[clamav-users] Using OnAccess scanning with Selinux

Rob Fulton rob at cow-frenzy.co.uk
Fri Dec 14 10:55:27 EST 2018


Hi,

I'm trying to run clamav with ScanOnAccess on the / mount on a box 
running selinux. I've enabled antivirus_can_scan_system in selinux but 
shortly after startup clamav stops scanning, reporting the following:

ERROR: ScanOnAccess: Internal error (failed to read data) ... Permission 
denied

Initially I was getting no AVC events but discovered selinux dontaudit 
rules; on disabling these and making the antivirus context permissive, I 
can see a whole load of policy denials around access to /etc/shadow and 
/var/log/audit/audit.log. I'd like to avoid writing a whole load of 
custom policies around these individual files; it might be a constant 
task as the OS gets updated.

Has anybody successfully run ScanOnAccess across the whole file system 
whilst having selinux enabled?

Is there a way to tell clamav to continue after encountering a 
Permission Denied? Currently it appears clamav stops its scanning and 
my box eventually grinds to a halt, I guess as the fanotify queue 
continues to build.

Any other suggestions on how to run the two together?

Regards

Rob
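
Added example, not part of the original post or of ClamAV: one way to gauge how much custom policy the denials described above would need is to group the AVC records for the scanner's domain by target type and class. The log lines are constructed, and the type names antivirus_t, shadow_t and auditd_log_t are assumptions based on the stock targeted policy.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original post). The type
# names antivirus_t, shadow_t and auditd_log_t are assumed, not taken from it.
SAMPLE = """\
type=AVC msg=audit(1544802927.101:510): avc:  denied  { read } for  pid=2210 comm="clamd" name="shadow" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544802927.101:510): avc:  denied  { open } for  pid=2210 comm="clamd" path="/etc/shadow" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544802931.440:522): avc:  denied  { read } for  pid=2210 comm="clamd" name="audit.log" dev="dm-0" ino=977 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1544802931.440:522): arch=c000003e syscall=0 success=yes exit=4096 comm="clamd"
type=AVC msg=audit(1544802940.002:530): avc:  denied  { read } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Captures the denied permission set and the source/target contexts of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """SELinux contexts are user:role:type:level; return the type field."""
    return context.split(":")[2]


def summarize_denials(log_text, source_type="antivirus_t"):
    """Map (target type, class) -> set of denied permissions for one source domain."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m or context_type(m.group("scon")) != source_type:
            continue  # ignore denials from other domains
        key = (context_type(m.group("tcon")), m.group("tclass"))
        summary[key].update(m.group("perms").split())
    return dict(summary)


if __name__ == "__main__":
    for (ttype, tclass), perms in sorted(summarize_denials(SAMPLE).items()):
        print(f"{ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
```

Each key in the result is one target type, so the number of keys, not the number of files, indicates how many rules a custom module would carry.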



