Bug 1449616

Summary: Still references obsolete SELinux boolean - Run 'setsebool -P clamd_use_jit on'.
Product: [Fedora] Fedora EPEL Reporter: "Linux" Dan White <d_e_white>
Component: clamavAssignee: Robert Scheck <redhat-bugzilla>
Status: POST --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: epel7CC: bugzilla, fedoraproject, janfrode, orion, redhat-bugzilla, rhbugs, sergio, steve
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description "Linux" Dan White 2017-05-10 11:22:44 UTC 
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Install clamav-db-0.99.2-2.el6.x86_64 clamd-0.99.2-2.el6.x86_64 clamav-0.99.2-2.el6.x86_64
2. setsebool -P antivirus_can_scan_system 1
3. service clamd start

Actual results:
Starting Clam AntiVirus Daemon: LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
LibClamAV Warning: Bytecode: disabling JIT because SELinux is preventing 'execmem' access.
Run  'setsebool -P clamd_use_jit on'.


Expected results:
None of the above

Additional info:
According to https://bugzilla.redhat.com/show_bug.cgi?id=1295473
this should have been fixed
Comment 1 Jason Tibbitts 2017-05-10 22:55:57 UTC 
There's a patch included which was an attempt to change that message in the source, except that it doesn't do anything.  The code it changes wrapped in "#if 0/#endif".

The actual message comes from the builtin bytecode startup sequence, which is basically a precompiled string.  Fixing this properly would involve building the bytecode compiler, recompiling buildin_bc_startup to bytecode, and patching that in.  Personally I think that's a rather excessive and fragile amount of work to get one string changed and would honestly just close this WONTFIX but maybe someone wants to have a go.
Comment 2 Davide Repetto 2017-12-12 19:17:42 UTC 
FYI the same happens in clamav-0.99.2-13.fc27.x86_64
Comment 3 Sergio Basto 2018-01-08 02:17:32 UTC 
*** Bug 1523184 has been marked as a duplicate of this bug. ***
Comment 4 Sergio Basto 2018-07-26 01:13:11 UTC 
As reference in [0] we need run [1] to avoid [2] but as directory was already created I had to run also [3], conclusion "setsebool -P clamd_use_jit on" is correct but we also need "setsebool -P antivirus_can_scan_system on" 

[0]
https://blog.fsecurity.co.nz/linux-install-clamav-centos-7/

[1]
setsebool -P clamd_use_jit 1 
setsebool -P antivirus_can_scan_system 1 

[2]
system_u:system_r:antivirus_t:s0 49 sock_file create system_u:object_r:var_run_t:s0 denied 

[3]
restorecon -R -v  /var/run/clamd.scan
Comment 5 Sergio Basto 2018-07-26 02:21:29 UTC 
clamd_use_jit (in epel7) is an alias to antivirus_use_jit

but after [1] I don't see any SELinux refusal , so seems [2]  is enough . Maybe I should report upstream .

[1]
setsebool -P antivirus_use_jit 0

[2]
setsebool -P antivirus_can_scan_system 1
Comment 6 Fedora Update System 2018-10-06 17:04:36 UTC 
clamav-0.100.2-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-b6e8b488d2
Comment 7 Sergio Basto 2018-10-07 03:21:20 UTC 
Sorry my mistake when choosing the bugs fixed on clamav-0.100.2-2.el7 and clamav-0.100.2-2.el7 doesn't fix this bug .
Comment 8 Orion Poplawski 2019-08-07 14:56:41 UTC 
Filed upstream: https://bugzilla.clamav.net/show_bug.cgi?id=12372