On 25/06/13 20:07, Dennis Peterson wrote:
> On 6/25/13 8:19:50AM, Denis McMahon wrote:
>
>> I'm guessing that the interesting data here is:
>>
>> open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission
>> denied)
>>
>> and
>>
>> sin_addr=inet_addr("127.0.0.1")}, 16) = 0
>>
>> which, at a guess, I'd say meant that freshclam had been unable to open
>> /etc/resolv.conf to get a list of nameservers, was using localhost as a
>> nameserver, and was getting nothing back from localhost?
>>
>> $ host current.cvd.clamav.net localhost
>> ;; connection timed out; no servers could be reached
>> $ host current.cvd.clamav.net 127.0.0.1
>> ;; connection timed out; no servers could be reached
>> $
>>
>> Tends to confirm the latter ....
>>
>> So I installed dnsproxy, that didn't seem to help.
>>
>> Then looking in syslog I saw a lot of:
>>
>> Jun 25 15:55:34 server kernel: [883159.006897] type=1400
>> audit(1372172134.934:1143): apparmor="DENIED" operation="open"
>> parent=25929 profile="/usr/bin/freshclam"
>> name="/etc/network/nameservers" pid=25930 comm="freshclam"
>> requested_mask="r" denied_mask="r" fsuid=107 ouid=0
>>
>> So the issue is that apparmor is blocking freshclam?
>>
>> After adding:
>>
>> /etc/resolv.conf r,
>> /etc/network/nameservers r,
>>
>> in:
>>
>> /etc/apparmor.d/local/usr.bin.freshclam
>>
>> freshclam updated fine!
>>
>> Why dnsproxy didn't fix it I have no idea, but I'll remove it as I don't
>> seem to need it anyway.
>>
>> Rgds
>>
>> Denis McMahon
>
> This looks like Ubuntu which I don't have a version of or experience
> with - I've never seen it in any production data centers I've worked in.
> I didn't even know they made a server version :). I'm curious enough to
> install it as a VM though. Freshclam is binding to the local interface.
> That by itself is not a bad thing depending on what happens next (e.g. if
> a proxy is present and working). What does your /etc/network/interfaces
> file look like? Cloak IPs as needed.

It is, and they do, although this server is only hosting a couple of
sites and is running in a domestic environment.

> SELinux has been mentioned and there may be a better test of that than
> what you performed, but that is an Ubuntuism I'm not familiar with. I'm
> also curious what your default route is as seen with netstat -rn and the
> result of pinging current.cvd.clamav.net.

$ cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.254
    dns-nameservers 192.168.1.254 158.152.1.43 8.8.8.8

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

$ ping current.cvd.clamav.net
ping: unknown host current.cvd.clamav.net

$ host current.cvd.clamav.net
$ host -t txt current.cvd.clamav.net
current.cvd.clamav.net descriptive text "0.97.8:54:17414:1372184941:1:63:40666:214"
$

Rgds
Denis McMahon
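
Added example (not part of the original message, and not ClamAV or AppArmor project code): a small parser that turns apparmor="DENIED" syslog lines like the one quoted above into candidate read rules for the profile's local override file. The function names are hypothetical, the sample log is constructed from the quoted line, and the override path is assumed to be the profile path with slashes replaced by dots, as in /etc/apparmor.d/local/usr.bin.freshclam above.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the message, unwrapped;
# line 2 is a constructed denial for the /etc/resolv.conf open that strace
# showed failing with EACCES; line 3 is unrelated noise.
SAMPLE_SYSLOG = """\
Jun 25 15:55:34 server kernel: [883159.006897] type=1400 audit(1372172134.934:1143): apparmor="DENIED" operation="open" parent=25929 profile="/usr/bin/freshclam" name="/etc/network/nameservers" pid=25930 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Jun 25 15:55:34 server kernel: [883159.006950] type=1400 audit(1372172134.934:1144): apparmor="DENIED" operation="open" parent=25929 profile="/usr/bin/freshclam" name="/etc/resolv.conf" pid=25930 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
Jun 25 15:55:35 server CRON[25931]: (root) CMD (test -x /usr/sbin/anacron)
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
LOCAL_DIR = "/etc/apparmor.d/local/"               # assumption: Ubuntu layout

def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: q or u for k, q, u in FIELD.findall(line)}
        if "profile" in fields and "name" in fields:
            denials.append(fields)
    return denials

def candidate_rules(denials):
    """Map each local override file to the sorted read rules it would need."""
    rules = defaultdict(set)
    for d in denials:
        # Only propose read-only file opens; anything else needs a human.
        if d.get("operation") != "open" or d.get("denied_mask") != "r":
            continue
        local = LOCAL_DIR + d["profile"].strip("/").replace("/", ".")
        rules[local].add(f'{d["name"]} r,')
    return {path: sorted(lines) for path, lines in rules.items()}

if __name__ == "__main__":
    for path, lines in candidate_rules(parse_denials(SAMPLE_SYSLOG)).items():
        print(f"# candidate additions for {path}")
        print("\n".join(lines))
```

Each proposed line widens the profile, so check it against what the program legitimately needs before adding it, then reload the profile with apparmor_parser -r.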