Bug 799781 - SELinux having problems during clamscan
SELinux having problems during clamscan
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
16
i686 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-04 20:59 EST by Paul
Modified: 2012-07-09 16:35 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-27 23:25:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
copy of /var/log/messages (160.09 KB, application/octet-stream)
2012-03-04 21:08 EST, Paul
no flags Details
cut-and-paste of the 8 SELinux alert detalks (19.27 KB, text/plain)
2012-03-04 21:09 EST, Paul
no flags Details
script that rc.local calls to do a clamscan (as requested) (7.45 KB, application/octet-stream)
2012-03-08 00:40 EST, Paul
no flags Details
the top half of the SEliunx Alert (107.61 KB, image/png)
2012-07-02 05:02 EDT, Paul
no flags Details
the bottom half of the SElinux Alert (96.84 KB, image/png)
2012-07-02 05:03 EDT, Paul
no flags Details
summary list of all 4 alerts from 05jul12 (25.28 KB, image/png)
2012-07-05 20:02 EDT, Paul
no flags Details
details of alert 1 (102.46 KB, image/png)
2012-07-05 20:02 EDT, Paul
no flags Details
details of alert 2 (102.07 KB, image/png)
2012-07-05 20:03 EDT, Paul
no flags Details
details of alert 3 (102.22 KB, image/png)
2012-07-05 20:03 EDT, Paul
no flags Details
details of alert 4 (102.12 KB, image/png)
2012-07-05 20:04 EDT, Paul
no flags Details

  None (edit)
Description Paul 2012-03-04 20:59:00 EST
Description of problem:
In various bugs to Fedora, I'd noted that running a clamscan via rc.local generated lots of warnings in SELinux. At some point while mentioning this on the user list, Dan Walsh responded about trying "setsebool -P clamscan_read_user_content 1" which seemed to work.

Today when I powered up, I got 8 warnings and tried to understand them through the alerts and /var/log/messages. One caught my eye as it was "nocomment.html" which sure sounded unfamiliar. A bit of a search showed that a good number of the alerts were coming from /tmp of files owned by root ... including nocmment.html which appeared to be in a clamscan created directory.

I was unable to figure much more out.

I did a yum update and a reboot and saw the same errors (actually more).

I think this may have been going on for awhile as SELinux seems to only display an alert icon if I have logged in and have an active session when the clamscan (hence alerts) happens. If I power up and log in after its happened, the alert isn't there and I only can see that it happened by pulling up SELinux troubleshooter.

Once this bug is submitted, I will attach a copy of /var/log/message and a cut-and-paste of the contents of the details of the eight alerts.


Version-Release number of selected component (if applicable):
F16 under Xfce (uname -a gives 3.2.7-1.fc16.i686.PAW
selinux-policy 3.10.9-75.fc16
clamav 0.97.3-1600.fc16

How reproducible:
Looking like every time I power up / reboot and rc.local fires off a clamscan

Steps to Reproduce:
1. see description
2.
3.
  
Actual results:
SELinux alerts about actions during the clamscan, especially root owned material in tmp


Expected results:
No SELinux alerts related to the act of clamscaning (of course, there is probably a case where there would be a legit alert but I am not aware of it)


Additional info:

Please let me know if there is anything else I can provide.

I put this under SELinux and not clamav as it seemed that prior fixes/suggestions I have gotten on these issues have come from the SELinux pov

Thanks,
Paul
Comment 1 Paul 2012-03-04 21:08:25 EST
Created attachment 567444 [details]
copy of /var/log/messages
Comment 2 Paul 2012-03-04 21:09:20 EST
Created attachment 567445 [details]
cut-and-paste of the 8 SELinux alert detalks
Comment 3 Miroslav Grepl 2012-03-05 06:43:53 EST
You are scanning /tmp directory. The problem is you can scan whatever you want (I mean a location). But I don't see an init script/systemd unit file by default. Basically I would say this is more a local modification.
Comment 4 Paul 2012-03-05 18:25:54 EST
Miroslav:

Thanks for the prompt reply.

I apologize for not making myself clear. I am aware that I am requesting that /tmp be scanned, the issue is that SELinux is barking on root material. It doesn't seem to be doing it for user material.

Not certain what you mean by init script/systemd unit file. I'm running F16 on Xfce pretty much "as is". The only local modification I am aware of is the setsebool that Dan suggested. Is there something I am missing? (I've seen enough posts about systemd and "things that the user has to do that used to be done for them" (???) that I could believe the default install misses something).

Another way to put it is that I don't know enough to even consider anything but trivial changes and only to my user account ... certainly not root / the system.

Paul
Comment 5 Miroslav Grepl 2012-03-07 02:24:45 EST
SELinux cares only about SELinux contexts.

Ok, how do you start clamscan?
Comment 6 Paul 2012-03-08 00:40:06 EST
Miroslav:

Sorry for the delay in getting back. In my rc.local, I first call freshclam and then go to a custom script for doing the virus-scan. It notes that it is being called by rc.local and throws a delay to make sure freshclam has done its thing. If from rc.local, I drop setenforce to 0 for the duration of the scan to make sure SElinux doesn't have do anything if there are any issues.

The script also makes sure that no other requests happen until the machine has been up for awhile to prevent collision. There is a post-process to filter out any dupes that have been quarentined which you can ignore as the problems are only during the actual clamscan

The script looks ugly but most of it is a combination of debug versions and the ability that all actions send out an email to my home account.

I will not be offended if you go "ick" ... I've not been prepared to get rid of debug stuff until I can see that everything is behaving and I've been having issues since F14 when I first tried clamav (most resolved by now, many with clamav and SElinux help on Bugzilla and the user-lists).

If it is too confusing, let me know and I prep up a stripped down version.

I will attach after I send this post.

To help, this is what the email I get says when it runs the virus-scan from rc.local:
+++
Starting time: Wed Mar 7 21:32:35 PST 2012
 
Directories to scan: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /home /tmp
Directories to exclude: --exclude-dir=/tmp/autodesk --exclude-dir=/usr/autodesk --exclude-dir=/home/paul/Desktop/Baretta/BarettaBetaDocs
 
ClamAV 0.97.3/14610/Wed Mar  7 16:18:47 2012

----------- SCAN SUMMARY -----------
Known viruses: 1155880
Engine version: 0.97.3
Scanned directories: 1998
Scanned files: 33696
Infected files: 0
Data scanned: 834.39 MB
Data read: 2032.86 MB (ratio 0.41:1)
Time: 330.406 sec (5 m 30 s)
=====
running duplicate check
/var/quarantine_clamscan /
/
=====
 
Ending Time: Wed Mar 7 21:38:06 PST 2012

+++

Let me know if I can provide anything else,
Thanks,
Paul
Comment 7 Paul 2012-03-08 00:40:51 EST
Created attachment 568501 [details]
script that rc.local calls to do a clamscan (as requested)
Comment 8 Paul 2012-04-02 01:22:22 EDT
Miroslav:

You asked me how I start clamscan back on the 7th of March and I replied (giving as much info as I could) on the 8th. I have noticed that I haven't heard back and we've just crossed into April.

Can you let me know where this stands?

Thanks,
Paul
Comment 9 Miroslav Grepl 2012-04-04 07:05:29 EDT
I missed this one, I apologize. Will work on this issue again asap.
Comment 10 Paul 2012-04-19 03:10:40 EDT
Miroslav:

Hate to be a bother, but I am assuming I should hear something from you based on your last entry on this bug (?)

Thanks for understanding the ping,
Paul
Comment 11 Miroslav Grepl 2012-04-20 03:42:25 EDT
The problem is you end up with clamscan_t because of your custom rc.local script. If you run this script directly, it will work.

I think we will need to change a way how we confine these scanners. Because they could read random files on a system.

Could you just try to change label to bin_t for clamscan binary

chcon -t bin_t `which clamscan`
Comment 12 Paul 2012-04-20 04:30:42 EDT
Miroslav:

Thanks for the reply.

Its late in my time zone, so let me try your chcon suggestion tomorrow. That being said, I would appreciate your understanding if, after checking out the man page for chcon, I am not certain what you are looking for (as in this is all Greek to me (smile))

Thanks,
Paul
Comment 13 Paul 2012-04-22 02:00:14 EDT
Miroslav:

My apologies for the delay. I am on the Maya beta program and the license blows up in 5 days, so I am hard-pressed to do any other computer stuff until I get through that.

That being said, I re-read the man pages (twice!) and think I understand what you are asking for.

As soon as a window shows up, I will do as you suggest.

Thanks for understanding,
Paul
Comment 14 Miroslav Grepl 2012-04-22 14:52:12 EDT
Ok.
Comment 15 Paul 2012-04-26 21:57:41 EDT
Miroslav:

Thanks for giving me the time to get anything Maya related done before the beta license ended.

I'm now back to working with F16 and was able to test your suggestion.

I did a "yum update" so I was current as of @4:00pm my time (that would be midnight GMT). I ran "ls -Z" and verified that the type is currently "clamscan_exec_t". I verified that I was still getting the SElinux alerts. I made the "chcon -t bin_t /usr/bin/clamscan" and verified with "ls -Z" that it is now "bin_t".

Restarted and the SElinux alerts go away (hooray!).

I do not know if this a test so that you can get "clamscan_exec_t" working or a proposed fix. I did some digging to find out that if I want this to be permanent, I need to do "/usr/sbin/semanage fcontext -a -t bin_t /usr/bin/clamscan". I'm not going to do that until I hear back about how you would like to proceed and if there are anymore tests you'd like me to run

Once again, thanks for bearing with the delay and I hope my results are what you were hoping that I'd report

Paul
Comment 16 Miroslav Grepl 2012-04-27 05:15:18 EDT
Great. But I came up with a new solution. I am going to add a new boolean

tunable_policy(`clamscan_can_scan_system`)
        files_read_non_security_files(clamscan_t)
')

which I would like to apply for scanners and add

$scanner_can_scan_system

booleans.
Comment 17 Paul 2012-04-27 16:16:46 EDT
Miroslav:

Thanks for the reply.

If I understand correctly, this means that when your fix in pushed out to the release version(s), there will be a "setsebool -P scanner_can_scan_system 1" command available? If not, can you correct my thinking?

For the time being, I can use your "chcon -t bin_t /usr/bin/clamscan" to get rid of the alerts.

I'll assume that I'll get notice of when the fix is out via email on this bug. I am hoping this will be for both F17 and F16.

Paul
Comment 18 Miroslav Grepl 2012-05-02 06:21:39 EDT
Yes.

commit f12d1aef1af4282d180eac7acebd77201692c116
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed May 2 12:19:49 2012 +0000

    Add clamscan_can_scan_system boolean


Fixed in selinux-policy-3.10.0-88.fc16
Comment 19 Paul 2012-05-02 14:03:10 EDT
Miroslav:

Thanks for confirm. I have one more machine to convert to F16 (now that I don't need it on F14 for Maya). I'll do it middle to end of month once I see selinux-policy-3.10.0-88.fc16 show up on my other F16 boxes so I can verify on a system before I've modified it too much.

Paul
Comment 20 Fedora Update System 2012-06-15 06:29:02 EDT
selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16
Comment 21 Fedora Update System 2012-06-15 19:51:15 EDT
Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).
Comment 22 Paul 2012-06-15 21:25:27 EDT
Thanks for the update and news about it. I have three questions before I can do this.

I've never used the testing repository and, though your instructions make it pretty clear and easy about how to install the patch, can you point me to a link telling me how to get rid of it afterwards so I am back on "released only code".

The second question regards how to test it. I used Miroslav's suggestion of chcon -t bin_t `which clamscan` to get myself working. To test this, I need to undo that change to bring the system back to default, correct? What did clamscan's label start out as? (I can't find anything about what it was it my notes, just Miroslav's bin_t).

My assumption is I need to undo the chcon command, test to verify I am still seeing the error, yum update your test release, test to see if it fixes the error, and then get rid of the test update in anticipation of the real release. Is my thinking correct or am I being to simple or making things too complex?

Thanks,
Paul
Comment 23 Fedora Update System 2012-06-27 23:25:24 EDT
selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Paul 2012-06-30 23:21:00 EDT
Thank you for fixing and releasing this.

Sorry I was unable to test as I am worse than a newbie when it comes to test patches.

If you can tell me what to reset clamscan to (chcon -t ? `which clamscan`) to get back to factory-default setting for F16 (which shows the bug), I'll be glad to test in the release version

Paul
Comment 25 Miroslav Grepl 2012-07-02 03:00:11 EDT
What does

# ls -Z `which clamscan`
Comment 26 Paul 2012-07-02 03:30:46 EDT
Miroslav:

Thanks for the reply ... here's what I am getting based on the original suggested workaround
+++
[paul@yoyo ~]$ ls -Z `which clamscan`
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/clamscan
[paul@yoyo ~]
+++

yum -list selinuc-policy yields:
+++
3.10.0-89.fc16
+++

Paul
Comment 27 Miroslav Grepl 2012-07-02 04:17:58 EDT
Ok.

the restorecon tool is used to fix labeling. So just execute

# restorecon -R -v /usr/bin/clamscan
Comment 28 Paul 2012-07-02 05:02:04 EDT
Miroslav:

Thanks for the "how-to-do"

Ran the command, got
+++
[root@yoyo ~]# restorecon -R -v /usr/bin/clamscan
restorecon reset /usr/bin/clamscan context system_u:object_r:bin_t:s0->system_u:object_r:clamscan_exec_t:s0
[root@yoyo ~]#
+++

rebooted system, waited awhile to see what happened, pulled up SELinux Alert Browser and found one "problem" (see attachments forthcoming once I submit this comment).

This looks to me like I haven't done something right in my testing or (and I hope not) there is still a problem

Paul
Comment 29 Paul 2012-07-02 05:02:53 EDT
Created attachment 595679 [details]
the top half of the SEliunx Alert
Comment 30 Paul 2012-07-02 05:03:33 EDT
Created attachment 595680 [details]
the bottom half of the SElinux Alert
Comment 31 Paul 2012-07-02 05:12:21 EDT
Miroslav:

Looking closer, there are 21 alerts which pretty much matches my prior results before I applied the chcon workaround.

Paul
Comment 32 Miroslav Grepl 2012-07-02 06:22:18 EDT
Execute

# setsebool -P clamscan_can_scan_system 1
Comment 33 Paul 2012-07-05 20:01:19 EDT
Miroslav:

I apologize for the delay in getting back to you ... family decided to take priority over computer (smile)

So I did the setsebool -P clamscan_can_scan_system 1, did a power-down, waited long enough that I knew I wouldn't get any confusion from one power cycle to another (in regards to date), powered the machine up, and let it do its thing.

After about an hour, there were only 4 alerts (better than 21!). I am going to attach snaps showing the warnings.

By the way, is there a way I can get selinux to email the alerts to me so I would get a nice "text" version on each on a different machine than the one I am testing on?

I don't know if there warnings are to be expected or if I have something wrong in my settings ... and whether there is enough here to reopen this bug (or, if you prefer, open a new bug).

Let me know what I can do to help,
Paul
Comment 34 Paul 2012-07-05 20:02:32 EDT
Created attachment 596535 [details]
summary list of all 4 alerts from 05jul12
Comment 35 Paul 2012-07-05 20:02:59 EDT
Created attachment 596536 [details]
details of alert 1
Comment 36 Paul 2012-07-05 20:03:21 EDT
Created attachment 596537 [details]
details of alert 2
Comment 37 Paul 2012-07-05 20:03:39 EDT
Created attachment 596538 [details]
details of alert 3
Comment 38 Paul 2012-07-05 20:04:00 EDT
Created attachment 596539 [details]
details of alert 4
Comment 39 Miroslav Grepl 2012-07-09 02:29:31 EDT
I added fixes.
Comment 40 Paul 2012-07-09 16:35:57 EDT
Miroslav:

Thanks. I am presuming I just need to wait until I see a new selinux-policy being pushed into f16 release branch and then I will test again.

Paul

Note You need to log in before you can comment on or make changes to this bug.