23:45:21 cello clamd[3053]: Log file size limit disabled.
>>>> Jun 12 23:45:21 cello clamd[3053]: Reading databases from /var/lib/clamav
>>>> Jun 12 23:45:22 cello clamd[3053]: Protecting against 59059 viruses.
>>>> Jun 12 23:45:22 cello clamd[3054]: bind() error: Address already in use
>>>>
>>>> This one might be normal; sshd generates a similar error message.
>>>>
>>>> In /var/log/audit/audit.log there are several "avc: denied" messages:
>>>> ...
>>>
>>> Most of these should be fixed in the latest selinux-policy update:
>>>
>>> # yum update selinux\* policycoreutils libsepol
>>>
>>> This policy module should fix the others. Create files myclamd.fc and
>>> myclamd.te in the /root/selinux.local you made last time, and run
>>> "make" in that directory.
>>>
>>> ####### myclamd.fc (one long line) #######
>>> /var/log/clamav/clamd.*         --      gen_context(system_u:object_r:clamd_var_log_t,s0)
>>>
>>> ####### myclamd.te #######
>>> policy_module(myclamd, 0.1.0)
>>>
>>> require {
>>>          type clamd_t;
>>> };
>>>
>>> # Allow clamd to send syslog messages
>>> # This is clamav 1.0.1
>>> #logging_send_syslog_msg(clamd_t)
>>>
>>> # term_dontaudit_use_generic_ptys(clamd_t) is in clamav 1.0.1
>>> #term_dontaudit_use_generic_ptys(clamd_t)
>>>
>>> kernel_read_kernel_sysctls(clamd_t)
>>>
>>> Then load the new module:
>>> # semodule -i myclamd
>>>
>>> Check you have the required module versions
>>>
>>> # semodule -l
>>> amavis  1.0.4
>>> clamav  1.0.1
>>> myclamd 0.1.0
>>> myfreshclam, 0.1.0
>>>
>>> Fix /var/log/clamav file contexts:
>>> # restorecon -rv /var/log/clamav
>>> restorecon reset /var/log/clamav/clamd.log context user_u:object_r:var_log_t->system_u:object_r:clamd_var_log_t
>>>
>>> Then try restarting clamav and see if any more AVCs appear. If not,
>>> try again in enforcing mode.
>>
>> I updated selinux\* policycoreutils and libsepol. I created the files
>> myclamd.fc and myclamd.te and issued the "make"-command.
>> Loading the new module gives me this output:
>> selinux.local]# semodule -i myclamd
>> semodule:  Could not read file 'myclamd':
>
> Sorry, that should have been:
>
> # semodule -i myclamd.pp

OK, I could load the module now.
The output of # semodule -l is:
# semodule -l
amavis  1.0.4
clamav  1.0.1
myclamd 0.1.0
myfreshclam     0.1.0
pyzor   1.0.1

I ran the "restorecon"-command (first line only?).
After this I could start clamd also in enforced mode.
But in /var/log/audit/audit.log there still are some "avc: denied" messages.

# cat audit.log
type=DAEMON_START msg=audit(1150311056.597:9161) auditd start, ver=1.1.5, format=raw, auid=4294967295 res=success, auditd pid=2036
type=CONFIG_CHANGE msg=audit(1150311056.596:3): audit_enabled=1 old=0 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1150311056.740:4): audit_backlog_limit=256 old=64 by auid=4294967295
type=USER_START msg=audit(1150311065.344:5): user pid=2320 uid=0 auid=4294967295 msg='PAM: session open acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_ACQ msg=audit(1150311065.344:6): user pid=2320 uid=0 auid=4294967295 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=CRED_DISP msg=audit(1150311068.841:7): user pid=2320 uid=0 auid=4294967295 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1150311068.917:8): user pid=2320 uid=0 auid=4294967295 msg='PAM: session close acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=AVC msg=audit(1150311069.037:9): avc:  denied  { search } for  pid=2352 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:9): arch=40000003 syscall=149 success=no exit=-1 a0=bf8bb3c0 a1=4f32aff4 a2=4f4a1e00 a3=bf8bb3b8 items=0 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=AVC msg=audit(1150311069.037:10): avc:  denied  { search } for  pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:10): arch=40000003 syscall=5 success=no exit=-13 a0=4f49e020 a1=0 a2=bf8bb420 a3=b7f9f6bc items=1 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=CWD msg=audit(1150311069.037:10):  cwd="/"
type=PATH msg=audit(1150311069.037:10): item=0 name="/proc/sys/kernel/version" flags=101
type=AVC msg=audit(1150311069.037:11): avc:  denied  { read } for  pid=2352 comm="freshclam" name="freshclam.conf" dev=dm-0 ino=2736205 scontext=system_u:system_r:freshclam_t:s0 tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1150311069.037:11): arch=40000003 syscall=5 success=no exit=-13 a0=804f7a1 a1=0 a2=1b6 a3=9796090 items=1 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=CWD msg=audit(1150311069.037:11):  cwd="/"
type=PATH msg=audit(1150311069.037:11): item=0 name="/etc/freshclam.conf" flags=101  inode=2736205 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150311069.037:12): avc:  denied  { search } for  pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=SYSCALL msg=audit(1150311069.037:12): arch=40000003 syscall=5 success=no exit=-13 a0=4f315039 a1=0 a2=4f32aff4 a3=9796608 items=1 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
type=CWD msg=audit(1150311069.037:12):  cwd="/"
type=PATH msg=audit(1150311069.037:12): item=0 name="/proc/sys/kernel/ngroups_max" flags=101
type=USER_ERR msg=audit(1150311087.022:13): user pid=2659 uid=0 auid=4294967295 msg='PAM: bad_ident acct=? : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=USER_AUTH msg=audit(1150311099.846:14): user pid=2694 uid=0 auid=4294967295 msg='PAM: authentication acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_ACCT msg=audit(1150311099.846:15): user pid=2694 uid=0 auid=4294967295 msg='PAM: accounting acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=CRED_ACQ msg=audit(1150311099.846:16): user pid=2694 uid=0 auid=4294967295 msg='PAM: setcred acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=LOGIN msg=audit(1150311099.846:17): login pid=2694 uid=0 old auid=4294967295 new auid=500
type=USER_START msg=audit(1150311099.914:18): user pid=2694 uid=0 auid=500 msg='PAM: session open acct=peter : exe="/usr/sbin/gdm-binary" (hostname=?, addr=?, terminal=:0 res=success)'
type=USER_LOGIN msg=audit(1150311099.914:19): user pid=2694 uid=0 auid=500 msg='uid=500: exe="/usr/sbin/gdm-binary" (hostname=cello.localdomain, addr=127.0.0.1, terminal=:0 res=success)'
type=USER_AUTH msg=audit(1150311145.053:20): user pid=2978 uid=500 auid=500 msg='PAM: authentication acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1150311145.053:21): user pid=2978 uid=500 auid=500 msg='PAM: accounting acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1150311145.241:22): user pid=2978 uid=500 auid=500 msg='PAM: session open acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1150311145.241:23): user pid=2978 uid=500 auid=500 msg='PAM: setcred acct=root : exe="/bin/su" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_START msg=audit(1150311510.772:24): user pid=3140 uid=0 auid=500 msg='PAM: session open acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1150311510.776:25): user pid=3140 uid=0 auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_DISP msg=audit(1150311511.796:26): user pid=3140 uid=0 auid=500 msg='PAM: setcred acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_END msg=audit(1150311511.796:27): user pid=3140 uid=0 auid=500 msg='PAM: session close acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_ACCT msg=audit(1150311661.178:28): user pid=3247 uid=0 auid=4294967295 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1150311661.178:29): login pid=3247 uid=0 old auid=4294967295 new auid=0
type=USER_START msg=audit(1150311661.178:30): user pid=3247 uid=0 auid=0 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1150311661.178:31): user pid=3247 uid=0 auid=0 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1150311661.350:32): user pid=3247 uid=0 auid=0 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1150311661.350:33): user pid=3247 uid=0 auid=0 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

Peter
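The triage step the thread walks through (find the "avc: denied" records, work out which domain is denied which permission on which type, then decide between a policy rule and a relabel) can be scripted. The following is an added example written for this page, not code from the fedora-list thread or from the ClamAV or SELinux projects. It parses the type=AVC records in the audit.log quoted above (the sample is a constructed excerpt of those records), collapses them into audit2allow-style allow lines, and flags the one denial where the target type is a *_tmp_t label on a file. That last check is a heuristic this example assumes: a daemon's config file carrying rpm_script_tmp_t is far more likely to be a mislabelled file (fixed with restorecon, like the clamd.log relabel earlier in the thread) than a missing allow rule.

```python
"""Summarise SELinux AVC denials from an audit.log for triage.

Added example for this page; not code from the thread, ClamAV or SELinux.
"""
import re
from collections import defaultdict

# Constructed sample: the four AVC records from the thread's audit.log plus
# one non-AVC record, to show that only type=AVC lines are considered.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1150311065.344:5): user pid=2320 uid=0 auid=4294967295 msg='PAM: session open acct=clamav : exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=AVC msg=audit(1150311069.037:9): avc:  denied  { search } for  pid=2352 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1150311069.037:10): avc:  denied  { search } for  pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=AVC msg=audit(1150311069.037:11): avc:  denied  { read } for  pid=2352 comm="freshclam" name="freshclam.conf" dev=dm-0 ino=2736205 scontext=system_u:system_r:freshclam_t:s0 tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=AVC msg=audit(1150311069.037:12): avc:  denied  { search } for  pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
"""

# Header of a type=AVC record: timestamp, serial, result and permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
# key=value pairs after "for", values either quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Third field of a security context: system_u:system_r:freshclam_t:s0 -> freshclam_t."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text):
    """Collapse denials to (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def as_allow_rules(rules):
    """Render the summary as sorted audit2allow-style allow lines."""
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in rules.items()
    )


def relabel_candidates(log_text):
    """Denied file accesses whose target is a *_tmp_t type.

    Heuristic assumed by this example: such a file is probably mislabelled
    and wants restorecon rather than an allow rule.
    """
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and rec["tclass"] == "file"
                and rec["target"].endswith("_tmp_t")):
            found.append((rec["name"], rec["target"]))
    return found


def denied_source_types(rules):
    """Which domains are still being denied; tells you which module to extend."""
    return sorted({src for (src, _, _) in rules})


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    print("denied domains:", ", ".join(denied_source_types(summary)))
    for rule in as_allow_rules(summary):
        print(rule)
    for name, label in relabel_candidates(SAMPLE_AUDIT_LOG):
        print(f"relabel candidate: {name} is {label}; try restorecon on it first")
```

Run against the records quoted above, every remaining denial has freshclam_t as its source, not clamd_t; the myclamd module in the thread only declares rules for clamd_t, so the freshclam denials are outside its scope. The two proc_t/sysctl_kernel_t search denials are the same class of access the module grants clamd_t with kernel_read_kernel_sysctls(); the freshclam.conf read is the relabel candidate, and only if it still fails after relabelling is an allow rule worth considering.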




More information about the fedora-list mailing list