On 08/23/2010 01:18 PM, Arthur Dent wrote:
On Mon, 2010-08-23 at 12:12 +0100, Arthur Dent wrote:
> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>>>>>
>>>>
>>>> Looks like clamd again/or still runs in the init script domain.
>>>> Therefore clamdscan cannot connect to it
>>>>
>>>> ps -auxZ | grep initrc_t
>>>
>>> # ps -auxZ | grep initrc_t
>>> Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
>>> system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S Aug21 0:02 ddclient - sleeping for 20 seconds
>>> unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl Aug22 4:01 /usr/local/sbin/clamd
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728 pts/0 S+ 11:55 0:00 grep initrc_t
>>
>> So clamd runs in the wrong domain:
>>
>> try:
>>
>> matchpathcon /usr/local/sbin/clamd
>> chcon -t clamd_exec_t /usr/local/sbin/clamd
>> service clamd restart
>
> Not quite sure what went wrong here...
>
> # matchpathcon /usr/local/sbin/clamd
> /usr/local/sbin/clamd system_u:object_r:bin_t:s0
> # chcon -t clamd_exec_t /usr/local/sbin/clamd
> # service clamd restart
> Stopping clamd: [ OK ]
> Starting clamd: [FAILED]
>
Addendum:
Just after I sent this message I saw this:
Should I try the setsebool command?
Yes, but that may have a bug as well (recently fixed) and we can manually
implement it as well.
But also implement the patch in my previous post to make fallback to non
execmem work.
*************************
* !!! ALERT !!! *
* CLAMD IS NOT RUNNING! *
*************************
Attempting to start ClamD...
libclamav JIT: Can't allocate RWX Memory: Permission denied
libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access
libclamav JIT: falling back to interpreter mode
LibClamAV Error: cli_load(): Can't open file /usr/local/share/clamav/phish.ndb
ERROR: Can't open file or directory
*************************
* !!! PANIC !!! *
* CLAMD FAILED TO START *
*************************
Check to confirm that the clamd start process defined for
the 'start_clamd' variable in the 'USER EDIT SECTION' is
set correctly for your particular distro. If it is, then
check your logs to determine why clamd failed to start.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
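
The domain check discussed in this thread, as an added example that is not part of the original messages: it matches on the type field of the SELinux context instead of grepping the whole line, so the `grep initrc_t` process itself is not reported. The function names and the sample lines (including the sshd entry) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes whose SELinux domain (the type field of the
# context) is initrc_t, i.e. daemons that never left the init script domain.

# Constructed sample, modelled on the ps output quoted in the thread
# (columns reduced to: context user pid command).
sample_ps() {
cat <<'EOF'
system_u:system_r:initrc_t:s0 ddclient 1141 ddclient - sleeping for 20 seconds
unconfined_u:system_r:initrc_t:s0 clamav 19801 /usr/local/sbin/clamd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 grep initrc_t
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 900 /usr/sbin/sshd
EOF
}

# Read "context user pid command..." lines on stdin and print
# "pid user command" for every process running in the domain given as $1.
# A context is user:role:type:level; the level may itself contain colons,
# so only the third colon-separated field is taken as the type.
procs_in_domain() {
    awk -v want="$1" '{
        split($1, ctx, ":")
        if (ctx[3] == want) {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            print $3, $2, cmd
        }
    }'
}

# Extract the type from a "path context" line as printed by matchpathcon.
label_type() {
    awk '{ split($2, ctx, ":"); print ctx[3] }'
}

# On a live system the input would come from:
#   ps -eo label,user,pid,args --no-headers | procs_in_domain initrc_t
#   matchpathcon /usr/local/sbin/clamd | label_type
sample_ps | procs_in_domain initrc_t
```

A daemon listed here whose executable reports `bin_t` from `label_type` is the situation described in the thread: the binary lacks the entrypoint label (`clamd_exec_t` for clamd), so no transition out of `initrc_t` takes place.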