Mikko, I suspected as much based on your description.
Use 'ps -efZ | grep clamd' to find out how the clamd process is running. Check it when you run manually, and check it again when started by systemd. I suspect you will find a difference. Once you know the difference, then you can adjust the SELinux policies.

Good luck,
Bond

On 05/06/2016 02:07 AM, Mikko Caldara wrote:
> Disabling SELinux actually gets rid of the error. Unfortunately, this is not
> viable for us.
>
> How do I go about debugging this further? No blocking/denied messages appear
> in the logs...
> Has anyone got ScanOnAccess working with SELinux enabled?
>
> Thanks
>
> Mikko
>
> ________________________________________
> From: Mikko Caldara
> Sent: 05 May 2016 16:47
> To: ClamAV users ML
> Subject: RE: [clamav-users] ScanOnAccess issue when clamd launched from systemd
>
> Hi Mickey,
>
> I tried disabling SELinux and will report back later on that issue.
>
> I understand OnAccess cannot prevent access or write attempts
> if OnAccessMountPath is enabled: not a problem for us, will disable
> OnAccessPrevention.
>
> So I changed my config to:
>
> ScanOnAccess yes
> OnAccessMountPath /
> OnAccessExcludeUID 0
>
> But still, whenever I access (cat/vim) a fake virus, clamd goes into a crazy
> infinite loop, trying to access /tmp/clamav-RANDOM_UUID.tmp/nocomment.html
> which from what I understand is created by clamav itself.
>
> The CPU usage is perfectly fine until an infected file is found: then it goes
> into the loop and I need to kill it.
> According to a previous reply, "OnAccessExcludeUID 0" should fix this
> behaviour, but it doesn't in my case.
>
> Thanks
> Mikko
>
> ________________________________________
> From: clamav-users [[email protected]] on behalf of
> Mickey Sola [[email protected]]
> Sent: 05 May 2016 16:27
> To: ClamAV users ML
> Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd
>
> Mikko,
>
> I know you didn't find anything in audit.log, but is your primary issue
> resolved when you set SELinux to Permissive? Looking at the code, and the
> debug output, so far everything points to this being an issue with
> permissions.
>
> Regarding your secondary problems:
>
> As documented, OnAccess scanning will not prevent access or write attempts
> if OnAccessMountPath is enabled. This is to prevent users from accidentally
> locking up their systems via a fanotify-induced deadlock.
>
> The CPU resource utilization when watching the entire filesystem is
> expected, due to the constant system-wide access events which must be
> queued and processed individually. Unfortunately, delaying or throttling
> event handling in this case would quickly overflow the fanotify event
> queue. You might consider being more selective with your watchpoints to
> reduce unwanted noise and free up CPU cycles.
>
> - Mickey
>
> On Thu, May 5, 2016 at 6:12 AM, Mikko Caldara <[email protected]>
> wrote:
>
>> I currently have these options enabled:
>>
>> ScanOnAccess yes
>> OnAccessMountPath /
>> OnAccessExcludeUID 0
>> OnAccessPrevention yes
>>
>> the user is root.
>> I guess there's a bug then?
>>
>> ________________________________________
>> From: clamav-users [[email protected]] on behalf of
>> Virgo Pärna [[email protected]]
>> Sent: 05 May 2016 11:07
>> To: [email protected]
>> Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd
>>
>> On Thu, 5 May 2016 09:50:03 +0000, Mikko Caldara <[email protected]> wrote:
>>> Not sure if it's related, but when I launch clamd *without* systemd and
>>> then try to access an "infected" file, 2 problems occur:
>>> - clamd does not prevent access, despite having the option enabled
>>> - clamd goes into an infinite loop and hogs the CPU:
>>>
>>> Thu May 5 09:42:20 2016 -> ScanOnAccess: /etc/suricata/rules/emerging-activex.rules: Win.Trojan.cve_2011_2657-1(30e2f8e333f1624bb5ab66bed16eb110:274398) FOUND
>>> Thu May 5 09:42:20 2016 -> ScanOnAccess: /tmp/clamav-326fdcae0616839f918d7b703a8e513b.tmp/nocomment.html (deleted): Win.Trojan.cve_2011_2657-1(d361373a52eb4e0cfcb1fd4783700152:273785) FOUND
>>
>> Looks like it is also scanning temporary files created during
>> the scanning. Could you set OnAccessExcludeUID to clamd user id?
>>
>> --
>> Virgo Pärna
>> [email protected]
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
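The comparison Bond recommends (run `ps -efZ` once with clamd started by hand and once with it started by systemd, then diff the SELinux context) can be scripted so the difference is not lost in the rest of the process list. The following is an added example, not code from the thread or from the ClamAV project. Both `ps -efZ` captures are constructed sample output: the `unconfined_t` label for a daemon started from a root shell and the `antivirus_t` label for the systemd unit are the kind of difference the thread expects, and the `clamscan` user, PIDs and paths are assumptions, not observations from Mikko's host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the SELinux
# context clamd runs under when started manually versus under systemd.
# Both captures below are CONSTRUCTED `ps -efZ` output. The labels, the
# `clamscan` user, PIDs and paths are assumptions for illustration only.

MANUAL_PS='LABEL                           UID  PID PPID C STIME TTY TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1701 1650 0 09:40 pts/0 00:00:00 clamd --foreground
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1720 1650 0 09:41 pts/0 00:00:00 grep clamd'

SYSTEMD_PS='LABEL                           UID  PID PPID C STIME TTY TIME CMD
system_u:system_r:antivirus_t:s0 clamscan 1802 1 0 09:45 ? 00:00:00 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1820 1650 0 09:46 pts/0 00:00:00 grep clamd'

# clamd_context: print the SELinux context (first column of `ps -efZ`) of the
# clamd daemon. The header row and the `grep clamd` process are skipped because
# their CMD field ($9) does not end in "clamd".
clamd_context() {
    printf '%s\n' "$1" | awk '$1 != "LABEL" && $9 ~ /clamd$/ { print $1; exit }'
}

# context_type: extract the type component of a user:role:type:level context.
# The type is what SELinux policy rules are written against.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# compare_contexts: print "same <type>" when both captures show clamd under the
# same SELinux type, otherwise "differs manual=<type> systemd=<type>" and return
# status 1 so a caller can branch on the result.
compare_contexts() {
    m=$(context_type "$(clamd_context "$1")")
    s=$(context_type "$(clamd_context "$2")")
    if [ "$m" = "$s" ]; then
        echo "same $m"
        return 0
    fi
    echo "differs manual=$m systemd=$s"
    return 1
}

# Demonstration on the constructed captures. With live data you would replace
# the two strings with `ps -efZ` run under each start method.
if compare_contexts "$MANUAL_PS" "$SYSTEMD_PS"; then
    echo "clamd runs under the same SELinux type either way; look elsewhere"
else
    echo "clamd is confined differently under systemd; review policy for that type"
fi
```

Usage note: a `differs` result means the systemd-started daemon is confined by a type that the interactive run never hits, which is exactly the situation in which disabling SELinux "fixes" the problem. Mikko's report of no denied messages in the logs is consistent with that: the reference policy ships dontaudit rules that suppress logging of some denials, and `semodule -DB` rebuilds the policy with those rules disabled so the AVC records appear in audit.log; `semodule -B` restores the default afterwards.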
