Description of problem:
SELinux is preventing freshclam from 'getattr' accesses on the filesystem /sys/fs/cgroup.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that freshclam should be allowed getattr access on the cgroup filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'freshclam' --raw | audit2allow -M my-freshclam
# semodule -X 300 -i my-freshclam.pp
Additional Information:
Source Context system_u:system_r:antivirus_t:s0
Target Context system_u:object_r:cgroup_t:s0
Target Objects /sys/fs/cgroup [ filesystem ]
Source freshclam
Source Path freshclam
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.3-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 5.11.15-300.fc34.x86_64 #1 SMP Fri
Apr 16 13:41:48 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-04-28 08:30:01 EDT
Last Seen 2021-04-28 08:30:01 EDT
Local ID 91fa1c81-a074-4513-8ad2-34b7788cccc9
Raw Audit Messages
type=AVC msg=audit(1619613001.352:4492): avc: denied { getattr } for pid=1387 comm="freshclam" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
Hash: freshclam,antivirus_t,cgroup_t,filesystem,getattr
Version-Release number of selected component:
selinux-policy-targeted-34.3-1.fc34.noarch
Additional info:
component: selinux-policy
reporter: libreport-2.14.0
hashmarkername: setroubleshoot
kernel: 5.11.15-300.fc34.x86_64
type: libreport