| Summary: | trying to reopen old bug 566090 |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | clamav |
| Version: | 16 |
| Status: | CLOSED NOTABUG |
| Severity: | low |
| Priority: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Reporter: | Paul <pnewell0705> |
| Assignee: | Enrico Scholz <rh-bugzilla> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | nb, ondrejj, redhat-bugzilla, rh-bugzilla, steve |
| Doc Type: | Bug Fix |
| Last Closed: | 2012-01-23 15:58:14 UTC |
Description
Paul
2012-01-20 06:22:42 UTC

> I cannot reproduce it and cannot say anything about it without more information (e.g. file modes and ownership of logfile, uids/gids of related users, SELinux acls, perhaps an strace log)

Enrico: No problem, I was waiting on sending this until I knew there was an open channel, as I have no idea how to reopen a bug and didn't know if it would get read once closed.

Two machines:

```
yoyo (F14):
  kernel: 2.6.35.14-106.fc14.x86_64
  clamav: 0.97.3-1400.fc14

chalupa (F16):
  kernel: 3.1.9-1.fc16.i686
  clamav: 0.97.3-1600.fc16
```

Chalupa is a fresh install of F16, not an upgrade from a prior release.

I modified the freshclam script (which looks like it is yours?) to send an email with extra information. Hopefully it catches what you need to know. To make sure there wasn't an issue of actually updating involved, I ran freshclam on both machines to make sure that further executions would just "report that things are up-to-date", so the issue could stay focused on appending to the log file.

My version of your script is executed by a cron job and I waited for it to happen. I will be attaching the full output from both yoyo (good) and chalupa (bad). I then ran the scripts manually as root and got no appending/permission problems. The only difference is id's context isn't cron. So it looks like it is only when being executed as a cron job that the problem occurs.

One interesting note is that it takes 6-8 times longer to run on chalupa/F16 than it does on yoyo/F14. They were about the same speed when both were F14.

The differences in the output probably show what the problem is (I hope). First, root belongs to a whole bunch of groups on F14 and only itself on F16. Second, the protections on clam-update.log are a bit more open on F16 as I wanted to see if I could catch it as a group issue.

If the issue is root's membership in various groups, then I will need a bit of guidance on what to do. (I have been following Fedora's user lists regarding all the apparent things one has to do with F16 systemd that used to be "given" by F14's service, and therefore am prepared to believe that I might have to do things I didn't used to have to do, though I am still trying to understand what is really being said by that thread.)

Please let me know if there is anything more that I can give you to help determine if this is an issue or my pilot error.

Thanks,
Paul

Paul
Created attachment 556736 [details]
yoyo (F14)

This shows a happy execution ... the item to note is the output of "id" (or at least that is what I think is the item of note).

Paul
Created attachment 556737 [details]
chalupa (F16)

This shows an unhappy execution ... the item to note is the output of "id" (or at least that is what I think is the item of note).

Enrico Scholz
are there selinux avcs?

Paul
Enrico: First, I wanted to note that I "thought" Bug 720223 had been fixed (or magically disappeared) as I wasn't seeing any SELinux pop-ups about "wanting to see warnings in SELinux Alert Browser" when doing a clamscan. I've discovered that this is incorrect; the issue was that the warnings happened but there was no pop-up. I asked that the bug be reopened and I've got to figure out what I need to do to get that pop-up in F16 Xfce. Actually, when I explicitly open SELinux Troubleshooter, it seems to indicate there are no warnings. I've got some debugging / understanding to do here which isn't related to clamav ...

As for your request, to be double-sure I am getting correct info, as root I edited in a marker tag in both machines' /var/log/audit/audit.log and then did a "tail -f /var/log/audit/audit.log". I am seeing no avc: denied during the cron's execution of freshclam on both machines.

I have a cron job handling clamscan and it doesn't produce any log messages. Where I do see warnings is when clamscan is called by rc.local (Bug 720223), on both F14 and F16. I am also seeing what appears to be a warning when freshclam is called by rc.local. But I think they are different warnings (?). So there is some other issue not involving cron that I need to figure out what I am seeing and get info to you. For what it is worth, the freshclam in rc.local behaves just like cron (yoyo/F14 can append to /var/log/clam-update.log and chalupa/F16 cannot, with the same "permissions" error).

I wanted to get this to you now as I can assert that, in the cron job situation, there appear to be no SELinux avcs for F14 or F16.

Thanks,
Paul

Paul
I found that the avc: denied messages were different between F14 and F16 when freshclam is called from rc.local, so I cut-and-pasted the sections out to give to you. The one for chalupa (F16) clearly shows a problem with clam-update.log, and there is no reference to clam-update.log anywhere in yoyo's (F14) /var/log/audit/audit.log.

I am spotting one other reference to freshclam in the F16 log that I am trying to track who is calling it. It doesn't look like the cron.d as it is only one occurrence rather than one every time the cron job is called. Guess I'll be doing more debug statements ...

Hope this helps,
Paul
yoyo (F14) -- call to freshclam inside rc.local:

```
type=AVC msg=audit(1327266820.871:152): avc: denied { getattr } for pid=2398 comm="clamscan" path="/usr/bin/freshclam" dev=dm-0 ino=2501033 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:freshclam_exec_t:s0 tclass=file
type=AVC msg=audit(1327266820.871:153): avc: denied { read } for pid=2398 comm="clamscan" name="freshclam" dev=dm-0 ino=2501033 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:freshclam_exec_t:s0 tclass=file
type=AVC msg=audit(1327266820.871:153): avc: denied { open } for pid=2398 comm="clamscan" name="freshclam" dev=dm-0 ino=2501033 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:freshclam_exec_t:s0 tclass=file
```

chalupa (F16) -- call to freshclam inside rc.local:

```
type=AVC msg=audit(1327266692.927:35): avc: denied { open } for pid=927 comm="freshclam" name="clam-update.log" dev=dm-1 ino=394523 scontext=system_u:system_r:freshclam_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1327266692.927:35): arch=40000003 syscall=5 success=no exit=-13 a0=824d578 a1=441 a2=1b6 a3=0 items=0 ppid=922 pid=927 auid=4294967295 uid=992 gid=986 euid=992 suid=992 fsuid=992 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0 key=(null)
```
Paul
Two more things. I think I figured out that the "extra call to freshclam" in /var/log/audit/audit.log is part of the bit enclosed above, right before it gives up and sends me the email saying it couldn't do it. Remember I said that it takes a lot longer on F16.

I also was able to confirm today that when there is an update available, the cron job will not do the update. I can only get the update if I run freshclam directly. Do you need me to sort out any debug info on this to give to you?

Paul

Enrico Scholz
> type=AVC msg=audit(1327266692.927:35): avc: denied { open } for pid=927 comm="freshclam" name="clam-update.log" dev=dm-1 ino=394523 scontext=system_u:system_r:freshclam_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

When using other file names than the preconfigured ones (clam-update.log vs. freshclam.log), you have to adjust your local SELinux policy.

Paul
Thanks for the reply. I did as suggested and used the existing /var/log/freshclam.log and got the same failures. I tried using the default root::clamupdate with 664. I tried using what worked on F14 for my clam-update.log (clamupdate::root with 600 ... and 664).

I would like to reopen this bug as your suggestion seems not to resolve the problem. I'd also like you to tell me what uid::gid and permissions you want /var/log/freshclam.log to have. I will then capture info from the script that calls it and cut-and-paste the SELinux avcs from /var/log/audit/audit.log. I want to make sure I have things the way you would expect them before confirming that the problem is still there and giving you useful info.

Thanks in advance,
Paul

Enrico Scholz
Try /sbin/restorecon /var/log/freshclam.log which will be done by https://admin.fedoraproject.org/updates/clamav-0.97.3-1601.fc16 for new installations.

Paul
That seems to do the trick. I am seeing no errors about appending to the log when running freshclam through rc.local or cronjob.

My thanks to you for your help (and patience!)

Paul
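The chalupa AVC/SYSCALL pair is the evidence that settled this thread: the denial is between the freshclam_t domain and a file labelled var_log_t, which no chmod or chown can fix. The helper below is an added example (not from the report or from clamav) that parses such records, pairs an AVC with its SYSCALL by audit serial, and decodes the errno and open(2) flags so the denial can be read as a labelling problem. The sample records are copied from the report; the open-flag bit values are the Linux/x86 ones.

```python
import re

# Constructed sample: the two chalupa (F16) records quoted in the report.
# The AVC and its SYSCALL record share audit serial 35.
SAMPLE = """\
type=AVC msg=audit(1327266692.927:35): avc: denied { open } for pid=927 comm="freshclam" name="clam-update.log" dev=dm-1 ino=394523 scontext=system_u:system_r:freshclam_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1327266692.927:35): arch=40000003 syscall=5 success=no exit=-13 a0=824d578 a1=441 a2=1b6 a3=0 items=0 ppid=922 pid=927 auid=4294967295 uid=992 gid=986 euid=992 suid=992 fsuid=992 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'denied\s*\{([^}]*)\}')
# open(2) flag bits on Linux/x86; a1 in the SYSCALL record is the flags argument
OPEN_FLAGS = (('O_WRONLY', 0x1), ('O_CREAT', 0x40), ('O_APPEND', 0x400))

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus serial and perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['serial'] = SERIAL_RE.search(line).group(2)
    perms = PERM_RE.search(line)
    rec['perms'] = perms.group(1).split() if perms else []
    return rec

def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def correlate(text):
    """Group records by audit serial so each AVC can be read with its SYSCALL."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec['serial'], {})[rec['type']] = rec
    return events

def describe(event):
    """Summarise a denial: source domain, target label, perms, errno, open flags, uid."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    flags = int(sc.get('a1', '0'), 16)
    return {
        'domain': selinux_type(avc['scontext']),        # freshclam_t
        'target_type': selinux_type(avc['tcontext']),   # var_log_t: generic log label
        'perms': avc['perms'],
        'name': avc.get('name'),
        'errno': int(sc.get('exit', '0')),               # -13 is EACCES
        'open_flags': [n for n, bit in OPEN_FLAGS if flags & bit],  # the append open
        'uid': sc.get('uid'),
    }
```

A summary whose target_type is the generic var_log_t while the domain is a confined daemon type points at a mislabelled file, which is exactly what restorecon corrects.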