[clamav-users] Using OnAccess scanning with Selinux
Kretschmer, Jens
kretschmer.jens at siemens.com
Mon Feb 11 15:43:08 UTC 2019
Hi Rob,
I'm facing the same issue. It's actually pretty easy to reproduce.
1) start clamd at scan service
2) log in via ssh (with any user)
3) Error message shows up and clamd stops working
In my opinion this is a bug and I will create a bug report.
Did you find a workaround for this problem?
Best regards,
Jens
-----Original Message-----
From: Rob Fulton <rob at cow-frenzy.co.uk>
Sent: Friday, December 14, 2018 4:55 PM
To: clamav-users at lists.clamav.net
Subject: [clamav-users] Using OnAccess scanning with Selinux
Hi,
I'm trying to run clamav with ScanOnAccess on the / mount on a box running selinux. I've enabled antivirus_can_scan_system in selinux, but shortly after startup clamav stops scanning, reporting the following:
ERROR: ScanOnAccess: Internal error (failed to read data) ... Permission denied
Initially I was getting no AVC events but discovered selinux dontaudit rules; on disabling these and making the antivirus context permissive, I can see a whole load of policy denials around access to /etc/shadow and /var/log/audit/audit.log. I'd like to avoid writing a whole load of custom policies around these individual files; it might be a constant task as the OS gets updated.
Has anybody successfully run ScanOnAccess across the whole file system whilst having selinux enabled?
Is there a way to tell clamav to continue after encountering a Permission Denied? Currently it appears clamav stops its scanning and my box eventually grinds to a halt, I guess as the fanotify queue continues to build.
Any other suggestions on how to run the two together?
Regards
Rob
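
Added example, not part of the original thread: a small Python summarizer for the kind of AVC denials described above, grouping them by target type so the scale of the policy work is visible before writing any custom rules. The audit records are constructed samples, and the source domain name `antivirus_t` is an assumption for the clamd domain; adjust it to the domain shown in your own audit log.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1544806501.101:310): avc:  denied  { read } for  pid=2211 comm="clamd" name="shadow" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544806502.317:311): avc:  denied  { read open } for  pid=2211 comm="clamd" path="/etc/shadow" dev="dm-0" ino=131 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544806503.020:312): avc:  denied  { read } for  pid=2211 comm="clamd" name="audit.log" dev="dm-0" ino=977 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544806504.500:313): avc:  denied  { write } for  pid=3001 comm="sshd" name="x.log" dev="dm-0" ino=55 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1544806504.500:313): arch=c000003e syscall=2 success=no exit=-13 comm="sshd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(log_text, source_type="antivirus_t"):
    """Count denials per (target type, object class, permission) for one source domain."""
    summary = Counter()
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scontext"]) != source_type:
            continue  # unparsable record or a different domain
        for perm in m["perms"].split():
            summary[(selinux_type(m["tcontext"]), m["tclass"], perm)] += 1
    return summary


def denied_target_types(log_text, source_type="antivirus_t"):
    """Sorted list of distinct target types the source domain was denied on."""
    return sorted({t for (t, _, _) in summarize_denials(log_text, source_type)})


if __name__ == "__main__":
    for key, count in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(count, *key)
```

To run it against a real system, pass the contents of the audit log (readable by root only) instead of the sample string.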