Hi all,

I couldn't get this issue to reproduce on my test system, but I've put
together a very quick and dirty patch that *should* allow for clamd to
recover from an unexpected SELinux denial. It's not an ideal fix, but I'm
hoping it'll work as intended and will fit your needs until the policy is
updated. I've attached the patch here. Hoping you guys can test it out,
since I can't get the issue to reproduce reliably on a stock CentOS 7.6
install.

- Mickey

On Thu, Feb 14, 2019 at 10:54 AM Dave Lahn <david.l...@forward3d.com> wrote:

> Hi,
>
> We are also seeing the same issue. Did anyone make any progress with this?
>
> The odd thing is, we aren't even seeing any denials in the audit log for
> SELinux, and we have the SELinux booleans set for ClamAV.
>
> When we try to do exclusions, we are also seeing things like this:
>
> "Permission denied to stat /proc/1111 to exclude UIDs... perhaps SELinux
> denial?"
>
> --
> *David Lahn*
> DevOps Engineer
> Development
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
From 20ccc17c46a82cf5cdf42e26b0c25ff901ec2bb7 Mon Sep 17 00:00:00 2001
From: Mickey Sola <ms...@sourcefire.com>
Date: Thu, 14 Feb 2019 15:36:25 -0500
Subject: [PATCH] onas - adding recovery for SELinux denial

---
 clamd/onaccess_fan.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/clamd/onaccess_fan.c b/clamd/onaccess_fan.c
index 39827d3f7..c75e040d6 100644
--- a/clamd/onaccess_fan.c
+++ b/clamd/onaccess_fan.c
@@ -234,7 +234,7 @@ void *onas_fan_th(void *arg)
     } while ((ret == -1 && errno == EINTR) || reload);
 
     time_t start = time(NULL) - 30;
-    while (((bread = read(onas_fan_fd, buf, sizeof(buf))) > 0) || errno == EOVERFLOW) {
+    while (((bread = read(onas_fan_fd, buf, sizeof(buf))) > 0) || errno == EOVERFLOW || errno == EACCES) {
 
         if (errno == EOVERFLOW) {
             if (time(NULL) - start >= 30) {
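Review bot: In the `while` condition, `errno == EOVERFLOW || errno == EACCES` is evaluated whenever `read()` returns 0 or -1, but errno is only meaningful when the call returned -1, so a return of 0 with a stale errno from an earlier call would keep the loop running. Tie the errno tests to the failure case, for example `bread > 0 || (bread == -1 && (errno == EOVERFLOW || errno == EACCES))`, and guard the `if (errno == EOVERFLOW)` check in the body the same way, since as written it also runs after a successful read.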
@@ -247,6 +247,15 @@ void *onas_fan_th(void *arg)
             continue;
         }
 
+        if (errno == EACCES) {
+            logg("!ScanOnAccess: Internal error (failed to read data) ... %s\n", strerror(errno));
+            logg("!ScanOnAccess: Check your SELinux audit logs and consider adding an exception \
+                                    ... recovering and continuing scans...\n");
+
+            errno = 0;
+            continue;
+        }
+
         fmd = (struct fanotify_event_metadata *)buf;
         while (FAN_EVENT_OK(fmd, bread)) {
             scan = 1;
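Review bot: The new `if (errno == EACCES)` branch retries immediately with `continue` and has no delay or retry limit, so a denial that persists will spin this thread and write two error lines to the log on every pass. Add a time check like the `time(NULL) - start >= 30` test in the EOVERFLOW branch, or stop after a bounded number of consecutive failures. The backslash continuation inside the second `logg()` string also puts the next line's leading spaces into the logged message; adjacent string literals would avoid that.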
-- 
2.20.1
