Clamd - again...

Dominick Grift domg472 at gmail.com
Mon Aug 23 11:22:57 UTC 2010 

On 08/23/2010 01:18 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 12:12 +0100, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>>>>>>
>>>>>
>>>>> Looks like clamd again/or still runs in the init script domain.
>>>>> Therefore clamdscan cannot connect to it
>>>>>
>>>>> ps -auxZ | grep initrc_t
>>>>
>>>> # ps -auxZ | grep initrc_t
>>>> Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
>>>> system_u:system_r:initrc_t:s0   ddclient  1141  0.0  0.1   9148  1824 ?        S    Aug21   0:02 ddclient - sleeping for 20 seconds
>>>> unconfined_u:system_r:initrc_t:s0 clamav 19801  0.2 27.6 309276 279772 ?       Ssl  Aug22   4:01 /usr/local/sbin/clamd
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0  0.0 4312 728 pts/0 S+ 11:55   0:00 grep initrc_t
>>>
>>> So clamd runs in the wrong domain:
>>>
>>> try:
>>>
>>> matchpathcon /usr/local/sbin/clamd
>>> chcon -t clamd_exec_t /usr/local/sbin/clamd
>>> service clamd restart
>>
>> Not quite sure what went wrong here...
>>
>> # matchpathcon /usr/local/sbin/clamd
>> /usr/local/sbin/clamd	system_u:object_r:bin_t:s0
>> # chcon -t clamd_exec_t /usr/local/sbin/clamd
>> # service clamd restart
>> Stopping clamd:                                            [  OK  ]
>> Starting clamd:                                            [FAILED]
>>
> 
> Addendum:
> 
> Just after I sent this message I saw this:
> 
> Should I try the setsebool command?
> 

Yes but that may have a bug as well (recently fixed) and we can manually
implement it aswell.

But also implement the patch in my previous post to make fallback to non
execmem work.



> 
>      *************************
>      *     !!! ALERT !!!     *
>      * CLAMD IS NOT RUNNING! *
>      *************************
> 
>     Attempting to start ClamD...
> 
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
> LibClamAV Error: cli_load(): Can't open file /usr/local/share/clamav/phish.ndb
> ERROR: Can't open file or directory
>      *************************
>      *     !!! PANIC !!!     *
>      * CLAMD FAILED TO START *
>      *************************
> 
> Check to confirm that the clamd start process defined for
> the 'start_clamd' variable in the 'USER EDIT SECTION' is
> set correctly for your particular distro.  If it is, then
> check your logs to determine why clamd failed to start.
> 
> 
> 
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100823/bf67fe61/attachment.bin

More information about the selinux mailing list