Hi all, I've been having trouble with using clamdscan to scan my entire system ('clamdscan --multiscan --fdpass /') when SELinux is in Enforcing mode due to files of certain SELinux context types.

Environment:

- CentOS 7 with the following packages from the yum repo:
  clamav-lib-0.103.2-1.el7.x86_64
  clamav-data-0.103.2-1.el7.noarch
  clamd-0.103.2-1.el7.x86_64
  clamav-filesystem-0.103.2-1.el7.noarch
  clamav-0.103.2-1.el7.x86_64
  clamav-update-0.103.2-1.el7.x86_64
- Oracle Enterprise Linux 8 with the following packages from the yum repo:
  clamav-lib-0.103.2-1.el8.x86_64
  clamav-data-0.103.2-1.el8.noarch
  clamd-0.103.2-1.el8.x86_64
  clamav-filesystem-0.103.2-1.el8.noarch
  clamav-0.103.2-1.el8.x86_64
  clamav-update-0.103.2-1.el8.x86_64
- clamd runs as the clamscan user, but the same problem exists even if I run clamd as root

1. My /etc/clamd.d/scan.conf:

   # egrep -v "^#|^$" /etc/clamd.d/scan.conf
   LogSyslog yes
   LocalSocket /run/clamd.scan/clamd.sock
   LocalSocketMode 660
   ExcludePath ^/proc/
   ExcludePath ^/sys/
   ExcludePath ^/dev/
   User clamscan

2. SELinux is in Enforcing mode, and I've got the SELinux booleans set appropriately to allow ClamAV to scan the system:

   # getenforce
   Enforcing
   # getsebool -a | grep antivirus
   antivirus_can_scan_system --> on
   antivirus_use_jit --> on

3. When I run a full system scan, it finishes way too fast and doesn't catch the EICAR file that I know is on the system:

   # clamdscan --multiscan --fdpass / 2>/dev/null
   /dev: Excluded
   /proc: Excluded
   /sys: Excluded

   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Total errors: 30
   Time: 6.298 sec (0 m 6 s)
   Start Date: 2021:06:14 18:02:09
   End Date:   2021:06:14 18:02:16

4. This is what /var/log/messages showed after the scan:

   Jun 14 18:02:10 centos7-server clamd[2972]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 18:02:10 centos7-server clamd[2972]: Error condition on fd 10

5. I was able to narrow down which files & directories clamdscan was having trouble with, so I reran the scan on just those:

   # clamdscan --multiscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/
   /var/log/audit/audit.log.4: no reply from clamd
   /etc/gshadow: no reply from clamd
   /etc/gshadow-: no reply from clamd
   /etc/shadow: no reply from clamd
   /etc/shadow-: no reply from clamd
   /etc/security/opasswd: no reply from clamd
   /etc/selinux/semanage.conf: no reply from clamd
   /etc/audit/audit.rules: no reply from clamd

   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Total errors: 8
   Time: 0.006 sec (0 m 0 s)
   Start Date: 2021:06:14 14:30:02
   End Date:   2021:06:14 14:30:02

6. This is what /var/log/messages showed after the scan:

   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
   Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
   Jun 14 14:30:02 centos7-server jdoe: root 192.168.0.10 [23471]: Jun 14 14:30:02 clamdscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/ [2]

7. When I checked audit.log to see why SELinux was blocking the scan, it came back with nothing:

   # ausearch -ts recent | audit2why
   Nothing to do

8. If I set SELinux to Permissive mode, clamdscan is able to scan those files & directories and finds the EICAR file:

   # setenforce 0
   # clamdscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/
   /var/log/audit/eicar.txt: Eicar-Signature FOUND
   /etc/gshadow: OK
   /etc/gshadow-: OK
   /etc/shadow: OK
   /etc/shadow-: OK
   /etc/security/opasswd: OK
   /etc/selinux: OK
   /etc/audit: OK

   ----------- SCAN SUMMARY -----------
   Infected files: 1
   Time: 24.001 sec (0 m 24 s)
   Start Date: 2021:06:14 14:34:37
   End Date:   2021:06:14 14:35:01

9. Again, audit.log doesn't show what would've been blocked if SELinux was in Enforcing mode:

   # ausearch -ts recent | audit2why
   Nothing to do

10. Looking at the SELinux context of the files & directories, I narrowed it down to 4 types that seem to be problematic for clamdscan and SELinux:

   # ls -lZ /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/ | grep '_t' | cut -d: -f3 | sort -u
   auditd_etc_t
   auditd_log_t
   selinux_config_t
   shadow_t

----- QUESTIONS -----

Is this a bug with ClamAV or just SELinux working as designed?

Is there a way for clamdscan to scan files with SELinux context types auditd_etc_t, auditd_log_t, selinux_config_t, and shadow_t using file descriptor passing?

It boggles me that auditd isn't logging anything, otherwise I could try to create a local policy module to allow it.

As a workaround, this is how I'm currently performing a full system scan:

1. Exclude /var/log/audit and /etc from clamd scans in /etc/clamd.d/scan.conf:

   ExcludePath ^/var/log/audit/
   # Excluding all of /etc/ because of Bug 12676 - Segmentation fault with regex, multiscan and fdpass (https://bugzilla.clamav.net/show_bug.cgi?id=12676)
   ExcludePath ^/etc/

2. Run clamdscan on / first:

   clamdscan --multiscan --fdpass /

3. As root, run clamscan separately on /etc & /var/log/audit:

   clamscan --infected --recursive /etc /var/log/audit

Kind Regards,
Ray
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
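The workaround in the post splits the filesystem by hand: clamdscan --fdpass for most of it, a root clamscan for /etc and /var/log/audit. The script below is an added example, not code from the post or from the ClamAV project, that automates the split from the four context types the post isolated. It reads "context path" lines (the shape `stat -c '%C %n'` prints on an SELinux host; the listing embedded here is constructed, not captured from the poster's machine), routes paths carrying auditd_etc_t, auditd_log_t, selinux_config_t or shadow_t to clamscan and everything else to clamdscan. The type list, the function names and the sample listing are this example's own assumptions, and the live driver at the end only runs on a host that actually has both scanners and SELinux.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClamAV.
# Splits scan targets by SELinux file context type: paths whose type is
# one the post found to fail under clamdscan --fdpass are handed to a
# root clamscan, everything else goes to clamdscan. Function names, the
# type list and the sample listing below are this example's own.

# The four types the post isolated as failing with fdpass under Enforcing.
FDPASS_BLOCKED_TYPES="auditd_etc_t auditd_log_t selinux_config_t shadow_t"

# Third colon-separated field of an SELinux context string, i.e. the type:
# "system_u:object_r:shadow_t:s0" -> "shadow_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 if the type is in FDPASS_BLOCKED_TYPES, 1 otherwise.
is_fdpass_blocked() {
    for t in $FDPASS_BLOCKED_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Read "context path" lines on stdin (what `stat -c '%C %n'` prints on an
# SELinux host) and print only the paths whose type is in the blocked set.
select_blocked_paths() {
    while IFS=' ' read -r ctx path; do
        [ -n "$ctx" ] || continue
        if is_fdpass_blocked "$(context_type "$ctx")"; then
            printf '%s\n' "$path"
        fi
    done
}

# Complement of select_blocked_paths: paths that can stay on clamdscan --fdpass.
select_fdpass_paths() {
    while IFS=' ' read -r ctx path; do
        [ -n "$ctx" ] || continue
        if ! is_fdpass_blocked "$(context_type "$ctx")"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample standing in for `stat -c '%C %n'` output; two of the
# five entries carry types that are not in the blocked set.
SAMPLE_LISTING='system_u:object_r:shadow_t:s0 /etc/shadow
system_u:object_r:etc_t:s0 /etc/hosts
system_u:object_r:auditd_log_t:s0 /var/log/audit/audit.log
system_u:object_r:selinux_config_t:s0 /etc/selinux/semanage.conf
system_u:object_r:var_log_t:s0 /var/log/messages'

# Paths from the sample that need the clamscan fallback, one per line.
blocked_from_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | select_blocked_paths
}

# Paths from the sample that can be scanned through fdpass.
fdpass_from_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | select_fdpass_paths
}

# Live driver for an SELinux host (not exercised here): list the files under
# the given directories with their contexts, then scan each group with the
# matching tool. clamscan must run as root to read shadow_t files.
scan_split() {
    listing=$(find "$@" -type f -exec stat -c '%C %n' {} +)
    printf '%s\n' "$listing" | select_fdpass_paths \
        | xargs -r clamdscan --multiscan --fdpass --infected
    printf '%s\n' "$listing" | select_blocked_paths \
        | xargs -r clamscan --infected
}

# Usage on a real host: scan_split /etc /var/log/audit
```

On the question of the empty audit.log: a denial that ausearch and audit2why never show is frequently covered by a dontaudit rule in the loaded policy. `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denial is written to audit.log and can be fed to audit2allow, and `semodule -B` restores the normal policy afterwards. That is a general SELinux diagnostic step, not something the post reports having tried.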
