Hi all,
I've been having trouble using clamdscan to scan my entire system (
'clamdscan --multiscan --fdpass /' ) when SELinux is in Enforcing mode due
to files of certain SELinux context types.
Environment:
- CentOS 7 with the following packages from the yum repo:
clamav-lib-0.103.2-1.el7.x86_64
clamav-data-0.103.2-1.el7.noarch
clamd-0.103.2-1.el7.x86_64
clamav-filesystem-0.103.2-1.el7.noarch
clamav-0.103.2-1.el7.x86_64
clamav-update-0.103.2-1.el7.x86_64
- Oracle Enterprise Linux 8 with the following packages from the yum repo:
clamav-lib-0.103.2-1.el8.x86_64
clamav-data-0.103.2-1.el8.noarch
clamd-0.103.2-1.el8.x86_64
clamav-filesystem-0.103.2-1.el8.noarch
clamav-0.103.2-1.el8.x86_64
clamav-update-0.103.2-1.el8.x86_64
- clamd runs as the clamscan user, but the same problem exists even if I run
clamd as root
1. My /etc/clamd.d/scan.conf:
# egrep -v "^#|^$" /etc/clamd.d/scan.conf
LogSyslog yes
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketMode 660
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
User clamscan
2. SELinux is in Enforcing mode, and I've got the SELinux booleans set
appropriately to allow ClamAV to scan the system:
# getenforce
Enforcing
# getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> on
3. When I run a full system scan, it finishes way too fast and doesn't
catch the EICAR file that I know is on the system:
# clamdscan --multiscan --fdpass / 2>/dev/null
/dev: Excluded
/proc: Excluded
/sys: Excluded
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 30
Time: 6.298 sec (0 m 6 s)
Start Date: 2021:06:14 18:02:09
End Date: 2021:06:14 18:02:16
4. This is what /var/log/messages showed after the scan:
Jun 14 18:02:10 centos7-server clamd[2972]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 18:02:10 centos7-server clamd[2972]: Error condition on fd 10
5. I was able to narrow down which files & directories clamdscan was having
trouble with, so I reran the scan on just those:
# clamdscan --multiscan --fdpass /var/log/audit /etc/*shadow*
/etc/security/opasswd /etc/selinux/ /etc/audit/
/var/log/audit/audit.log.4: no reply from clamd
/etc/gshadow: no reply from clamd
/etc/gshadow-: no reply from clamd
/etc/shadow: no reply from clamd
/etc/shadow-: no reply from clamd
/etc/security/opasswd: no reply from clamd
/etc/selinux/semanage.conf: no reply from clamd
/etc/audit/audit.rules: no reply from clamd
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 8
Time: 0.006 sec (0 m 0 s)
Start Date: 2021:06:14 14:30:02
End Date: 2021:06:14 14:30:02
6. This is what /var/log/messages showed after the scan:
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no
control data received, 9 bytes read(Is SELinux/AppArmor enabled, and
blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server jdoe: root 192.168.0.10 [23471]: Jun 14
14:30:02 clamdscan --fdpass /var/log/audit /etc/*shadow*
/etc/security/opasswd /etc/selinux/ /etc/audit/ [2]
7. When I checked audit.log to see why SELinux was blocking the scan, it
came back with nothing:
# ausearch -ts recent | audit2why
Nothing to do
8. If I set SELinux to Permissive mode, clamdscan is able to scan those
files & directories and finds the EICAR file:
# setenforce 0
# clamdscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd
/etc/selinux/ /etc/audit/
/var/log/audit/eicar.txt: Eicar-Signature FOUND
/etc/gshadow: OK
/etc/gshadow-: OK
/etc/shadow: OK
/etc/shadow-: OK
/etc/security/opasswd: OK
/etc/selinux: OK
/etc/audit: OK
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 24.001 sec (0 m 24 s)
Start Date: 2021:06:14 14:34:37
End Date: 2021:06:14 14:35:01
9. Again, audit.log doesn't show what would've been blocked if SELinux was
in Enforcing mode:
# ausearch -ts recent | audit2why
Nothing to do
10. Looking at the SELinux context of the files & directories, I narrowed
it down to 4 types that seem to be problematic for clamdscan and SELinux:
# ls -lZ /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/
/etc/audit/ | grep '_t' | cut -d: -f3 | sort -u
auditd_etc_t
auditd_log_t
selinux_config_t
shadow_t
----- QUESTIONS -----
Is this a bug with ClamAV or just SELinux working as designed?
Is there a way for clamdscan to scan files with SELinux context types
auditd_etc_t, auditd_log_t, selinux_config_t, and shadow_t using file
descriptor passing? It boggles me that auditd isn't logging anything,
otherwise I could try to create a local policy module to allow it.
As a workaround, this is how I'm currently performing a full system scan:
1. Exclude /var/log/audit and /etc from clamd scans:
/etc/clamd.d/scan.conf:
ExcludePath ^/var/log/audit/
# Excluding all of /etc/ because of Bug 12676 - Segmentation fault with
regex, multiscan and fdpass (
https://bugzilla.clamav.net/show_bug.cgi?id=12676)
ExcludePath ^/etc/
2. Run clamdscan on / first:
clamdscan --multiscan --fdpass /
3. As root, run clamscan separately on /etc & /var/log/audit:
clamscan --infected --recursive /etc /var/log/audit
Kind Regards,
Ray
--
Notice: This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy the message and attachments without
retaining a copy.
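Editor's added example (not part of Ray's post and not ClamAV project code). The symptom in steps 7 and 9, a scan that fails only in Enforcing mode while `ausearch | audit2why` reports "Nothing to do", is the classic signature of a dontaudit rule: the access is denied, but the policy tells the kernel not to log the AVC, so there is nothing for audit2why to explain. The script below generalizes step 10 into a reusable type extractor, queries the loaded policy for allow and dontaudit rules between clamd's domain and each file type, and wraps the standard trick of rebuilding the policy with dontaudit rules disabled (`semodule -DB`) so the hidden denial appears in audit.log. Assumptions: clamd runs in the `antivirus_t` domain on the RHEL/CentOS/OEL policy (confirm with `ps -eZ | grep clamd`), `setools-console` provides `sesearch`, and the policy commands run as root on the affected host. The `ls -Z` lines fed to the parser in the test are constructed from the contexts shown in the post.

```shell
#!/bin/sh
# Added example: find which SELinux file types clamd cannot read and why
# audit.log stays silent about it. Not from the original post.

# Read `ls -Z` / `ls -lZ` / `ls -dZ` output on stdin (el7 and el8 formats
# both work, since we look for the context token itself, not a column) and
# print each distinct file *type* (third field of user:role:type:level) once.
extract_types() {
    awk '{
        for (i = 1; i <= NF; i++) {
            # A file context token looks like system_u:object_r:shadow_t:s0
            if ($i ~ /^[^:]+:[^:]+:[^:]+_t:/) {
                split($i, f, ":"); seen[f[3]] = 1
            }
        }
    } END { for (t in seen) print t }' | sort
}

# For each type, ask the loaded policy two questions about clamd's domain
# (assumed antivirus_t; override with the first argument):
#   - is there an allow rule letting it read files of that type?
#   - is there a dontaudit rule that would hide a denial from audit.log?
# Returns 2 if sesearch (setools-console) is not installed.
check_policy_for_types() {
    domain=${1:-antivirus_t}
    [ $# -gt 0 ] && shift
    command -v sesearch >/dev/null 2>&1 || {
        echo "sesearch not found: install setools-console" >&2
        return 2
    }
    for t in "$@"; do
        echo "== $domain -> $t"
        echo "-- allow rules (file read):"
        sesearch -A -s "$domain" -t "$t" -c file -p read
        echo "-- dontaudit rules (these suppress the AVC record):"
        sesearch --dontaudit -s "$domain" -t "$t" -c file
    done
}

# Reproduce the failure with dontaudit rules temporarily disabled, so the
# real AVC denial is written to audit.log, then restore the policy.
# Run as root on the affected host; a non-zero clamdscan exit is expected.
reveal_hidden_denials() {
    semodule -DB                      # rebuild policy with dontaudit off
    clamdscan --fdpass "$@" || true   # reproduce the "no reply from clamd"
    ausearch -m AVC -ts recent | audit2why
    semodule -B                       # rebuild policy with dontaudit back on
}

# Usage on the affected host:
#   sh selinux-clamd-check.sh --types /var/log/audit /etc/shadow /etc/audit
#   sh selinux-clamd-check.sh --reveal /etc/shadow
case "${1:-}" in
    --types)
        shift
        types=$(ls -dZ "$@" | extract_types)
        check_policy_for_types antivirus_t $types
        ;;
    --reveal)
        shift
        reveal_hidden_denials "$@"
        ;;
esac
```

Read the sesearch output per type: an allow rule present but a dontaudit rule also present means the denial is on some other permission (the dontaudit output names the permissions it suppresses); no allow rule at all means the boolean you turned on does not cover that type. Either way, the AVC that `reveal_hidden_denials` surfaces is what audit2allow needs as input for a local policy module, and `semodule -B` afterwards puts the policy back so normal noise suppression resumes.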