the culprit is always… SELinux :)

After having set up squid and dansguardian (using clamd) on CentOS 5, I wasn't able to use it :( I always got the following error, even though the dansguardian user was the same as the clamd one (clamav):

2010.7.9 12:22:41 - 10.0.200.6 http://www.eicar.org/anti_virus_test_file.htm
 *INFECTED* *DENIED* /tmp/tfIlR1j6: lstat() failed: Permission denied.
ERROR GET 15590 0 Content scanning 1 403 text/html

I only realized, after having searched far too long, that SELinux (I know, life is too short for it) was the culprit. It was my mistake, as I had completely forgotten that this machine had SELinux enabled :-S

So in /var/log/audit/audit.log I had:

type=AVC msg=audit(1278673113.470:3489): avc:  denied  { getattr } for
pid=32164 comm="clamd" path="/tmp/tfCSCirx" dev=dm-3 ino=17
scontext=user_u:system_r:clamd_t:s0
tcontext=user_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1278673113.470:3489): arch=c000003e
syscall=6 success=no exit=-13 a0=8cce370 a1=421f2dc0 a2=421f2dc0
a3=8 items=0 ppid=1 pid=32164 auid=1004 uid=102 gid=114 euid=102
suid=102 fsuid=102 egid=114 sgid=114 fsgid=114 tty=(none) ses=437
comm="clamd" exe="/usr/sbin/clamd" subj=user_u:system_r:clamd_t:s0
key=(null)

Note to myself: never forget to check audit.log! To create the SELinux policy module, I used the following commands, which are quite easy:

audit2allow -a -m dansguardian > dansguardian.te
checkmodule -M -m dansguardian.te
checkmodule -M -m dansguardian.te -o dansguardian.mod
semodule_package -o dansguardian.pp -m dansguardian.mod
semodule -i dansguardian.pp

Et voilà! Dansguardian is running and I didn't disable SELinux :-)
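Two things worth checking before running that pipeline, as an added illustration that is not part of the original post: the AVC record tells you exactly which domain (scontext clamd_t) was refused which permission (getattr) on which label (tcontext initrc_tmp_t, the label /tmp files typically get when created by a service running in initrc_t), and `audit2allow -a` turns every denial in the whole audit log into allow rules, not just clamd's, so on a shared box it is safer to feed it only the relevant records (for example `ausearch -c clamd | audit2allow -m dansguardian`). The script below parses AVC lines, filters them by comm, collapses them into (source type, target type, class, permissions) rules and renders a .te module in the same layout audit2allow -m produces, so you can review exactly what you are about to allow. The sample audit lines are constructed from the two records in the post plus one unrelated httpd denial; the function and module names are my own.

```python
"""Summarize SELinux AVC denials from audit.log and render the allow rules
that a policy module built from them would contain (added example)."""
import re
from collections import defaultdict

# Constructed sample input: the post's AVC record (one line in the real file),
# its SYSCALL record, a second clamd denial and an unrelated httpd denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1278673113.470:3489): avc:  denied  { getattr } for  pid=32164 comm="clamd" path="/tmp/tfCSCirx" dev=dm-3 ino=17 scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1278673113.470:3489): arch=c000003e syscall=6 success=no exit=-13 a0=8cce370 a1=421f2dc0 a2=421f2dc0 a3=8 items=0 ppid=1 pid=32164 auid=1004 uid=102 gid=114 euid=102 suid=102 fsuid=102 egid=114 sgid=114 fsgid=114 tty=(none) ses=437 comm="clamd" exe="/usr/sbin/clamd" subj=user_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1278673113.471:3490): avc:  denied  { read } for  pid=32164 comm="clamd" path="/tmp/tfCSCirx" dev=dm-3 ino=17 scontext=user_u:system_r:clamd_t:s0 tcontext=user_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1278673200.000:3501): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev=dm-3 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Only AVC records carry the denial itself; SYSCALL records are ignored.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text, comm=None):
    """Return one dict per AVC denial; with comm set, keep only that command's."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        if comm is None or rec["comm"] == comm:
            denials.append(rec)
    return denials


def context_type(context):
    """user_u:system_r:clamd_t:s0 -> clamd_t (the type field of a context)."""
    return context.split(":")[2]


def build_allow_rules(denials):
    """Collapse denials into {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        rules[key].update(d["perms"])
    return dict(rules)


def render_te(module_name, rules):
    """Render policy module source in the layout audit2allow -m produces."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Filtering by comm keeps the httpd denial out of the module we are building.
    clamd_only = parse_avc_denials(SAMPLE_AUDIT_LOG, comm="clamd")
    for d in clamd_only:
        print(f"{d['comm']}: {context_type(d['scontext'])} -> "
              f"{context_type(d['tcontext'])}:{d['tclass']} {d['perms']}")
    print(render_te("dansguardian", build_allow_rules(clamd_only)))
```

The rendered output for the clamd records is a single `allow clamd_t initrc_tmp_t:file { getattr read };` rule, which is what to expect in dansguardian.te after the `audit2allow` step; if the generated file contains types or domains you do not recognize, that is the signal that unrelated denials were swept in and the input should be narrowed before `checkmodule` and `semodule -i`.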



As MySQL Community Manager, I am an employee of Oracle and the views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

You can find articles I wrote on Oracle’s blog.