Description of problem:
Occurred when running /etc/cron.d/clamav-update. The message from cron was:

ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied

SELinux is preventing /usr/bin/freshclam from 'read' accesses on the file filesystems.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow antivirus programs to read non security files on a system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'antivirus_selinux' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that freshclam should be allowed read access on the filesystems file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep freshclam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                filesystems [ file ]
Source                        freshclam
Source Path                   /usr/bin/freshclam
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           clamav-update-0.98.5-1.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.3-300.fc21.x86_64 #1 SMP Fri Nov 14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-10 12:25:39 EST
Last Seen                     2014-12-10 12:25:39 EST
Local ID                      fd360987-ab8b-450b-9fb6-4f2fffc3bce0

Raw Audit Messages
type=AVC msg=audit(1418232339.148:156007): avc: denied { read } for pid=21142 comm="freshclam" name="filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1418232339.148:156007): arch=x86_64 syscall=open success=no exit=EACCES a0=33303c37d8 a1=0 a2=1b6 a3=241 items=0 ppid=21141 pid=21142 auid=0 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 tty=(none) ses=5514 comm=freshclam exe=/usr/bin/freshclam subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)

Hash: freshclam,antivirus_t,proc_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport
Description of problem:
When freshclam is run by cron...

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport
***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow antivirus programs to read non security files on a system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'antivirus_selinux' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1
(In reply to Daniel Walsh from comment #2)
> ***** Plugin catchall_boolean (89.3 confidence) suggests
> ******************
>
> If you want to allow antivirus programs to read non security files on a
> system
> Then you must tell SELinux about this by enabling the
> 'antivirus_can_scan_system' boolean.
> You can read 'antivirus_selinux' man page for more details.
> Do
> setsebool -P antivirus_can_scan_system 1

I saw that but I don't think it applies here. Freshclam is trying to update the clamav database, not read non-security files. The message was:

ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
Good point. ddbef26504553cd0a5d6822989097fffa0dde55a allows this in git.
*** Bug 1178992 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
I have selinux-policy-3.13.1-105.fc21 installed, and still have this issue. Or more precisely, I still have an issue that was marked a duplicate of this one (bug #1178992).
SELinux is preventing /usr/bin/freshclam from open access on the file /proc/filesystems.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow antivirus programs to read non security files on a system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'antivirus_selinux' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that freshclam should be allowed open access on the filesystems file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep freshclam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc/filesystems [ file ]
Source                        freshclam
Source Path                   /usr/bin/freshclam
Port                          <Unknown>
Host                          edison
Source RPM Packages           clamav-update-0.98.6-1.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edison
Platform                      Linux edison 3.18.3-201.fc21.x86_64 #1 SMP Mon Jan 19 15:59:31 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-12 18:25:41 EST
Last Seen                     2015-02-12 18:25:41 EST
Local ID                      416ff9d7-3f30-4297-afef-92fd2241afb9

Raw Audit Messages
type=AVC msg=audit(1423783541.982:97280): avc: denied { open } for pid=15995 comm="freshclam" path="/proc/filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1423783541.982:97280): arch=x86_64 syscall=open success=no exit=EACCES a0=7f526c240fd8 a1=0 a2=1b6 a3=240 items=0 ppid=15993 pid=15995 auid=0 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 tty=(none) ses=3805 comm=freshclam exe=/usr/bin/freshclam subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)

Hash: freshclam,antivirus_t,proc_t,file,open
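The two raw AVC records quoted in this report (the 'read' denial in comment #1 and the 'open' denial above) are the actual evidence of what freshclam was refused; the setroubleshoot boolean suggestion is a much broader grant than either record needs. The following is an added example, not part of this bug report or of setroubleshoot/audit2allow: a small parser that extracts the source type, target type, object class and permissions from AVC lines, reproduces the comma-separated tuple the report prints as "Hash:", and merges denials per (source, target, class) into allow rules in the form audit2allow prints, so the reader can see exactly how narrow a local module would be. The function and regex names are the example's own; the sample log text is copied from the two records on this page and includes the SYSCALL record to show it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL records quoted in this bug report,
# one record per line as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1418232339.148:156007): avc: denied { read } for pid=21142 comm="freshclam" name="filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1418232339.148:156007): arch=x86_64 syscall=open success=no exit=EACCES a0=33303c37d8 a1=0 a2=1b6 a3=241 items=0 ppid=21141 pid=21142 auid=0 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 tty=(none) ses=5514 comm=freshclam exe=/usr/bin/freshclam subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1423783541.982:97280): avc: denied { open } for pid=15995 comm="freshclam" path="/proc/filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
"""

# "avc: denied { read open } for key=value ..." - perms sit inside the braces,
# everything after "for" is a run of key=value pairs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value where value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # contexts look like user:role:type:range; the type is the third field
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
        # setroubleshoot shows "name" in the first report and "path" in the second
        'object': fields.get('path') or fields.get('name'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
    }


def setroubleshoot_hash(rec):
    """The comm,source_type,target_type,tclass,perm tuple shown as 'Hash:' above."""
    return ','.join([rec['comm'], rec['source_type'],
                     rec['target_type'], rec['tclass'], rec['perms'][0]])


def summarise_denials(log_text):
    """Merge every denied AVC record by (source type, target type, class)
    and emit one allow rule per key, in the form audit2allow prints."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        merged[key].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
            for (s, t, c), perms in sorted(merged.items())]


if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec:
            print(setroubleshoot_hash(rec), '->', rec['object'])
    print('\n'.join(summarise_denials(SAMPLE_AUDIT_LOG)))
```

For the two records on this page the merged result is a single rule on antivirus_t reading and opening proc_t files, which is what the git commit referenced in comment #4 grants in policy; compare that with antivirus_can_scan_system, which the catchall_boolean plugin proposed and which lets the domain read far more than /proc/filesystems.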
Still an issue...
Confirmed, but I don't know if it's really a bug or more of a "miscommunication" on the part of freshclam. The only line I found in the logs is this:

"giu 12 18:17:50 dave.idp.it freshclam[29596]: [LibClamAV] Bytecode: disabling JIT because SELinux is preventing 'execmem' access."

And this blockage seems to be intentional and intended to limit possible attacks to be carried through the clamav jit which allegedly uses an insecure approach.
(In reply to Davide Repetto from comment #12)
> The only line I found in the logs is this:
> "giu 12 18:17:50 dave.idp.it freshclam[29596]: [LibClamAV] Bytecode:
> disabling JIT because SELinux is preventing 'execmem' access."

My logs contain a different, though similar, error message:

Jul 13 12:25:38 edison freshclam[13719]: [LibClamAV] Bytecode: disabling JIT because RWX mapping denied for unknown reason.Please report to http://bugs.clamav.net
According to https://bugzilla.redhat.com/show_bug.cgi?id=573191 the JIT is disabled in Fedora/RHEL clamav for security reasons, so this SELinux denial is "correct". However, in that case, I believe this bug should be assigned to clamav-update, since /etc/freshclam.conf downloads the bytecode for the JIT by default.

In /etc/freshclam.conf:
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes
selinux-policy-3.13.1-105.20.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.20.fc21
(In reply to Fedora Update System from comment #15)
> selinux-policy-3.13.1-105.20.fc21 has been submitted as an update for Fedora
> 21.
> https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.20.fc21

Eh? Can you explain what changes in the policy were made to "fix" this? I don't see any commits that reference this BZ:

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/log/?h=f21&qt=grep&q=1172774
Package selinux-policy-3.13.1-105.20.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.20.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-12049/selinux-policy-3.13.1-105.20.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.20.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.