Quỳnh H Nguyễn wrote:
> Linux distribution is: Redhat Linux 5.1 (Tikanga)
>
> This is the command result that you asked:
>
> [EMAIL PROTECTED] ~]# ls -IRZ /var/clamav
> daily.inc main.cvd mirrors.dat
>

I asked for ls -lRZ not -IRZ. Please run that command.

> [EMAIL PROTECTED] ~]#
>
> Error message in /var/log/messages:
>

Thanks, these messages tell what's the problem.
Short story: your databases should be in /var/lib/clamav instead of /var/clamav.

> type=AVC msg=audit(1201570795.547:6): avc: denied { search } for pid=2098
> comm="clamd" name="kernel" dev=proc ino=-268435416
> scontext=system_u:system_r:clamd_t:s0
> tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
>

Not sure why clamd has to do this, but this is not a fatal error.

> type=SYSCALL msg=audit(1201570795.547:6): arch=40000003 syscall=5 success=no
> exit=-13 a0=c03a64 a1=0 a2=c1dff4 a3=c1f974 items=0 ppid=2097 pid=2098
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) comm="clamd" exe="/usr/sbin/clamd"
> subj=system_u:system_r:clamd_t:s0 key=(null)
>
> type=AVC msg=audit(1201570795.731:7): avc: denied { write } for pid=2099
> comm="clamd" name="clamav" dev=dm-0 ino=2195478
> scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>

DB locking failed, non-fatal.

> type=SYSCALL msg=audit(1201570795.731:7): arch=40000003 syscall=5 success=no
> exit=-13 a0=8f0fc74 a1=242 a2=1fc a3=8f0fc70 items=0 ppid=1 pid=2099
> auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101
> sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd"
> subj=system_u:system_r:clamd_t:s0 key=(null)
>
> type=AVC msg=audit(1201570795.828:8): avc: denied { read } for pid=2099
> comm="clamd" name="clamav" dev=dm-0 ino=2195478
> scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0
> tclass=dir
>

Reading DB fails. The SELinux security context is wrong.
It has been a while since I've written an SELinux policy, but this seems to be the right place to look for the policy:
http://oss.tresys.com/repos/refpolicy/trunk/policy/modules/services/clamav.te

    # var/lib files together with clamd
    manage_dirs_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
    manage_files_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)

Ok, this is a rule for accessing /var/lib, and you've got your database in /var/clamav.

Let's look at the patterns:
http://oss.tresys.com/repos/refpolicy/trunk/policy/modules/services/clamav.fc

It contains:

    /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)

But nothing about /var/clamav.

So try putting your database in /var/lib/clamav, then check with ls -Z that they have the right security context.
(If the security context is wrong, you may need to relabel that directory.)

If the .rpm package has chosen /var/clamav for you, then there is an inconsistency between the clamav rpm package and the SELinux policy package. Please open a bug report with Red Hat about this.

P.S.: check the other pattern in clamav.fc, and make sure your other settings are right.

Best regards,
--Edwin
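
The triage done by hand in the message above can be scripted. The following is an added example, not part of the original message or of ClamAV or refpolicy: it parses the three AVC records quoted in the thread (unwrapped to one per line), groups them by source and target type, and flags targets that carry a generic label such as `var_t`. The function names and the `GENERIC_TYPES` set are assumptions made for this example.

```python
import re

# AVC records from the log quoted in the message above, unwrapped to one per line.
SAMPLE_LOG = """\
type=AVC msg=audit(1201570795.547:6): avc: denied { search } for pid=2098 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=AVC msg=audit(1201570795.731:7): avc: denied { write } for pid=2099 comm="clamd" name="clamav" dev=dm-0 ino=2195478 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1201570795.828:8): avc: denied { read } for pid=2099 comm="clamd" name="clamav" dev=dm-0 ino=2195478 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: generic types that suggest the object sits at a
# path the policy's .fc file does not label, like /var/clamav in the thread.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules match on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (source, target, class, name); flag generic target labels."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"], rec.get("name", "?"))
            groups.setdefault(key, set()).update(rec["perms"])
    return [
        {"source": s, "target": t, "class": c, "name": n,
         "perms": sorted(p), "label_suspect": t in GENERIC_TYPES}
        for (s, t, c, n), p in groups.items()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A row with `label_suspect` set to true is the case diagnosed in the message: clamd_t touching a directory labeled var_t instead of clamd_var_lib_t.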