Bug 1172774 - SELinux is preventing /usr/bin/freshclam from 'read' accesses on the file filesystems.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:9d8998744ae51064c5e191e4a2c...
Duplicates: 1178992
Reported: 2014-12-10 17:28 UTC by Raman Gupta
Modified: 2015-08-15 02:10 UTC

Fixed In Version: selinux-policy-3.13.1-105.20.fc21
Doc Type: Bug Fix
Last Closed: 2015-08-15 02:10:58 UTC
Type: ---


Description Raman Gupta 2014-12-10 17:28:39 UTC
Description of problem:
Occurred when running /etc/cron.d/clamav-update. The message from cron was:

ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
SELinux is preventing /usr/bin/freshclam from 'read' accesses on the file filesystems.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow antivirus programs to read non security files on a system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'antivirus_selinux' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that freshclam should be allowed read access on the filesystems file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep freshclam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                filesystems [ file ]
Source                        freshclam
Source Path                   /usr/bin/freshclam
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           clamav-update-0.98.5-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.3-300.fc21.x86_64 #1 SMP Fri
                              Nov 14 23:36:19 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-10 12:25:39 EST
Last Seen                     2014-12-10 12:25:39 EST
Local ID                      fd360987-ab8b-450b-9fb6-4f2fffc3bce0

Raw Audit Messages
type=AVC msg=audit(1418232339.148:156007): avc:  denied  { read } for  pid=21142 comm="freshclam" name="filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1418232339.148:156007): arch=x86_64 syscall=open success=no exit=EACCES a0=33303c37d8 a1=0 a2=1b6 a3=241 items=0 ppid=21141 pid=21142 auid=0 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 tty=(none) ses=5514 comm=freshclam exe=/usr/bin/freshclam subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)

Hash: freshclam,antivirus_t,proc_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.3-300.fc21.x86_64
type:           libreport

Comment 1 Raman Gupta 2014-12-18 23:42:28 UTC
Description of problem:
When freshclam is run by cron...

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 2 Daniel Walsh 2014-12-23 19:59:29 UTC
*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow antivirus programs to read non security files on a system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'antivirus_selinux' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1

Comment 3 Raman Gupta 2014-12-23 21:51:47 UTC
(In reply to Daniel Walsh from comment #2)
> *****  Plugin catchall_boolean (89.3 confidence) suggests  
> ******************
> 
> If you want to allow antivirus programs to read non security files on a
> system
> Then you must tell SELinux about this by enabling the
> 'antivirus_can_scan_system' boolean.
> You can read 'antivirus_selinux' man page for more details.
> Do
> setsebool -P antivirus_can_scan_system 1

I saw that but I don't think it applies here. Freshclam is trying to update the clamav database, not read non-security files. The message was:

ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied

Comment 4 Daniel Walsh 2015-01-02 12:30:38 UTC
Good point.

ddbef26504553cd0a5d6822989097fffa0dde55a allows this in git.

Comment 5 Miroslav Grepl 2015-01-06 10:55:35 UTC
*** Bug 1178992 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2015-01-27 16:49:14 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 7 Fedora Update System 2015-01-30 04:32:11 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2015-01-30 23:54:39 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Raman Gupta 2015-02-13 05:06:40 UTC
I have selinux-policy-3.13.1-105.fc21 installed, and still have this issue. Or more precisely, I still have an issue that was marked a duplicate of this one (bug #1178992).

Comment 10 Raman Gupta 2015-02-13 05:08:25 UTC
SELinux is preventing /usr/bin/freshclam from open access on the file /proc/filesystems.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow antivirus programs to read non security files on a system
Then you must tell SELinux about this by enabling the 'antivirus_can_scan_system' boolean.
You can read 'antivirus_selinux' man page for more details.
Do
setsebool -P antivirus_can_scan_system 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that freshclam should be allowed open access on the filesystems file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep freshclam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc/filesystems [ file ]
Source                        freshclam
Source Path                   /usr/bin/freshclam
Port                          <Unknown>
Host                          edison
Source RPM Packages           clamav-update-0.98.6-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     edison
Platform                      Linux edison 3.18.3-201.fc21.x86_64 #1 SMP Mon Jan
                              19 15:59:31 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-02-12 18:25:41 EST
Last Seen                     2015-02-12 18:25:41 EST
Local ID                      416ff9d7-3f30-4297-afef-92fd2241afb9

Raw Audit Messages
type=AVC msg=audit(1423783541.982:97280): avc:  denied  { open } for  pid=15995 comm="freshclam" path="/proc/filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1423783541.982:97280): arch=x86_64 syscall=open success=no exit=EACCES a0=7f526c240fd8 a1=0 a2=1b6 a3=240 items=0 ppid=15993 pid=15995 auid=0 uid=988 gid=980 euid=988 suid=988 fsuid=988 egid=980 sgid=980 fsgid=980 tty=(none) ses=3805 comm=freshclam exe=/usr/bin/freshclam subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)

Hash: freshclam,antivirus_t,proc_t,file,open
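
An added example, not part of the bug report or of setroubleshoot: this Python code parses the two AVC records quoted in the description and in comment 10, rebuilds the `Hash:` tuple shown under each, and merges them into one candidate allow rule for review. It shows that the two denials differ only in the permission (`read`, then `open`). The function names are hypothetical, and the rule it prints is not the policy change that shipped.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this bug (description and comment 10).
SAMPLE_AVC = [
    'type=AVC msg=audit(1418232339.148:156007): avc:  denied  { read } for  pid=21142 comm="freshclam" name="filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1423783541.982:97280): avc:  denied  { open } for  pid=15995 comm="freshclam" path="/proc/filesystems" dev="proc" ino=4026532041 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; only the type (third field) drives
    # type enforcement. The MLS level may itself contain colons.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def hash_key(rec):
    """Rebuild the 'Hash:' tuple: comm, source type, target type, class, perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"],
                     rec["tclass"], ",".join(rec["perms"])])

def candidate_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for line in SAMPLE_AVC:
        print(hash_key(parse_avc(line)))
    print(candidate_rules(SAMPLE_AVC))
```

Grouping by type triple rather than by alert makes it visible when a later alert is the same access path failing one permission further along, which is narrower to reason about than the `antivirus_can_scan_system` boolean suggested by the catchall_boolean plugin.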

Comment 11 Raman Gupta 2015-06-12 16:43:49 UTC
Still an issue...

Comment 12 Davide Repetto 2015-06-14 06:57:36 UTC
Confirmed, but I don't know if it's really a bug or more of a "miscommunication" on the part of freshclam.

The only line I found in the logs is this:
"giu 12 18:17:50 dave.idp.it freshclam[29596]: [LibClamAV] Bytecode: disabling JIT because SELinux is preventing 'execmem' access."

And this blockage seems to be intentional and intended to limit possible attacks to be carried through the clamav jit which allegedly uses an insecure approach.

Comment 13 Raman Gupta 2015-07-13 19:11:40 UTC
(In reply to Davide Repetto from comment #12)
> The only line I found in the logs is this:
> "giu 12 18:17:50 dave.idp.it freshclam[29596]: [LibClamAV] Bytecode:
> disabling JIT because SELinux is preventing 'execmem' access."

My logs contain a different, though similar, error message:

Jul 13 12:25:38 edison freshclam[13719]: [LibClamAV] Bytecode: disabling JIT because RWX mapping denied for unknown reason.Please report to http://bugs.clamav.net

Comment 14 Raman Gupta 2015-07-13 19:30:11 UTC
According to https://bugzilla.redhat.com/show_bug.cgi?id=573191 the JIT is disabled in Fedora/RHEL clamav for security reasons, so this SELinux denial is "correct".

However, in that case, I believe this bug should be assigned to clamav-update, since /etc/freshclam.conf downloads the bytecode for the JIT by default. In /etc/freshclam.conf:

# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes

Comment 15 Fedora Update System 2015-07-21 15:49:50 UTC
selinux-policy-3.13.1-105.20.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.20.fc21

Comment 16 Raman Gupta 2015-07-21 16:02:38 UTC
(In reply to Fedora Update System from comment #15)
> selinux-policy-3.13.1-105.20.fc21 has been submitted as an update for Fedora
> 21.
> https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.20.fc21

Eh? Can you explain what changes in the policy were made to "fix" this? I don't see any commits that reference this BZ:

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/log/?h=f21&qt=grep&q=1172774

Comment 17 Fedora Update System 2015-07-29 01:59:04 UTC
Package selinux-policy-3.13.1-105.20.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.20.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-12049/selinux-policy-3.13.1-105.20.fc21
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2015-08-15 02:10:58 UTC
selinux-policy-3.13.1-105.20.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
