[clamav-users] ScanOnAccess issue when clamd launched from systemd

Mikko Caldara Mikko.Caldara at fca.org.uk
Mon May 9 05:48:03 EDT 2016


Hi Bond,
You were right!
When using systemd, the command returns:
system_u:system_r:antivirus_t:s0

but when launching it manually, it has:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

I thought antivirus_can_scan_system would already take care of this?

# getsebool antivirus_can_scan_system
antivirus_can_scan_system --> on

What else can I enable?

Thanks
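An added example, not from the thread: a small POSIX sh script that applies the `ps -efZ` check suggested above to the two contexts reported in this reply, parsing the context column and classifying which SELinux domain clamd is running in. The two `ps -efZ` lines below are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread: parse the SELinux context column of
# `ps -efZ` output and report whether clamd is confined in antivirus_t (as
# when started by systemd) or running unconfined (as when started by hand).

# Return the type field of a full SELinux context (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# `ps -efZ` prints the context as the first column; pull the type from a line.
ps_line_type() {
    selinux_type "$(printf '%s\n' "$1" | awk '{print $1}')"
}

# Classify one clamd process line.
# Exit status: 0 = antivirus_t (confined), 1 = unconfined_t, 2 = other domain.
classify_clamd() {
    case "$(ps_line_type "$1")" in
        antivirus_t)  return 0 ;;
        unconfined_t) return 1 ;;
        *)            return 2 ;;
    esac
}

# Human-readable verdict for one line; returns classify_clamd's status.
report() {
    classify_clamd "$1"; rc=$?
    case "$rc" in
        0) echo "confined (antivirus_t): booleans such as antivirus_can_scan_system apply" ;;
        1) echo "unconfined (unconfined_t): SELinux is not restricting this process" ;;
        *) echo "unexpected domain: $(ps_line_type "$1")" ;;
    esac
    return "$rc"
}

# Constructed sample lines mirroring the two contexts reported in the thread.
SYSTEMD_LINE='system_u:system_r:antivirus_t:s0 clamscan 1234 1 0 05:40 ? 00:00:01 /usr/sbin/clamd'
MANUAL_LINE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5678 4321 0 05:41 pts/0 00:00:01 /usr/sbin/clamd'

report "$SYSTEMD_LINE" || true
report "$MANUAL_LINE"  || true
# On a live host: ps -efZ | grep '[c]lamd' | while IFS= read -r l; do report "$l"; done
```

The confined case is the one where AVC denials (check `ausearch -m AVC -ts recent`) and the antivirus booleans matter; the unconfined case explains why a manual launch behaves differently.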

________________________________________
From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of Bond Masuda [bond.masuda at hexadiam.com]
Sent: 06 May 2016 18:03
To: clamav-users at lists.clamav.net
Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd

Mikko,

I suspected as much based on your description.

Use 'ps -efZ | grep clamd' to find out how the clamd process is running.
Check it when you run manually, and check it again when started by
systemd. I suspect you will find a difference. Once you know the
difference, then you can adjust the SELinux policies.

Good luck,
Bond

On 05/06/2016 02:07 AM, Mikko Caldara wrote:
> Disabling SELinux actually gets rid of the error. Unfortunately, this is not viable for us.
>
> How do I go about debugging this further? No blocking/denied messages appear in the logs...
> Has anyone got ScanOnAccess working with SElinux enabled?
>
> Thanks
>
> Mikko
>
> ________________________________________
> From: Mikko Caldara
> Sent: 05 May 2016 16:47
> To: ClamAV users ML
> Subject: RE: [clamav-users] ScanOnAccess issue when clamd launched from systemd
>
> Hi Mickey,
>
> I tried disabling SELinux and will report back later on that issue.
>
> I understand OnAccess cannot prevent access or write attempts
> if OnAccessMountPath is enabled: not a problem for us, will disable OnAccessPrevention.
>
> So I changed my config to:
>
> ScanOnAccess yes
> OnAccessMountPath /
> OnAccessExcludeUID 0
>
> But still, whenever I access (cat/vim) a fake virus, clamd goes into a crazy infinite loop, trying to access /tmp/clamav-RANDOM_UUID.tmp/nocomment.html which from what I understand is created by clamav itself.
>
> The CPU usage is perfectly fine until an infected file is found: then it goes into the loop and I need to kill it.
> According to a previous reply, "OnAccessExcludeUID 0" should fix this behaviour, but it doesn't in my case.
>
> Thanks
> Mikko
>
> ________________________________________
> From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of Mickey Sola [msola at sourcefire.com]
> Sent: 05 May 2016 16:27
> To: ClamAV users ML
> Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd
>
> Mikko,
>
> I know you didn't find anything in audit.log, but is your primary issue
> resolved when you set SELinux to Permissive? Looking at the code, and the
> debug output, so far everything points to this being an issue with
> permissions.
>
> Regarding your secondary problems:
>
> As documented, OnAccess scanning will not prevent access or write attempts
> if OnAccessMountPath is enabled. This is to prevent users from accidentally
> locking up their systems via an fanotify induced deadlock.
>
> The cpu resource utilization when watching the entire filesystem is
> expected, due to the constant system-wide access events which must be
> queued and processed individually. Unfortunately, delaying or throttling
> event handling in this case would quickly overflow the fanotify event
> queue. You might consider being more selective with your watchpoints to
> reduce unwanted noise and free up cpu cycles.
>
> - Mickey
>
> On Thu, May 5, 2016 at 6:12 AM, Mikko Caldara <Mikko.Caldara at fca.org.uk>
> wrote:
>
>> I currently have these options enabled:
>>
>> ScanOnAccess yes
>> OnAccessMountPath /
>> OnAccessExcludeUID 0
>> OnAccessPrevention yes
>>
>> the user is root.
>> I guess there's a bug then?
>>
>> ________________________________________
>> From: clamav-users [clamav-users-bounces at lists.clamav.net] on behalf of
>> Virgo Pärna [virgo.parna at mail.ee]
>> Sent: 05 May 2016 11:07
>> To: clamav-users at lists.clamav.net
>> Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from
>> systemd
>>
>> On Thu, 5 May 2016 09:50:03 +0000, Mikko Caldara <Mikko.Caldara at fca.org.uk>
>> wrote:
>>> Not sure if it's related, but when I launch clamd *without* systemd and then try to access an "infected" file, 2 problems occur:
>>> - clamd does not prevent access, despite having the option enabled
>>> - clamd goes into an infinite loop and hogs the CPU:
>>>
>>> Thu May  5 09:42:20 2016 -> ScanOnAccess: /etc/suricata/rules/emerging-activex.rules: Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
>>> Thu May  5 09:42:20 2016 -> ScanOnAccess: /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
>>
>>
>> Looks like it is also scanning temporary files created during
>> the scanning. Could you set OnAccessExcludeUID to clamd user id?
>>
>> --
>> Virgo Pärna
>> virgo.parna at mail.ee
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
