Bug 1028681

Summary: SELinux is preventing /usr/bin/clamscan from 'getattr' accesses on the file /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb.
Product: [Fedora] Fedora Reporter: Artemio <artemio.silva>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: artemio.silva, dominick.grift, dwalsh, lvrabec, matbos, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:92bcfc71e3b01674bca22a91fffe2dce8c9d080c0e8f8f8844bd6dd089b1ffb0
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-20 10:46:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Artemio 2013-11-09 13:55:17 UTC 
Description of problem:
executando o antivirus quando o erro foi apresentado
SELinux is preventing /usr/bin/clamscan from 'getattr' accesses on the file /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb.

*****  Plugin restorecon (92.2 confidence) suggests  *************************

If você deseja reparar este rótulo.
/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb rótulo padrão deve ser var_lib_t.
Then você pode executar o restorecon.
Do
# /sbin/restorecon -v /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If você deseja allow antivirus to can scan system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'None' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If você acredita que o clamscan deva ser permitido acesso de getattr em securiteinfoelf.hdb file  por default.
Then você precisa reportar este como um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso agora executando:
# grep clamscan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_var_lib_t:s0
Target Objects                /var/lib/clamav-unofficial-sigs/si-
                              dbs/securiteinfoelf.hdb [ file ]
Source                        clamscan
Source Path                   /usr/bin/clamscan
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           clamav-0.98-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.4.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.1-200.fc19.x86_64 #1 SMP Sat
                              Sep 14 15:04:51 UTC 2013 x86_64 x86_64
Alert Count                   13
First Seen                    2013-11-09 11:49:00 BRST
Last Seen                     2013-11-09 11:49:14 BRST
Local ID                      6a1625c7-90d4-4396-8d1b-c734d7777b11

Raw Audit Messages
type=AVC msg=audit(1384004954.939:548): avc:  denied  { getattr } for  pid=7083 comm="clamscan" path="/var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb" dev="dm-1" ino=3280713 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file


type=SYSCALL msg=audit(1384004954.939:548): arch=x86_64 syscall=stat success=no exit=EACCES a0=638300 a1=7fff6fe7e610 a2=7fff6fe7e610 a3=7fff6fe7e3b0 items=0 ppid=6700 pid=7083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm=clamscan exe=/usr/bin/clamscan subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)

Hash: clamscan,antivirus_t,cron_var_lib_t,file,getattr

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.1-200.fc19.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2013-11-11 11:34:32 UTC 
What does

# ls -dZ /var/lib/clamav-unofficial-sigs

# rpm -qf /var/lib/clamav-unofficial-sigs
Comment 2 mathieu 2014-01-10 22:07:23 UTC 
for me,

ls -dZ /var/lib/clamav-unofficial-sigs
drwxr-xr-x. clamupdate clamupdate system_u:object_r:var_lib_t:s0   /var/lib/clamav-unofficial-sigs


rpm -qf /var/lib/clamav-unofficial-sigs
clamav-unofficial-sigs-3.7.1-9.fc19.noarch
Comment 3 mathieu 2014-01-10 22:13:26 UTC 
have i make an error in configuration of clam scan ?
Comment 4 Miroslav Grepl 2014-01-20 10:46:33 UTC 
Please execute

# restorecon -R -v /var/lib/clamav-unofficial-sigs
Comment 5 Miroslav Grepl 2014-01-20 10:46:45 UTC 
*** Bug 1051695 has been marked as a duplicate of this bug. ***
Comment 6 mathieu 2014-01-20 12:31:44 UTC 
sudo restorecon -R -v /var/lib/clamav-unofficial-sigs

restorecon reset /var/lib/clamav-unofficial-sigs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware_links.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware_links.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/junk.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/spamimg.hdb.sig context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware.hdb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/jurlbl.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware.hdb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/phish.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/scam.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/phish.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/sanesecurity.ftm.sig context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/rogue.hdb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/junk.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/scam.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/spamimg.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/jurlbl.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/sanesecurity.ftm context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/rogue.hdb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/mbl-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/mbl-dbs/mbl.ndb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ham-test context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/last-mbl-update.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/previous-dbs.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/db-changes.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/current-dbs.txt context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/scan-test.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/ss-include-dbs.txt context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/last-si-update.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/purge.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/add-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfosh.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfo.hdb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfooffice.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/honeynet.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfobat.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfopdf.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/publickey.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/trustdb.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/secring.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/ss-keyring.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/ss-keyring.gpg~ context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
Comment 7 mathieu 2014-01-20 12:33:41 UTC 
sudo restorecon -R -v /var/lib/clamav-unofficial-sigs
[sudo] password for matbos: 
restorecon reset /var/lib/clamav-unofficial-sigs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware_links.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware_links.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/junk.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/spamimg.hdb.sig context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware.hdb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/jurlbl.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/winnow_malware.hdb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/phish.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/scam.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/phish.ndb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/sanesecurity.ftm.sig context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/rogue.hdb.sig context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/junk.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/scam.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/spamimg.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/jurlbl.ndb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/sanesecurity.ftm context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ss-dbs/rogue.hdb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/mbl-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/mbl-dbs/mbl.ndb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/ham-test context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/last-mbl-update.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/previous-dbs.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/db-changes.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/current-dbs.txt context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/scan-test.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/ss-include-dbs.txt context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/last-si-update.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/configs/purge.txt context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/add-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfosh.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfo.hdb context system_u:object_r:cron_var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfooffice.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/honeynet.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfobat.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfoelf.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/si-dbs/securiteinfopdf.hdb context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/publickey.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/trustdb.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/secring.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/ss-keyring.gpg context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0
restorecon reset /var/lib/clamav-unofficial-sigs/gpg-key/ss-keyring.gpg~ context system_u:object_r:var_lib_t:s0->system_u:object_r:antivirus_db_t:s0