On 08/23/2010 01:18 PM, Arthur Dent wrote:
> On Mon, 2010-08-23 at 12:12 +0100, Arthur Dent wrote:
>> On Mon, 2010-08-23 at 13:01 +0200, Dominick Grift wrote:
>>> On 08/23/2010 12:57 PM, Arthur Dent wrote:
>>>> On Mon, 2010-08-23 at 12:31 +0200, Dominick Grift wrote:
>>>>> On 08/23/2010 12:20 PM, Arthur Dent wrote:
>>>>>> On Mon, 2010-08-23 at 10:56 +0200, Dominick Grift wrote:
>>>>>>> On 08/23/2010 10:47 AM, Arthur Dent wrote:
>>>>>>>> On Mon, 2010-08-23 at 10:42 +0200, Dominick Grift wrote:
>>>>>>>>> On 08/23/2010 10:40 AM, Arthur Dent wrote:
>>>>>>>>>> On Mon, 2010-08-23 at 10:29 +0200, Dominick Grift wrote:
>>>>>>>>>>> On 08/23/2010 10:09 AM, Arthur Dent wrote:
>>>>>>>>>>>> On Sun, 2010-08-22 at 22:44 +0100, Arthur Dent wrote:
>>>>>>>>>>>>> On Sun, 2010-08-22 at 23:07 +0200, Dominick Grift wrote:
>>>>>>>>>>>>>> On 08/22/2010 08:24 PM, Arthur Dent wrote:
>>>>>>>>>>>>>
>>>>>
>>>>> Looks like clamd again/or still runs in the init script domain.
>>>>> Therefore clamdscan cannot connect to it
>>>>>
>>>>> ps -auxZ | grep initrc_t
>>>>
>>>> # ps -auxZ | grep initrc_t
>>>> Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
>>>> system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S Aug21 0:02 ddclient - sleeping for 20 seconds
>>>> unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl Aug22 4:01 /usr/local/sbin/clamd
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728 pts/0 S+ 11:55 0:00 grep initrc_t
>>>
>>> So clamd runs in the wrong domain:
>>>
>>> try:
>>>
>>> matchpathcon /usr/local/sbin/clamd
>>> chcon -t clamd_exec_t /usr/local/sbin/clamd
>>> service clamd restart
>>
>> Not quite sure what went wrong here...
>>
>> # matchpathcon /usr/local/sbin/clamd
>> /usr/local/sbin/clamd system_u:object_r:bin_t:s0
>> # chcon -t clamd_exec_t /usr/local/sbin/clamd
>> # service clamd restart
>> Stopping clamd: [ OK ]
>> Starting clamd: [FAILED]
>>
>
> Addendum:
>
> Just after I sent this message I saw this:
>
> Should I try the setsebool command?
>

Yes but that may have a bug as well (recently fixed) and we can manually implement it as well. But also implement the patch in my previous post to make fallback to non execmem work.

>
> *************************
> * !!! ALERT !!! *
> * CLAMD IS NOT RUNNING! *
> *************************
>
> Attempting to start ClamD...
>
> libclamav JIT: Can't allocate RWX Memory: Permission denied
> libclamav JIT: SELinux is preventing 'execmem' access. Run 'setsebool -P clamd_use_jit on' to allow access
> libclamav JIT: falling back to interpreter mode
> LibClamAV Error: cli_load(): Can't open file /usr/local/share/clamav/phish.ndb
> ERROR: Can't open file or directory
> *************************
> * !!! PANIC !!! *
> * CLAMD FAILED TO START *
> *************************
>
> Check to confirm that the clamd start process defined for
> the 'start_clamd' variable in the 'USER EDIT SECTION' is
> set correctly for your particular distro. If it is, then
> check your logs to determine why clamd failed to start.
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
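The `ps -auxZ | grep initrc_t` check from the thread, as an added example that is not part of the original messages: a shell function that compares the type field of each process label exactly, so a command line that merely contains `initrc_t` (the `grep` itself) is not listed. The function names and the assumed `ps auxZ` column order are this example's own; the sample lines are copied from the output quoted above.

```shell
#!/bin/sh
# Added example: report processes still running in the init script domain
# (initrc_t), i.e. daemons that never transitioned into their own domain.
#
# Assumed input layout (ps auxZ):
#   LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
# Output: one line per hit, "PID USER COMMAND".
find_initrc_procs() {
    awk '
    {
        # LABEL is user:role:type:level. Compare the type field exactly,
        # so text in the command column can never cause a match.
        n = split($1, ctx, ":")
        if (n < 3 || ctx[3] != "initrc_t") next   # also skips the header row

        # COMMAND starts at field 12 and may contain spaces.
        cmd = $12
        for (i = 13; i <= NF; i++) cmd = cmd " " $i
        printf "%s %s %s\n", $3, $2, cmd
    }'
}

# Sample input for offline use, taken from the ps output quoted in the thread.
sample_ps() {
    cat <<'EOF'
system_u:system_r:initrc_t:s0 ddclient 1141 0.0 0.1 9148 1824 ? S Aug21 0:02 ddclient - sleeping for 20 seconds
unconfined_u:system_r:initrc_t:s0 clamav 19801 0.2 27.6 309276 279772 ? Ssl Aug22 4:01 /usr/local/sbin/clamd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25217 0.0 0.0 4312 728 pts/0 S+ 11:55 0:00 grep initrc_t
EOF
}

# Offline demo; on a live SELinux host use: ps auxZ | find_initrc_procs
sample_ps | find_initrc_procs
```

A daemon listed here is usually one whose executable lacks its `*_exec_t` label, as with the `bin_t` result `matchpathcon` returned for `/usr/local/sbin/clamd` in the thread.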