Created attachment 1450355
Clamd config file

Description of problem:
With SELinux enabled clamdscan produces the following error

[ian@WM-ADVMSTECH-03 ~]$ clamdscan .
/home/ian/.: lstat() failed: Permission denied. ERROR

Version-Release number of selected component (if applicable):
This appears only to be a problem with server edition. The KDE spin does not exhibit the same problem

How reproducible:

Steps to Reproduce:
1. Install clamd and clamav
2. Run clamdscan .

Actual results:
[ian@WM-ADVMSTECH-03 ~]$ sudo setenforce 1
[ian@WM-ADVMSTECH-03 ~]$ clamdscan .
/home/ian/.: lstat() failed: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.001 sec (0 m 0 s)

Expected results:
[ian@WM-ADVMSTECH-03 ~]$ clamdscan .
/home/ian/.: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 24.393 sec (0 m 24 s)
[ian@WM-ADVMSTECH-03 ~]$

Additional info:
The expected results were obtained after the following command.

sudo setenforce 0

The following command

ausearch -m avc --start recent

gives

----
time->Tue Jun 12 09:28:52 2018
type=AVC msg=audit(1528792132.849:796): avc: denied { open } for pid=2598 comm="clamd" path="/home/ian/.ssh" dev="dm-0" ino=16807248 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
----
time->Tue Jun 12 09:28:52 2018
type=AVC msg=audit(1528792132.849:795): avc: denied { read } for pid=2598 comm="clamd" name=".ssh" dev="dm-0" ino=16807248 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1

This is not something we would want to allow by default. This basically allows a tool that is reading untrusted content to read valuable secrets in users' home directories. If you want to allow this then you need to create a custom policy and load it.

ausearch -m avc --start recent | audit2allow -M myantivirus
semodule -i myantivirus.pp
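
Before loading a module built from every recent denial, it helps to see which allow rules those denials translate into. The script below is an added example, not part of the bug thread: it parses AVC records like the two quoted above and marks rules whose target type is in SENSITIVE_TYPES, a set assumed here for illustration (only ssh_home_t comes from the report).

```python
import re
import sys
from collections import defaultdict

# Target types a reviewer may not want a scanner of untrusted content to read.
# ssh_home_t is from the report; the others are assumed additions, adjust per site.
SENSITIVE_TYPES = {"ssh_home_t", "gpg_secret_t", "shadow_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(lines):
    """Group denials into (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def flagged(rules):
    """Subset of rules whose target type is in SENSITIVE_TYPES."""
    return {k: v for k, v in rules.items() if k[1] in SENSITIVE_TYPES}

# The two AVC records quoted in the report above.
SAMPLE = [
    'type=AVC msg=audit(1528792132.849:796): avc: denied { open } for pid=2598 comm="clamd" path="/home/ian/.ssh" dev="dm-0" ino=16807248 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1528792132.849:795): avc: denied { read } for pid=2598 comm="clamd" name=".ssh" dev="dm-0" ino=16807248 scontext=system_u:system_r:antivirus_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1',
]

if __name__ == "__main__":
    # Read piped ausearch output if present, otherwise use the embedded sample.
    rules = summarize(SAMPLE if sys.stdin.isatty() else sys.stdin)
    review = flagged(rules)
    for key, perms in sorted(rules.items()):
        mark = "REVIEW" if key in review else "ok"
        src, tgt, cls = key
        print(f"[{mark}] allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

Run it with the output of `ausearch -m avc --start recent` piped in to review the real denials; the output lines approximate what audit2allow would emit and are for reading, not for loading as policy.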