SOLVED: error ClamAV daemon

Peter Lesterhuis peterlesterhuis at tiscali.nl
Wed Jun 14 22:22:24 UTC 2006


>
> OK, I could load the module now.
> > The output of # semodule -l is:
> > # semodule -l
> > amavis  1.0.4
> > clamav  1.0.1
> > myclamd 0.1.0
> > myfreshclam     0.1.0
> > pyzor   1.0.1
> > 
> > I ran the "restorecon"-command (first line only?)
> > After this I could start clamd also in enforced mode.
>   
>
> Good.
>
>   
>> > But in /var/log/audit/audit.log there still are some "avc= denied" messages.
>> > 
>> > # cat audit.log
>>     
>
> (snip non-AVC audit messages)
>
>   
>> > type=AVC msg=audit(1150311069.037:9): avc:  denied  { search } for  
>> > pid=2352 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 
>> > tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
>> > type=SYSCALL msg=audit(1150311069.037:9): arch=40000003 syscall=149 
>> > success=no exit=-1 a0=bf8bb3c0 a1=4f32aff4 a2=4f4a1e00 a3=bf8bb3b8 
>> > items=0 pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
>> > egid=0 sgid=0 fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
>>     
>
> Reading kernel sysctl (not sure what for)
>
>   
>> > type=AVC msg=audit(1150311069.037:10): avc:  denied  { search } for  
>> > pid=2352 comm="freshclam" name="/" dev=proc ino=1 
>> > scontext=system_u:system_r:freshclam_t:s0 
>> > tcontext=system_u:object_r:proc_t:s0 tclass=dir
>> > type=SYSCALL msg=audit(1150311069.037:10): arch=40000003 syscall=5 
>> > success=no exit=-13 a0=4f49e020 a1=0 a2=bf8bb420 a3=b7f9f6bc items=1 
>> > pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
>> > fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
>> > type=CWD msg=audit(1150311069.037:10):  cwd="/"
>> > type=PATH msg=audit(1150311069.037:10): item=0 
>> > name="/proc/sys/kernel/version" flags=101
>>     
>
> Trying to read /proc/sys/kernel/version
>
>   
>> > type=AVC msg=audit(1150311069.037:11): avc:  denied  { read } for  
>> > pid=2352 comm="freshclam" name="freshclam.conf" dev=dm-0 ino=2736205 
>> > scontext=system_u:system_r:freshclam_t:s0 
>> > tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file
>> > type=SYSCALL msg=audit(1150311069.037:11): arch=40000003 syscall=5 
>> > success=no exit=-13 a0=804f7a1 a1=0 a2=1b6 a3=9796090 items=1 pid=2352 
>> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
>> > comm="freshclam" exe="/usr/bin/freshclam"
>> > type=CWD msg=audit(1150311069.037:11):  cwd="/"
>> > type=PATH msg=audit(1150311069.037:11): item=0 
>> > name="/etc/freshclam.conf" flags=101  inode=2736205 dev=fd:00 
>> > mode=0100640 ouid=0 ogid=0 rdev=00:00
>>     
>
> This looks like a labelling issue. Can you post the output of:
>
> # ls -lZ /etc/freshclam.conf
> # restorecon -v /etc/freshclam.conf
>
> Which packages are you using for clamav? I see nothing in the Extras
> version that might result in this.
>
>   
>> > type=AVC msg=audit(1150311069.037:12): avc:  denied  { search } for  
>> > pid=2352 comm="freshclam" name="/" dev=proc ino=1 
>> > scontext=system_u:system_r:freshclam_t:s0 
>> > tcontext=system_u:object_r:proc_t:s0 tclass=dir
>> > type=SYSCALL msg=audit(1150311069.037:12): arch=40000003 syscall=5 
>> > success=no exit=-13 a0=4f315039 a1=0 a2=4f32aff4 a3=9796608 items=1 
>> > pid=2352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
>> > fsgid=0 comm="freshclam" exe="/usr/bin/freshclam"
>> > type=CWD msg=audit(1150311069.037:12):  cwd="/"
>> > type=PATH msg=audit(1150311069.037:12): item=0 
>> > name="/proc/sys/kernel/ngroups_max" flags=101
>>     
>
> Trying to read /proc/sys/kernel/ngroups_max
>
> All the remaining audit messages are not SELinux-related.
>
> Can you let me know if freshclam works OK in enforcing mode after doing
> the "restorecon" above please (also look for any more AVC messages).
>   
# ls -lZ /etc/freshclam.conf
-rw-r-----  root root user_u:object_r:rpm_script_tmp_t /etc/freshclam.conf

# restorecon -v /etc/freshclam.conf
restorecon reset /etc/freshclam.conf context user_u:object_r:rpm_script_tmp_t->system_u:object_r:etc_t

I am using the clamav-package from crash-hat:
 rpm -qi clamav
Name        : clamav                       Relocations: (not relocatable)
Version     : 0.88.2                            Vendor: B.O.F.H. Corp.
Release     : 1                             Build Date: Sun 30 Apr 2006 18:22:02 CEST
Install Date: Tue 09 May 2006 17:37:55 CEST      Build Host: mr.kristof.cz
Group       : System Environment/Daemons    Source RPM: clamav-0.88.2-1.src.rpm
Size        : 2532231                          License: GPL
Signature   : DSA/SHA1, Sun 30 Apr 2006 18:23:38 CEST, Key ID 707526816cdf2cc1
Packager    : Petr at Kristof.CZ
URL         : http://www.clamav.net/
Summary     : Clamav - an antivirus toolkit for Unix
Description :
...

Freshclam works all right.
There are no new AVC messages.

Peter.
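
The triage done by hand in this thread (match each AVC denial to the PATH record with the same audit event ID, then look at the target label) can be scripted. The following is an added example, not part of the original messages; the function name and the "`*_tmp_t` outside /tmp" check are assumptions made for illustration, and the sample input is two denials from the thread rejoined onto single lines with the SYSCALL and CWD records omitted.

```python
import re
from collections import defaultdict

# Records from the thread, rejoined onto single lines as auditd writes them.
SAMPLE_LOG = """\
type=AVC msg=audit(1150311069.037:10): avc:  denied  { search } for  pid=2352 comm="freshclam" name="/" dev=proc ino=1 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir
type=PATH msg=audit(1150311069.037:10): item=0 name="/proc/sys/kernel/version" flags=101
type=AVC msg=audit(1150311069.037:11): avc:  denied  { read } for  pid=2352 comm="freshclam" name="freshclam.conf" dev=dm-0 ino=2736205 scontext=system_u:system_r:freshclam_t:s0 tcontext=user_u:object_r:rpm_script_tmp_t:s0 tclass=file
type=PATH msg=audit(1150311069.037:11): item=0 name="/etc/freshclam.conf" flags=101  inode=2736205 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'denied\s+\{ ([^}]*) \}.*?comm="([^"]+)".*?'
                    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
PATH_RE = re.compile(r'\bname="([^"]+)"')

def summarize_denials(log_text):
    """Join each AVC denial to the PATH record sharing its audit event ID."""
    avcs, paths = [], defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "AVC" and (a := AVC_RE.search(body)):
            avcs.append((event_id, a.groups()))
        elif rtype == "PATH" and (p := PATH_RE.search(body)):
            paths[event_id].append(p.group(1))
    results = []
    for event_id, (perms, comm, scontext, tcontext, tclass) in avcs:
        path = paths[event_id][0] if paths[event_id] else None
        target_type = tcontext.split(":")[2]  # user:role:type[:level]
        # Assumed heuristic (not an SELinux rule): a *_tmp_t type on a file
        # outside /tmp and /var/tmp suggests a stale label, as in this thread.
        suspect = (tclass == "file" and target_type.endswith("tmp_t")
                   and path is not None
                   and not path.startswith(("/tmp/", "/var/tmp/")))
        results.append({"event": event_id, "comm": comm, "perms": perms,
                        "source_type": scontext.split(":")[2],
                        "target_type": target_type, "tclass": tclass,
                        "path": path, "suspect_label": suspect})
    return results

if __name__ == "__main__":
    for r in summarize_denials(SAMPLE_LOG):
        hint = f"  -> check: restorecon -v {r['path']}" if r["suspect_label"] else ""
        print(f"{r['comm']} ({r['source_type']}) denied {{{r['perms']}}} on "
              f"{r['path']} [{r['target_type']}:{r['tclass']}]{hint}")
```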



