>>>>>>> When I boot I see this message: "ClamAV daemon: ERROR: can't open
>>>>>>> /var/log/clamav/clamlog in append mode. Check permissions.
>>>>>>> ERROR: problem with internal logger. Please check permissions of
>>>>>>> /var/log/clamav/clamlog."
>>>>>>>
>>>>>>> I checked the permissions (600) and set them to 666 to be sure that
>>>>>>> the file is writable for the owner clamav. (Shouldn't be necessary
>>>>>>> though).
>>>>>>>
>>>>>>> Still I can't start clamd.
>>>>>>> In clamav.conf the option LogFileUnlock is uncommented.
>>>>>>> I don't understand why I keep having this error.
>>>>>>> Any suggestion is welcome.
>>>>>>
>>>>>> Do you have SELinux enabled, and if so, are there any messages with
>>>>>> "avc: denied" in /var/log/messages or /var/log/audit/audit.log?
>>>>>
>>>>> Yes, I have.
>>>>>
>>>>> In /var/log/audit/audit.log I have this message:
>>>>> type=AVC msg=audit(1149784852.944:133): avc: denied { write } for pid=2352 comm="freshclam" name="log" dev=tmpfs ino=6715 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
>>>>> type=SYSCALL msg=audit(1149784852.944:133): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf926000 a2=4f32aff4 a3=15 items=1 pid=2352 auid=4294967295 uid=46 gid=46 euid=46 suid=46 fsuid=46 egid=46 sgid=46 fsgid=46 comm="freshclam" exe="/usr/bin/freshclam"
>>>>
>>>> Curious. The AVC seems to relate to denial of sending a syslog message,
>>>> whereas the error message seems to relate to a regular file
>>>> (/var/log/clamav/clamlog).
>>>>
>>>> Are you on FC4 or FC5? Are your selinux policy packages up to date?
>>>
>>> I have FC5 and yes, selinux packages are up to date.
>>
>> OK, you can fix this denial as follows:
>>
>> Set yourself up for making local policy modules:
>>
>> # yum install checkpolicy
>> # cd /root
>> # mkdir selinux.local
>> # cd selinux.local
>> # chcon -R -t usr_t .
>> # ln -s /usr/share/selinux/devel/Makefile .
>>
>> Make a local policy module for this issue, in this directory:
>>
>> 1. Create a file myfreshclam.te with this content:
>>
>> policy_module(myfreshclam, 0.1.0)
>>
>> require {
>> type freshclam_t;
>> };
>>
>> # Allow freshclam to send syslog messages
>> logging_send_syslog_msg(freshclam_t)
>>
>> 2. Build the policy module:
>>
>> # make
>>
>> 3. Finally, install your new policy module:
>>
>> # semodule -i myfreshclam.pp
>>
>> That should allow freshclam to send syslog messages, though I'm not
>> convinced that that's the actual problem you're seeing.
>
> When I do the "chcon"-step this is happening:
>
> selinux.local]# chcon -R -t usr_t
> chcon: too few arguments
> Try `chcon --help' for more information.
>
> What should I do now?

Add the dot as the last parameter of the command.
# chcon -R -t usr_t .

You are right; I missed the dot. I built the module following your
instructions. Still I can't start clamd and the error message during
booting is still there.

Try putting SELinux in permissive mode and then try it again. If it now
works, you've confirmed that it's an SELinux issue and we'll have to
look again for more "avc: denied" messages. If not, the problem is not
SELinux-related and you'll have to look for the problem elsewhere.

With SELinux in permissive mode clamd started without problem.
In the graphical configuration tool of SELinux I found SELinux Service Protection; there I only had to check clamd.
Clamd is now also running in enforced mode (SELinux).
Thank you for your help.
Peter.
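
The AVC record quoted in the thread can be read mechanically. The following is an added example, not part of the original messages: it parses "avc: denied" lines and groups them by process name, which shows that the logged denial belongs to freshclam rather than clamd. The third sample line is a hypothetical clamd denial constructed for illustration, and the printed rules are the raw equivalents for review, not the interface macro used in the thread.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC record quoted in the thread,
# line 2 is an abridged SYSCALL record, line 3 is a hypothetical clamd
# denial invented for this example (it does not appear in the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1149784852.944:133): avc: denied { write } for pid=2352 comm="freshclam" name="log" dev=tmpfs ino=6715 scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1149784852.944:133): arch=40000003 syscall=102 success=no exit=-13 comm="freshclam" exe="/usr/bin/freshclam"
type=AVC msg=audit(1149784900.100:140): avc: denied { append } for pid=2400 comm="clamd" name="clamlog" dev=dm-0 ino=1234 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ("comm", "scontext", "tcontext", "tclass")


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if any(key not in rec for key in REQUIRED):
        return None  # truncated or malformed record
    rec["perms"] = sorted(m.group("perms").split())
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def denials_by_command(log_text):
    """Group denials by process name, each shown as the raw rule it implies."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[rec["comm"]].add("allow %s %s:%s { %s };" % (
                rec["source_type"], rec["target_type"],
                rec["tclass"], " ".join(rec["perms"])))
    return {comm: sorted(rules) for comm, rules in grouped.items()}


if __name__ == "__main__":
    for comm, rules in denials_by_command(SAMPLE_LOG).items():
        for rule in rules:
            print("%-10s %s" % (comm, rule))
```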