[clamav-users] Problem with clamdscan and SELinux
Hi all,

I've been having trouble with using clamdscan to scan my entire system (
'clamdscan --multiscan --fdpass /' ) when SELinux is in Enforcing mode due
to files of certain SELinux context types.

Environment:
- CentOS 7 with the following packages from the yum repo:

clamav-lib-0.103.2-1.el7.x86_64
clamav-data-0.103.2-1.el7.noarch
clamd-0.103.2-1.el7.x86_64
clamav-filesystem-0.103.2-1.el7.noarch
clamav-0.103.2-1.el7.x86_64
clamav-update-0.103.2-1.el7.x86_64

- Oracle Enterprise Linux 8 with the following packages from the yum repo:

clamav-lib-0.103.2-1.el8.x86_64
clamav-data-0.103.2-1.el8.noarch
clamd-0.103.2-1.el8.x86_64
clamav-filesystem-0.103.2-1.el8.noarch
clamav-0.103.2-1.el8.x86_64
clamav-update-0.103.2-1.el8.x86_64

- clamd runs as the clamscan user, but the same problem exists even if I run
clamd as root


1. My /etc/clamd.d/scan.conf:

# egrep -v "^#|^$" /etc/clamd.d/scan.conf
LogSyslog yes
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketMode 660
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
User clamscan



2. SELinux is in Enforcing mode, and I've got the SELinux booleans set
appropriately to allow ClamAV to scan the system:

# getenforce
Enforcing

# getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> on



3. When I run a full system scan, it finishes way too fast and doesn't
catch the EICAR file that I know is on the system:

# clamdscan --multiscan --fdpass / 2>/dev/null
/dev: Excluded
/proc: Excluded
/sys: Excluded
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 30
Time: 6.298 sec (0 m 6 s)
Start Date: 2021:06:14 18:02:09
End Date: 2021:06:14 18:02:16



4. This is what /var/log/messages showed after the scan:

Jun 14 18:02:10 centos7-server clamd[2972]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 18:02:10 centos7-server clamd[2972]: Error condition on fd 10



5. I was able to narrow down which files & directories clamdscan was having
trouble with, so I reran the scan on just those:

# clamdscan --multiscan --fdpass /var/log/audit /etc/*shadow*
/etc/security/opasswd /etc/selinux/ /etc/audit/
/var/log/audit/audit.log.4: no reply from clamd
/etc/gshadow: no reply from clamd
/etc/gshadow-: no reply from clamd
/etc/shadow: no reply from clamd
/etc/shadow-: no reply from clamd
/etc/security/opasswd: no reply from clamd
/etc/selinux/semanage.conf: no reply from clamd
/etc/audit/audit.rules: no reply from clamd


----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 8
Time: 0.006 sec (0 m 0 s)
Start Date: 2021:06:14 14:30:02
End Date: 2021:06:14 14:30:02



6. This is what /var/log/messages showed after the scan:

Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server jdoe: root 192.168.0.10 [23471]: Jun 14
14:30:02 clamdscan --fdpass /var/log/audit /etc/*shadow*
/etc/security/opasswd /etc/selinux/ /etc/audit/ [2]



7. When I checked audit.log to see why SELinux was blocking the scan, it
came back with nothing:

# ausearch -ts recent | audit2why
Nothing to do



8. If I set SELinux to Permissive mode, clamdscan is able to scan those
files & directories and finds the EICAR file:

# setenforce 0
# clamdscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd
/etc/selinux/ /etc/audit/
/var/log/audit/eicar.txt: Eicar-Signature FOUND
/etc/gshadow: OK
/etc/gshadow-: OK
/etc/shadow: OK
/etc/shadow-: OK
/etc/security/opasswd: OK
/etc/selinux: OK
/etc/audit: OK
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 24.001 sec (0 m 24 s)
Start Date: 2021:06:14 14:34:37
End Date: 2021:06:14 14:35:01



9. Again, audit.log doesn't show what would've been blocked if SELinux was
in Enforcing mode:

# ausearch -ts recent | audit2why
Nothing to do



10. Looking at the SELinux context of the files & directories, I narrowed
it down to 4 types that seem to be problematic for clamdscan and SELinux:

# ls -lZ /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/
/etc/audit/ | grep '_t' | cut -d: -f3 | sort -u
auditd_etc_t
auditd_log_t
selinux_config_t
shadow_t



----- QUESTIONS -----
Is this a bug with ClamAV or just SELinux working as designed?
Is there a way for clamdscan to scan files with SELinux context types
auditd_etc_t, auditd_log_t, selinux_config_t, and shadow_t using file
descriptor passing? It boggles me that auditd isn't logging anything,
otherwise I could try to create a local policy module to allow it.

As a workaround, this is how I'm currently performing a full system scan:

1. Exclude /var/log/audit and /etc from clamd scans:

/etc/clamd.d/scan.conf:
ExcludePath ^/var/log/audit/
# Excluding all of /etc/ because of Bug 12676 - Segmentation fault with
regex, multiscan and fdpass (
https://bugzilla.clamav.net/show_bug.cgi?id=12676)
ExcludePath ^/etc/



2. Run clamdscan on / first:

clamdscan --multiscan --fdpass /



3. As root, run clamscan separately on /etc & /var/log/audit:


clamscan --infected --recursive /etc /var/log/audit



Kind Regards,
Ray

--
Notice: This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy the message and attachments without
retaining a copy.
Re: [clamav-users] Problem with clamdscan and SELinux
Hi there,

On Mon, 14 Jun 2021, Lee, Raymond via clamav-users wrote:

> I've been having trouble with using clamdscan to scan my entire system ...

Then don't do it!

There are lots of things in Unix-like filesystems (and Linux is a kind
of Unix) which should not be scanned with ClamAV.

Unix exposes a lot of things to the file system which are not files.
You might cause problems by scanning them.

For much of the filesystem, scanning it is completely pointless. Much
of what is logged for example is simply harmless text, and it would be
far more useful to read it yourself than to scan it with ClamAV.

You'll find some discussion about it in the mailing list archives, and
also mention of things like SELinux and AppArmor. Please look there.

It's no use just throwing a scanner at a system and hoping for the
best. You need to develop a reasoned approach and a plan. If you
don't, you might be a bigger threat to the system than the threats
from which you think you're trying to protect it.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Problem with clamdscan and SELinux
On Mon, Jun 14, 2021 at 6:50 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 14 Jun 2021, Lee, Raymond via clamav-users wrote:
>
> > I've been having trouble with using clamdscan to scan my entire system
> ...
>
> Then don't do it!


> There are lots of things in Unix-like filesystems (and Linux is a kind
> of Unix) which should not be scanned with ClamAV.
>

I've already excluded /proc, /sys, and /dev from my scans. I know I'll
have other things to exclude, such as files that mission-critical apps are
sensitive to, remote mounts, etc. My goal at this point is just to try to
create a baseline one-size-fits-all ClamAV config and then refine from
there.


>
> Unix exposes a lot of things to the file system which are not files.
> You might cause problems by scanning them.
>

I'm not quarantining anything, and so far in my testing I've only been
getting warning & error messages when scanning the whole system. We'll
also run scans on non-production test servers before rolling out to
production.


>
> For much of the filesystem, scanning it is completely pointless. Much
> of what is logged for example is simply harmless text, and it would be
> far more useful to read it yourself than to scan it with ClamAV.
>
> You'll find some discussion about it in the mailing list archives, and
> also mention of things like SELinux and AppArmor. Please look there.
>
>
I did search the archives for SELinux-related questions, but I didn't see
anything that addressed my question about clamd being unable to scan
certain context types. I do have a workaround, so I can just continue with
that if this is not a bug with clamd.


> It's no use just throwing a scanner at a system and hoping for the
> best. You need to develop a reasoned approach and a plan. If you
> don't, you might be a bigger threat to the system than the threats
> from which you think you're trying to protect it.
>
>
I still prefer to err on the side of caution and scan as much of the system
as reasonably possible. I know some people say it's good enough to scan
just the common user-accessible areas like /home, /tmp, and /var/tmp, but
bad actors already know that and would try to attack other areas.

Anyway, I don't want this thread to become a debate about whether or not to
scan the entire system. I was just looking for insight into my question
about clamd and SELinux.

--
Best Regards,
Ray


Re: [clamav-users] Problem with clamdscan and SELinux
Hi there,

On Tue, 15 Jun 2021, Lee, Raymond via clamav-users wrote:

> ... I don't want this thread to become a debate about whether or not to
> scan the entire system. I was just looking for insight into my question
> about clamd and SELinux.

Sure, with you. FWIW I don't scan Linux systems. Primarily I use
ClamAV to scan mail, and I'm not especially interested in malware.

As far as SELinux is concerned it seems to me that it's most likely
doing what it's supposed to do. My personal take on it is that there's
no reason on Earth to scan a shadow_t type file with ClamAV, and if
you do let it do that you risk a vulnerability in ClamAV ruining your
whole holiday. I don't know why you aren't seeing the log messages
which you're expecting to see, perhaps it's a permissions issue too.

In case it's interesting, here's the detection performance of some
scanners for the last 40 malicious emails processed by my systems:

30 fortinet.com
28 drweb.com
26 gdatasoftware.com
26 escanav.com
26 bitdefender.com
25 avast.com
20 sophos.com
20 ikarus.at
19 eset.com
7 f-secure.com
5 f-prot.com
3 clamav.net
0 trendmicro.com

The detection numbers were obtained by manually inspecting attempts to
send suspicious mail to our servers, and after confirming that the mail
was malicious, submitting samples to Jotti's malware scan:

https://virusscan.jotti.org/

This was by no means a scientific experiment. The sample size was
very small; the malware chose to be in the study, not the other way
around; some of the 40 samples were almost identical; there may be
issues with the way in which samples were presented to the scanners
which skews the comparative results. But as you can see, even the
best performer only found three out of four.

It's food for thought.

--

73,
Ged.

Re: [clamav-users] Problem with clamdscan and SELinux
On Tue, Jun 15, 2021 at 7:19 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 15 Jun 2021, Lee, Raymond via clamav-users wrote:
>
> > ... I don't want this thread to become a debate about whether or not to
> > scan the entire system. I was just looking for insight into my question
> > about clamd and SELinux.
>
> Sure, with you. FWIW I don't scan Linux systems. Primarily I use
> ClamAV to scan mail, and I'm not especially interested in malware.
>
> As far as SELinux is concerned it seems to me that it's most likely
> doing what it's supposed to do. My personal take on it is that there's
> no reason on Earth to scan a shadow_t type file with ClamAV, and if
> you do let it do that you risk a vulnerability in ClamAV ruining your
> whole holiday. I don't know why you aren't seeing the log messages
> which you're expecting to see, perhaps it's a permissions issue too.
>
>
I figured it out! Apparently, there were dontaudit rules that were
preventing the SELinux denials from being logged to audit.log. I
temporarily disabled the dontaudit rules with 'semodule -DB' and then
re-ran clamdscan with SELinux in Permissive mode. Then I saw the AVC
denial messages in audit.log and was able to use audit2allow to generate a
local policy to allow clamd to read the files that it was previously unable
to.


> In case it's interesting, here's the detection performance of some
> scanners for the last 40 malicious emails processed by my systems:
>
> 30 fortinet.com
> 28 drweb.com
> 26 gdatasoftware.com
> 26 escanav.com
> 26 bitdefender.com
> 25 avast.com
> 20 sophos.com
> 20 ikarus.at
> 19 eset.com
> 7 f-secure.com
> 5 f-prot.com
> 3 clamav.net
> 0 trendmicro.com
>
> The detection numbers were obtained by manually inspecting attempts to
> send suspicious mail to our servers, and after confirming that the mail
> was malicious, submitting samples to Jotti's malware scan:
>
> https://virusscan.jotti.org/
>
> This was by no means a scientific experiment. The sample size was
> very small; the malware chose to be in the study, not the other way
> around; some of the 40 samples were almost identical; there may be
> issues with the way in which samples were presented to the scanners
> which skews the comparative results. But as you can see, even the
> best performer only found three out of four.
>
>
LOL, I guess you get what you pay for. Maybe I'll install the
clamav-unofficial-sigs package to hopefully get a better detection rate.

Thanks for your insight!

--
Kind Regards,
Ray


> It's food for thought.

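The diagnostic pipeline from step 10 of the original post and the dontaudit/audit2allow fix from Ray's last message, scripted as one added example (not code from the thread or from the ClamAV project). It assumes the tools Ray names (semodule, ausearch, audit2allow, setenforce) and root; the privileged part only runs when CLAMD_SELINUX_FIX=1 is set, and the module name clamd_local is an assumed placeholder.

```shell
#!/bin/sh
# Added example: reproduce the thread's diagnostics, then apply Ray's fix:
# disable dontaudit rules, rerun the failing scan in Permissive mode, turn
# the now-visible AVC denials into a local policy module, restore dontaudit.
set -eu

# Paths that clamdscan reported as "no reply from clamd" (reads stdin).
failed_paths() {
    sed -n 's/^\(.*\): no reply from clamd$/\1/p'
}

# Unique SELinux types from `ls -lZ` output (reads stdin); this is the
# pipeline from step 10 of the original post, unchanged.
types_from_ls_z() {
    grep '_t' | cut -d: -f3 | sort -u
}

# Root-only. $1 = policy module name, remaining args = paths to rescan.
# setenforce 0 drops enforcement for the whole host while the scan runs,
# so keep the path list short and the window brief.
reveal_and_allow() {
    module="$1"; shift
    semodule -DB                     # disable dontaudit rules and rebuild policy
    setenforce 0                     # Permissive: denials are logged, not blocked
    clamdscan --multiscan --fdpass "$@" || true   # non-zero exit on errors is expected
    setenforce 1
    # Only AVC records from the clamd process in the last few minutes.
    ausearch -m AVC -ts recent -c clamd | audit2allow -M "$module"
    echo "Review ${module}.te before loading: it allows every denial seen above." >&2
    semodule -i "${module}.pp"
    semodule -B                      # re-enable dontaudit rules
}

if [ "${CLAMD_SELINUX_FIX:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    reveal_and_allow clamd_local /var/log/audit /etc/shadow /etc/selinux /etc/audit
fi
```

Feed `clamdscan` output to `failed_paths` and `ls -lZ` of those paths to `types_from_ls_z` to see which SELinux types are involved before generating any policy.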