Re: [Clamav-users] clamav-milter: unreasonable packet length
Jan Hrdonka wrote:
> Hello,
> I use postfix+clamav-milter on Debian 4.0 and I noticed the following error messages in the log:
>
> postfix/smtpd[26955]: connect from mx1.atlascz.net[194.212.229.235]
> postfix/smtpd[26955]: warning: milter unix:clamav/clamav-milter.ctl: unreasonable packet length: 1281974851
> postfix/smtpd[26955]: NOQUEUE: milter-reject: RCPT from mx1.atlascz.net[194.212.229.235]: 451 4.7.1 Service unavailable - try again later; from=<...> proto=ESMTP helo=
> clamav-milter[2801]: ClamAv, mi_rd_cmd: read returned -1: Connection reset by peer
> postfix/smtpd[26955]: lost connection after RSET from mx1.atlascz.net[194.212.229.235]
> postfix/smtpd[26955]: disconnect from mx1.atlascz.net[194.212.229.235]
>
> It happens only from time to time (once per circa 1000 delivered messages). It seems that at least some of the failed mails are successfully delivered a bit later.
> These errors started after upgrading from Clamav 0.90 (stable) to Clamav 0.91 (testing). I tried to upgrade Postfix as well (from 2.3.8 to 2.4.6) but it didn't help.

Please try 0.92, some changes were made which may help. We couldn't reproduce the problem, so I'd like to know if the 0.92 changes have helped.

> Any idea what's wrong or how to fix it?
> Thank you very much in advance.

-Nigel

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Problem with clamav on Linux
Török Edwin wrote:
> Quỳnh H Nguyễn wrote:
>> After removing it manually, there is still an error when clamd starts; it will
>> create /tmp/clamd.socket
>>
>> And this is the next error. If this problem is solved, I think you have fixed my
>> error. I'm so sorry because I cannot understand how to configure and fix it by
>> myself! I'm a newbie.
>>
>
> The policy file says the socket should be created here. Edit clamd.conf
> and move the socket here:
>
> /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
>

And as such it has absolutely nothing to do with clamav and everything to do with selinux and understanding log files. Edwin - you have been extremely kind and helpful to this clueless noob who continues to post in the wrong mailing list. Perhaps he should gain a better understanding of his system before trying to incorporate things like clamav - especially with selinux involved!
Re: [Clamav-users] A small survey about limits (Oversized.Zip and friends)
aCaB wrote:
| So now the real questions are:
| 1- Do you have a real usage scenario for "Oversized.Zip" and friends?

Maybe put a warning in the email message clarifying that the file could not be checked by clamav instead of flagging it as an 'Oversized.Zip' virus. This may be more useful for the receiver and sender to know than to actually cause an annoying DoS prevention.

| 2- Are you aware of what the ArchiveBlockMax option does and if so, have
| you set it to "on"? And why?

No, I'm using the default of 'no', since I haven't read the documentation yet on that feature (really my fault).

James
Re: [Clamav-users] A small survey about limits (Oversized.Zip and friends)
James Kosin wrote:
> Maybe put a warning in the email message clarifying that the file could
> not be checked by clamav instead of flagging it as an 'Oversized.Zip'
> virus. This may be more useful for the receiver and sender to know than
> to actually cause an annoying DoS prevention.

Hey James,
Thanks for the feedback.
Yeh, that's the idea behind Oversized and friends.
But that, of course, requires the clamav output to be postprocessed.

So to tune my question (sorry if I wasn't clear in the first place)...
Is anybody doing that in real life? That is, do you want us to keep such a "feature"?

Thanks,
-aCaB
[Clamav-users] A small survey about limits (Oversized.Zip and friends)
Hi list.
I'm in the process of redesigning the logic of limits in ClamAV.
The rewrite (scheduled for the upcoming 0.93) is aimed at solving, once and for all, the annoyances related to config options like (clamd.conf-style): ArchiveMaxFileSize, ArchiveMaxRecursion, ArchiveMaxFiles and so on...

All these limits are designed to avoid DoS conditions, but the many requests we've received, the false positive reports, and the threads on this very ML clearly showed that the actual implementation isn't particularly smart.

Now, the new design goals I have in mind are basically: "keep safe, but do not annoy!"
In other words, I'd like to keep the internal, configurable limits nearly as they are (be safe from DoS), but I'd like to get rid of those "features" that proved to be not useful and very annoying.

So now the real questions are:
1- Do you have a real usage scenario for "Oversized.Zip" and friends?
2- Are you aware of what the ArchiveBlockMax option does and if so, have you set it to "on"? And why?

Thanks a lot for your attention and your time.

-aCaB
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> Dear Edwin,
>
> After executing your command "fixfiles restore /var/lib/clamav", there is
> another error, but I think that you are close to fixing my error.
>
> Jan 30 05:21:07 home clamd[2099]: Socket file /tmp/clamd.socket exists. Unclean shutdown? Removing...
> Jan 30 05:21:08 home clamd[2099]: Socket file /tmp/clamd.socket could not be removed: Permission denied
> Jan 30 05:21:10 home setroubleshoot: SELinux is preventing the /usr/sbin/clamd from using potentially mislabeled files (clamd.socket). For complete SELinux messages. run sealert -l 2529b92e-97c0-460b-9f44-f56879f4
> Jan 30 05:21:10 home setroubleshoot: SELinux is preventing the /usr/sbin/clamd from using potentially mislabeled files (clamd.socket). For complete SELinux messages. run sealert -l 6677dd93-d87d-4b0f-a7e8-a9097aefc086
>

Remove /tmp/clamd.socket manually. Clamd is not allowed to delete it, because the contexts don't match.

--Edwin
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> Dear Edwin,
>
> Firstly thank you very much for your detailed help and information.
>
> I tried to move /var/clamav to /var/lib/clamav as you suggested.

Ok.

> [EMAIL PROTECTED] lib]# ls -lRZ /var/lib/clamav
> /var/lib/clamav:
> drwxr-xr-x clamav clamav root:object_r:var_lib_t daily.inc
> -rw-r--r-- clamav clamav root:object_r:var_lib_t main.cvd
> -rw------- clamav clamav root:object_r:var_lib_t mirrors.dat
>
> /var/lib/clamav/daily.inc:
> -rw-r--r-- clamav clamav root:object_r:var_lib_t COPYING
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.cfg
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.db
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.fp
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.hdb
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.hdu
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.info
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.mdb
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.mdu
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.ndb
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.ndu
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.pdb
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.wdb
> -rw-r--r-- clamav clamav root:object_r:var_lib_t daily.zmd

Ok, the security context is not good (it is the generic var_lib_t instead of the clamav-specific context). Try running:

fixfiles restore /var/lib/clamav

Best regards,
--Edwin
[Clamav-users] clamav-milter: unreasonable packet length
Hello,
I use postfix+clamav-milter on Debian 4.0 and I noticed the following error messages in the log:

postfix/smtpd[26955]: connect from mx1.atlascz.net[194.212.229.235]
postfix/smtpd[26955]: warning: milter unix:clamav/clamav-milter.ctl: unreasonable packet length: 1281974851
postfix/smtpd[26955]: NOQUEUE: milter-reject: RCPT from mx1.atlascz.net[194.212.229.235]: 451 4.7.1 Service unavailable - try again later; from=<...> proto=ESMTP helo=
clamav-milter[2801]: ClamAv, mi_rd_cmd: read returned -1: Connection reset by peer
postfix/smtpd[26955]: lost connection after RSET from mx1.atlascz.net[194.212.229.235]
postfix/smtpd[26955]: disconnect from mx1.atlascz.net[194.212.229.235]

It happens only from time to time (once per circa 1000 delivered messages). It seems that at least some of the failed mails are successfully delivered a bit later.
These errors started after upgrading from Clamav 0.90 (stable) to Clamav 0.91 (testing). I tried to upgrade Postfix as well (from 2.3.8 to 2.4.6) but it didn't help.

Any idea what's wrong or how to fix it?
Thank you very much in advance.

H.
--
Jan Hrdonka
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> After removing it manually, there is still an error when clamd starts; it will
> create /tmp/clamd.socket
>
> And this is the next error. If this problem is solved, I think you have fixed my
> error. I'm so sorry because I cannot understand how to configure and fix it by
> myself! I'm a newbie.
>

The policy file says the socket should be created here. Edit clamd.conf and move the socket here:

/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)

--Edwin
Re: [Clamav-users] Problem with clamav on Linux
After removing it manually, there is still an error when clamd starts; it will create /tmp/clamd.socket

And this is the next error. If this problem is solved, I think you have fixed my error. I'm so sorry because I cannot understand how to configure and fix it by myself! I'm a newbie.

This is /var/log/clamd.log:

Wed Jan 30 05:36:53 2008 -> +++ Started at Wed Jan 30 05:36:53 2008
Wed Jan 30 05:36:53 2008 -> clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i386)
Wed Jan 30 05:36:54 2008 -> Running as user clamav (UID 100, GID 101)
Wed Jan 30 05:36:54 2008 -> Log file size limit disabled.
Wed Jan 30 05:36:54 2008 -> Reading databases from /var/lib/clamav
Wed Jan 30 05:37:21 2008 -> Loaded 198636 signatures.
Wed Jan 30 05:37:21 2008 -> Bound to address 127.0.0.1 on tcp port 3310
Wed Jan 30 05:37:21 2008 -> Setting connection queue length to 30
Wed Jan 30 05:37:21 2008 -> ERROR: Socket file /tmp/clamd.socket could not be bound: Permission denied

This is /var/log/messages:

Jan 30 05:37:21 home clamd[2100]: Loaded 198636 signatures.
Jan 30 05:37:21 home clamd[2100]: Bound to address 127.0.0.1 on tcp port 3310
Jan 30 05:37:21 home clamd[2100]: Setting connection queue length to 30
Jan 30 05:37:21 home clamd[2100]: Socket file /tmp/clamd.socket could not be bound: Permission denied
Jan 30 05:37:29 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "search" access to kernel (sysctl_kernel_t). For complete SELinux messages. run sealert -l a81544c7-7a39-400f-af93-719ff8581a98
Jan 30 05:37:30 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "read" access to meminfo (proc_t). For complete SELinux messages. run sealert -l 2a69d630-6e5d-4c43-a15f-b4ffbef2a6ff
Jan 30 05:37:30 home setroubleshoot: SELinux is preventing the /usr/sbin/clamd from using potentially mislabeled files (clamd.socket). For complete SELinux messages. run sealert -l 5eb8ba4d-d194-45cf-b156-1b4901d7c710

This is /var/log/audit/audit.log:

type=AVC msg=audit(1201646213.824:6): avc: denied { search } for pid=2099 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1201646213.824:6): arch=4003 syscall=5 success=no exit=-13 a0=c03a64 a1=0 a2=c1dff4 a3=c1f974 items=0 ppid=2098 pid=2099 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201646234.743:14): avc: denied { read } for pid=2100 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1201646234.743:14): arch=4003 syscall=5 success=no exit=-13 a0=c03df2 a1=0 a2=1b6 a3=9798d08 items=0 ppid=1 pid=2100 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201646241.893:15): avc: denied { create } for pid=2100 comm="clamd" name="clamd.socket" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1201646241.893:15): arch=4003 syscall=102 success=no exit=-13 a0=2 a1=bff5fb10 a2=911e238 a3=6 items=0 ppid=1 pid=2100 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
Re: [Clamav-users] Problem with clamav on Linux
Dear Edwin,

After executing your command "fixfiles restore /var/lib/clamav", there is another error, but I think that you are close to fixing my error.

Here is /var/log/clamav/clamd.log:

Wed Jan 30 05:20:58 2008 -> +++ Started at Wed Jan 30 05:20:58 2008
Wed Jan 30 05:20:58 2008 -> clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i386)
Wed Jan 30 05:20:58 2008 -> Running as user clamav (UID 100, GID 101)
Wed Jan 30 05:20:58 2008 -> Log file size limit disabled.
Wed Jan 30 05:20:58 2008 -> Reading databases from /var/lib/clamav
Wed Jan 30 05:21:07 2008 -> Loaded 198636 signatures.
Wed Jan 30 05:21:07 2008 -> Bound to address 127.0.0.1 on tcp port 3310
Wed Jan 30 05:21:07 2008 -> Setting connection queue length to 30
Wed Jan 30 05:21:07 2008 -> WARNING: Socket file /tmp/clamd.socket exists. Unclean shutdown? Removing...
Wed Jan 30 05:21:08 2008 -> ERROR: Socket file /tmp/clamd.socket could not be removed: Permission denied

Here is /var/log/messages:

Jan 30 05:20:58 home clamd[2099]: clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i386)
Jan 30 05:20:58 home clamd[2099]: Running as user clamav (UID 100, GID 101)
Jan 30 05:20:58 home clamd[2099]: Log file size limit disabled.
Jan 30 05:20:58 home clamd[2099]: Reading databases from /var/lib/clamav
Jan 30 05:21:02 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "search" access to kernel (sysctl_kernel_t). For complete SELinux messages. run sealert -l a81544c7-7a39-400f-af93-719ff8581a98
Jan 30 05:21:06 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "read" access to meminfo (proc_t). For complete SELinux messages. run sealert -l 2a69d630-6e5d-4c43-a15f-b4ffbef2a6ff
Jan 30 05:21:07 home clamd[2099]: Loaded 198636 signatures.
Jan 30 05:21:07 home clamd[2099]: Bound to address 127.0.0.1 on tcp port 3310
Jan 30 05:21:07 home clamd[2099]: Setting connection queue length to 30
Jan 30 05:21:07 home clamd[2099]: Socket file /tmp/clamd.socket exists. Unclean shutdown? Removing...
Jan 30 05:21:08 home clamd[2099]: Socket file /tmp/clamd.socket could not be removed: Permission denied
Jan 30 05:21:10 home setroubleshoot: SELinux is preventing the /usr/sbin/clamd from using potentially mislabeled files (clamd.socket). For complete SELinux messages. run sealert -l 2529b92e-97c0-460b-9f44-f56879f4
Jan 30 05:21:10 home setroubleshoot: SELinux is preventing the /usr/sbin/clamd from using potentially mislabeled files (clamd.socket). For complete SELinux messages. run sealert -l 6677dd93-d87d-4b0f-a7e8-a9097aefc086

Here is /var/log/audit/audit.log:

type=AVC msg=audit(1201645258.726:6): avc: denied { search } for pid=2098 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1201645258.726:6): arch=4003 syscall=5 success=no exit=-13 a0=c03a64 a1=0 a2=ae7264 a3=c1f974 items=0 ppid=2097 pid=2098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201645263.904:7): avc: denied { read } for pid=2099 comm="clamd" name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1201645263.904:7): arch=4003 syscall=5 success=no exit=-13 a0=c03df2 a1=0 a2=1b6 a3=937ed08 items=0 ppid=1 pid=2099 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201645267.988:8): avc: denied { write } for pid=2099 comm="clamd" name="clamd.socket" dev=dm-0 ino=3473422 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1201645267.988:8): arch=4003 syscall=102 success=no exit=-13 a0=3 a1=bf9ac3d0 a2=8d04238 a3=6 items=0 ppid=1 pid=2099 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201645267.995:9): avc: denied { unlink } for pid=2099 comm="clamd" name="clamd.socket" dev=dm-0 ino=3473422 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1201645267.995:9): arch=4003 syscall=10 success=no exit=-13 a0=bf9ac44c a1=0 a2=8d04238 a3=6 items=0 ppid=1 pid=2099 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
Re: [Clamav-users] A small survey about limits (Oversized.Zip and friends)
Hi aCaB:

Since you've clarified your meaning, I can state that I don't use those features.

On Jan 29, 2008, at 12:07 PM, aCaB wrote:
> James Kosin wrote:
>> Maybe put a warning in the email message clarifying that the file could
>> not be checked by clamav instead of flagging it as an 'Oversized.Zip'
>> virus. This may be more useful for the receiver and sender to know than
>> to actually cause an annoying DoS prevention.
>
> Hey James,
> Thanks for the feedback.
> Yeh, that's the idea behind Oversized and friends.
> But that, of course, requires the clamav output to be postprocessed.
>
> So to tune my question (sorry if I wasn't clear in the first place)...
> Is anybody doing that in real life? That is, do you want us to keep such a "feature"?
>
> Thanks,
> -aCaB
Re: [Clamav-users] Problem with clamav on Linux
Dear Edwin,

Firstly thank you very much for your detailed help and information.

I tried to move /var/clamav to /var/lib/clamav as you suggested.

[EMAIL PROTECTED] lib]# ls -lRZ /var/lib/clamav
/var/lib/clamav:
drwxr-xr-x clamav clamav root:object_r:var_lib_t daily.inc
-rw-r--r-- clamav clamav root:object_r:var_lib_t main.cvd
-rw------- clamav clamav root:object_r:var_lib_t mirrors.dat

/var/lib/clamav/daily.inc:
-rw-r--r-- clamav clamav root:object_r:var_lib_t COPYING
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.cfg
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.db
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.fp
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.hdb
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.hdu
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.info
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.mdb
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.mdu
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.ndb
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.ndu
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.pdb
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.wdb
-rw-r--r-- clamav clamav root:object_r:var_lib_t daily.zmd
[EMAIL PROTECTED] lib]#

I modified /etc/clamd.conf and /etc/freshclam.conf for clamd and freshclam, and rebooted the system. The error is still there.

/var/log/clamd.log:

Wed Jan 30 04:37:38 2008 -> +++ Started at Wed Jan 30 04:37:38 2008
Wed Jan 30 04:37:38 2008 -> clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i386)
Wed Jan 30 04:37:38 2008 -> Running as user clamav (UID 100, GID 101)
Wed Jan 30 04:37:38 2008 -> Log file size limit disabled.
Wed Jan 30 04:37:38 2008 -> Reading databases from /var/lib/clamav
Wed Jan 30 04:37:38 2008 -> ERROR: Unable to open file or directory

Error in /var/log/messages:

Jan 30 04:37:38 home clamd[2100]: clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i386)
Jan 30 04:37:38 home clamd[2100]: Running as user clamav (UID 100, GID 101)
Jan 30 04:37:38 home clamd[2100]: Log file size limit disabled.
Jan 30 04:37:38 home clamd[2100]: Reading databases from /var/lib/clamav
Jan 30 04:37:38 home clamd[2100]: Unable to open file or directory
Jan 30 04:37:42 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "search" access to kernel (sysctl_kernel_t). For complete SELinux messages. run sealert -l a81544c7-7a39-400f-af93-719ff8581a98
Jan 30 04:37:42 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "write" to clamav (var_lib_t). For complete SELinux messages. run sealert -l 3d9dbdd2-e6e9-4d61-a938-3733e05b5ab7
Jan 30 04:37:42 home setroubleshoot: SELinux is preventing /usr/sbin/clamd (clamd_t) "read" access to clamav (var_lib_t). For complete SELinux messages. run sealert -l 85d47553-cc29-4d53-b361-aeb35e537e1b

Error in /var/log/audit/audit.log:

type=AVC msg=audit(1201642658.094:6): avc: denied { search } for pid=2099 comm="clamd" name="kernel" dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1201642658.094:6): arch=4003 syscall=5 success=no exit=-13 a0=c03a64 a1=0 a2=c1dff4 a3=c1f974 items=0 ppid=2098 pid=2099 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201642658.244:7): avc: denied { write } for pid=2100 comm="clamd" name="clamav" dev=dm-0 ino=2195477 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1201642658.244:7): arch=4003 syscall=5 success=no exit=-13 a0=8b63c7c a1=242 a2=1fc a3=8b63c78 items=0 ppid=1 pid=2100 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201642658.350:8): avc: denied { read } for pid=2100 comm="clamd" name="clamav" dev=dm-0 ino=2195477 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1201642658.350:8): arch=4003 syscall=5 success=no exit=-13 a0=8b5f448 a1=18800 a2=0 a3=8b63d88 items=0 ppid=1 pid=2100 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm="clamd" exe="/usr/sbin/clamd" subj=system_u:system_r:clamd_t:s0 key=(null)

Please help me more! Thanks in advance!
Re: [Clamav-users] Problem with clamav on Linux
Dear Edwin and Jim,

Thank you very much for your help and messages. And I'm so sorry if I disturb this mailing list, because I'm a newbie learning about Linux!

After receiving a series of replies from Edwin, I can understand more about clamav. And I think it is a good case study for any newbie like me! And I think that Jim is right when he said that the problem is SELinux. However, could you please suggest some topics about SELinux for me to fix this problem for clamav? I also try by myself, but if I have some instruction from you, I think I will learn faster and fix my error sooner!

Thank you for everything!
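The AVC records pasted in this thread all share one shape, and Edwin's diagnosis (the socket and the database directory carry the generic types tmp_t and var_lib_t instead of the clamd-specific type the policy expects) can be checked mechanically. The following Python is an added example, not code from the thread or from ClamAV: it parses type=AVC lines (the sample records are copied from the audit.log excerpts above), separates denials that a relabel or a move can fix from denials against kernel pseudo-filesystem types that only a policy change can fix, and checks a clamd.conf socket path against the file-context line Edwin quoted. The sets of "generic" and "kernel" types are my own assumption about what counts as mislabeled versus a policy gap.

```python
import re
from collections import Counter

# type=AVC msg=audit(<ts>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: generic types a confined daemon never owns. A denial against one
# means the object is mislabeled (fixfiles restore) or lives outside the path
# the policy expects (move it, as Edwin advised for the socket).
GENERIC_TYPES = {"tmp_t", "var_lib_t", "var_run_t", "var_t", "etc_t", "default_t"}
# Assumption: kernel pseudo-filesystem types; relabeling cannot help here.
KERNEL_TYPES = {"proc_t", "sysctl_kernel_t", "sysctl_t", "sysfs_t"}

def ctx_type(context):
    """'system_u:object_r:tmp_t:s0' -> 'tmp_t'."""
    return context.split(":")[2]

def parse_avc(line):
    """Return a dict for a type=AVC record, None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["target_type"] = ctx_type(rec["tcontext"])
    return rec

def classify(rec):
    if rec["target_type"] in GENERIC_TYPES:
        return "mislabeled_or_misplaced"
    if rec["target_type"] in KERNEL_TYPES:
        return "policy_gap"
    return "other"

# One file-context spec: <path regex> [-class] gen_context(<context>,<level>)
FC_RE = re.compile(
    r'^(?P<path>\S+)\s+(?:-(?P<cls>\S)\s+)?gen_context\((?P<ctx>[^,]+),[^)]+\)')
FC_CLASS = {"s": "sock_file", "d": "dir", "-": "file", "l": "lnk_file", "p": "fifo_file"}

def parse_fcontext(line):
    m = FC_RE.match(line.strip())
    if not m:
        raise ValueError("not a file-context spec: %r" % line)
    cls = m.group("cls")
    return {"path_re": re.compile(m.group("path")),
            "tclass": FC_CLASS[cls] if cls else None,   # None: any class
            "type": ctx_type(m.group("ctx"))}

def covered_by(spec, path, tclass="sock_file"):
    """True when the policy would label `path` (of class `tclass`) spec['type']."""
    return spec["tclass"] in (None, tclass) and spec["path_re"].fullmatch(path) is not None

def summarize(lines):
    """Count denials by (comm, tclass, target type, triage class)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        counts[(rec["comm"], rec["tclass"], rec["target_type"], classify(rec))] += 1
    return counts

# AVC records copied from the audit.log excerpts in this thread.
SAMPLE = [
    'type=AVC msg=audit(1201646213.824:6): avc: denied { search } for pid=2099 comm="clamd" '
    'name="kernel" dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir',
    'type=AVC msg=audit(1201646234.743:14): avc: denied { read } for pid=2100 comm="clamd" '
    'name="meminfo" dev=proc ino=-268435454 scontext=system_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'type=AVC msg=audit(1201646241.893:15): avc: denied { create } for pid=2100 comm="clamd" '
    'name="clamd.socket" scontext=system_u:system_r:clamd_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1201642658.244:7): avc: denied { write } for pid=2100 comm="clamd" '
    'name="clamav" dev=dm-0 ino=2195477 scontext=system_u:system_r:clamd_t:s0 '
    'tcontext=root:object_r:var_lib_t:s0 tclass=dir',
]
# The file-context line Edwin quoted from the policy.
POLICY_LINE = r"/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)"

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print("%2d x %-6s %-10s %-18s -> %s" % ((n,) + key))
    spec = parse_fcontext(POLICY_LINE)
    for sock in ("/tmp/clamd.socket", "/var/spool/amavisd/clamd.sock"):
        print(sock, "->", spec["type"] if covered_by(spec, sock) else "not covered by policy")
```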
Re: [Clamav-users] A small survey about limits (Oversized.Zip and friends)
The oversized zip setting can get very annoying, especially if you are using KlamAV or some other GUI. To the second, I do not use it, though I do know what it is.

On Tue, 2008-01-29 at 17:30 +0100, aCaB wrote:
> Hi list.
> I'm in the process of redesigning the logic of limits in ClamAV.
> The rewrite (scheduled for the upcoming 0.93) is aimed at solving, once
> and for all, the annoyances related to config options like
> (clamd.conf-style): ArchiveMaxFileSize, ArchiveMaxRecursion,
> ArchiveMaxFiles and so on...
>
> All these limits are designed to avoid DoS conditions, but the many
> requests we've received, the false positive reports, and the threads on this
> very ML clearly showed that the actual implementation isn't
> particularly smart.
>
> Now, the new design goals I have in mind are basically: "keep safe, but
> do not annoy!"
> In other words, I'd like to keep the internal, configurable limits
> nearly as they are (be safe from DoS), but I'd like to get rid of those
> "features" that proved to be not useful and very annoying.
>
> So now the real questions are:
> 1- Do you have a real usage scenario for "Oversized.Zip" and friends?
> 2- Are you aware of what the ArchiveBlockMax option does and if so, have
> you set it to "on"? And why?
>
> Thanks a lot for your attention and your time.
>
> -aCaB
[Clamav-users] problem about wildcard |
To whom it may concern,

Thanks to the help from Edwin, kgd and guenther, I have solved the problem with wildcards, such as *, ??, {n}, {n-}, {-n}, etc., in ClamAV's signatures.

But there is still a problem. When I tried to build a signature with the | wildcard, I still didn't succeed. My signature is like this:

Worm.Yawen (Clam)=(6161|6262)

I want to use this signature to match "aa" or "bb". It is reported as a malformed database: ERROR: Malformed database.

Do you have any comments on this issue? Thanks.

Best regards,
Xue Wen
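As an added example (not ClamAV's own matcher and not from the thread), the following Python translates a hex signature body using the wildcards named above, including the (aa|bb) alternation, into a bytes regex and scans data with it, so the intent of Worm.Yawen (Clam)=(6161|6262) can be tested against "aa" and "bb". The thread does not say why clamd rejects that line, so the ValueError raised here covers only lexically malformed bodies; the wildcard meanings follow the ClamAV signature documentation as I know it, and the extra signature lines are constructed for the demonstration.

```python
import re

# Wildcards in ClamAV hex signatures and their documented meaning:
#   ??      any single byte            *       any number of bytes
#   {n}     exactly n bytes            {n-}    n or more bytes
#   {-n}    n or fewer bytes           {n-m}   between n and m bytes
#   (aa|bb) one of the listed hex byte sequences
TOKEN_RE = re.compile(
    r'(?P<any>\?\?)|(?P<star>\*)|\{(?P<lo>\d*)(?P<dash>-)?(?P<hi>\d*)\}'
    r'|\((?P<alt>[0-9A-Fa-f|]+)\)|(?P<byte>[0-9A-Fa-f]{2})')

def _literal(hexstr):
    """Escape an even-length hex string as a literal inside a bytes regex."""
    if not hexstr or len(hexstr) % 2:
        raise ValueError("Malformed signature: bad hex %r" % hexstr)
    return re.escape(bytes.fromhex(hexstr))

def hexsig_to_regex(body):
    """Translate the hex part of a signature into a compiled bytes regex."""
    out, pos = [], 0
    while pos < len(body):
        m = TOKEN_RE.match(body, pos)
        if not m:
            raise ValueError("Malformed signature at offset %d: %r" % (pos, body[pos:]))
        pos = m.end()
        if m.group("any"):
            out.append(b".")
        elif m.group("star"):
            out.append(b".*?")
        elif m.group("alt") is not None:
            alts = [_literal(a) for a in m.group("alt").split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        elif m.group("byte"):
            out.append(_literal(m.group("byte")))
        else:  # {n}, {n-}, {-n} or {n-m}
            lo, dash, hi = m.group("lo"), m.group("dash"), m.group("hi")
            if not lo and not hi:
                raise ValueError("Malformed signature: empty range in %r" % body)
            if dash:
                out.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
            else:
                out.append(b".{%d}" % int(lo))
    return re.compile(b"".join(out), re.DOTALL)

def parse_signature(line):
    """'Name=HEXSIG' -> (name, compiled regex); raises ValueError if malformed."""
    name, sep, body = line.strip().partition("=")
    if not (sep and name and body):
        raise ValueError("Malformed signature line: %r" % line)
    return name, hexsig_to_regex(body)

def scan(data, sig_line):
    """Return the signature name if `data` matches anywhere, else None."""
    name, rx = parse_signature(sig_line)
    return name if rx.search(data) else None

# The signature from the message above, plus constructed ones for the other wildcards.
SIG_ALT = "Worm.Yawen (Clam)=(6161|6262)"
SIG_PE = "Test.PE=4d5a??0000*50450000"                  # constructed: MZ ?? 00 00 ... PE 00 00
SIG_GAPS = "Test.Gaps=6161{2}6262{-3}6363{1-}6464"     # constructed: aa..bb<=3cc>=1dd

if __name__ == "__main__":
    for data in (b"xxaaxx", b"bb", b"ab"):
        print(data, "->", scan(data, SIG_ALT))
    print(scan(b"MZ\x90\x00\x00junkPE\x00\x00", SIG_PE))
    try:
        scan(b"", "Bad=(6|6262)")
    except ValueError as exc:
        print("rejected:", exc)
```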