Bug 2292383

Summary: clamav-freshclam.service OnErrorExecute and SELinux
Product: [Fedora] Fedora EPEL
Reporter: TomaszDrozdz <tomasz.drozdz.1>
Component: clamav
Assignee: Orion Poplawski <orion>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: epel9
CC: anon.amish, bennie.joubert, gk, j, lee.jnk, ondrejj, orion, pgnd, redhat-bugzilla, rh-bugzilla, steve
Hardware: Unspecified
OS: Linux
Type: Bug

Description TomaszDrozdz 2024-06-14 11:10:51 UTC
Hello all.


 > cat /etc/os-release 
...
PRETTY_NAME="Fedora Linux 39.20240610.0 (Silverblue)"
...


 > getenforce 
Enforcing


 > rpm -qa|grep clamav
clamav-lib-1.0.6-1.fc39.x86_64
clamav-filesystem-1.0.6-1.fc39.noarch
clamav-freshclam-1.0.6-1.fc39.x86_64
clamav-1.0.6-1.fc39.x86_64


I have configured

/etc/freshclam.conf with:
    DNSDatabaseInfo current.cvd.clamav.net.XXX
    DatabaseMirror database.clamav.net.XXX
    OnErrorExecute echo "$(/usr/bin/hostname) Freshclam updating viruses signatures database failed." > /tmp/err


But SELinux blocks OnErrorExecute:

 > sudo ausearch --context antivirus_t -m avc

shows entries like:

----
time->Thu Jun 13 20:26:32 2024
type=AVC msg=audit(1718303192.373:1558): avc:  denied  { execute } for  pid=20747 comm="sh" name="hostname" dev="dm-0" ino=671942 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
----
time->Thu Jun 13 20:24:46 2024
type=AVC msg=audit(1718303086.010:1519): avc:  denied  { map } for  pid=20568 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=671942 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
----
time->Thu Jun 13 20:16:02 2024
type=AVC msg=audit(1718302562.264:1328): avc:  denied  { execute_no_trans } for  pid=19633 comm="sh" path="/usr/bin/hostname" dev="dm-0" ino=671942 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0


====================

Is there some way to give some setting to clamav-freshclam.service that will make it work?
Maybe SELinuxContext=, or some other, but if so then how to set it?

Comment 1 Fedora Admin user for bugzilla script actions 2025-06-21 03:41:00 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.