Re: [Clamav-users] ClamAV Live CD
On Sunday 27 January 2008, Brandon Perry wrote:

> Hi, about a week ago, a guy came in asking for a ClamAV Live CD. I have been working with ClamAV and live CDs for a while, but never just ClamAV. I am uploading the Live CD right now to my webserver. Link to the page is: http://projects.volatileminds.net/clamav.html
>
> It is based on Ubuntu and runs on extremely low-end machines (~140 MB). It fits on a business-card CD. If you have any troubles with it, please email me as I would like this to be as solid as possible.
>
> Thanks,
> Brandon

The person asking was me. In the meantime, I got the live CD plus USB stick idea working. Once I get it easier to use (i.e. some scripts written) I will post a follow-up with how I did it for anyone else who wants to go the route I did.

Your CD looks good, but does not include the ntfs-3g drivers. Since they are GPL v2, there's no real reason they can't be included.

The nicest thing about the USB stick is I can have current definitions with me. About 2 weeks ago I encountered a fairly new machine on which neither Insert nor Knoppix would recognize the NIC. Rare, but it does happen.

-- 
Fail to learn history-repeat it. Fail to learn rights-lose them. Learn both-get screwed by previous two groups.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> Oh, I'm sure that the .conf files were modified. Because the daemon shows the message [OK] when the system boots, but I cannot see any clamd process listening at port 3310. So that means clamd does not start. But when I type the command clamd, there is a clamd process listening at port 3310.

Do you have the databases in /var/clamav, what permissions? (ls -l /var/clamav/)
Please post clamconf output.

> I had tried another command after running clamd to listen at port 3310:
> service clamd stop = [OK]
> This command kills the clamd process. Then I want to open the clamd process again by using the command:
> service clamd start
> The console shows the message [OK] again, looking like the booting message, but there is no clamd listening at port 3310. But if I simply type the command clamd, there is no message shown at the console, but there is a clamd process open and listening at port 3310. So is there any problem in my .conf files?

Do you launch clamd as root?
Also do you have SELinux on or off?

Best regards,
--Edwin
Re: [Clamav-users] Problem with clamav on Linux
[EMAIL PROTECTED] ~]# ls -l /var/clamav/
total 11120
drwxr-xr-x 2 clamav clamav 4096 Jan 28 09:57 daily.inc
-rw-r--r-- 1 clamav clamav 11347852 Dec 18 23:15 main.cvd
-rw--- 1 clamav clamav 156 Jan 28 04:02 mirrors.dat

SELinux is on. But I had included the config in /etc/sysconfig/iptables for clamav:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3310 -j ACCEPT

This is my /etc/clamd.conf:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime yes
LogClean yes
LogSyslog yes
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups yes
DetectPUA yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanMail yes
ScanArchive yes
ArchiveMaxCompressionRatio 300
ArchiveBlockEncrypted no
ArchiveBlockMax no

Please help me!

On Jan 28, 2008 5:24 PM, Török Edwin [EMAIL PROTECTED] wrote:
> Quỳnh H Nguyễn wrote:
> > Oh, I'm sure that the .conf files were modified. Because the daemon shows the message [OK] when the system boots, but I cannot see any clamd process listening at port 3310. So that means clamd does not start. But when I type the command clamd, there is a clamd process listening at port 3310.
>
> Do you have the databases in /var/clamav, what permissions? (ls -l /var/clamav/)
> Please post clamconf output.
>
> > I had tried another command after running clamd to listen at port 3310:
> > service clamd stop = [OK]
> > This command kills the clamd process. Then I want to open the clamd process again by using the command:
> > service clamd start
> > The console shows the message [OK] again, looking like the booting message, but there is no clamd listening at port 3310. But if I simply type the command clamd, there is no message shown at the console, but there is a clamd process open and listening at port 3310. So is there any problem in my .conf files?
>
> Do you launch clamd as root?
> Also do you have SELinux on or off?
>
> Best regards,
> --Edwin
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> [EMAIL PROTECTED] ~]# ls -l /var/clamav/
> total 11120
> drwxr-xr-x 2 clamav clamav 4096 Jan 28 09:57 daily.inc
> -rw-r--r-- 1 clamav clamav 11347852 Dec 18 23:15 main.cvd
> -rw--- 1 clamav clamav 156 Jan 28 04:02 mirrors.dat
>
> SELinux is on. But I had included the config in /etc/sysconfig/iptables for clamav:

If SELinux is on, then labels also matter; use ls -lZ to see the security context.
Can you try turning SELinux off temporarily? I'd like to be sure that the SELinux policy is not the problem.

> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3310 -j ACCEPT
>
> This is my /etc/clamd.conf:

Allowing clamd in the firewall is not enough if you've got SELinux.
Check your logs for SELinux avc denied messages; check /var/log/messages and /var/log/audit/audit.log.

Best regards,
--Edwin
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
[snip]
> LocalSocket /tmp/clamd.socket
> TCPSocket 3310
> TCPAddr 127.0.0.1
[snip]

That will never work, you have to choose between using a local socket or a TCP socket, can't have both... and clamd should be advising you with a message to the log.
-- 
René Berber
Re: [Clamav-users] Problem with clamav on Linux
Dear Edwin,

I think you are right. When I turn off SELinux temporarily (permissive mode) or permanently (disabled), and reboot the system, the clamd service starts OK. I tried the command sudo -i:3310, and there is a clamd process listening at that port.

Oh, that means the config of SELinux is wrong? How can I still use SELinux but give clamd the right to run in SELinux enforcing mode? I'm a newbie, so it's too hard to have a deep understanding of SELinux and config it.

Please help me!
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> Linux distribution is: Redhat Linux 5.1 (Tikanga)
> This is the command result that you asked for:
> [EMAIL PROTECTED] ~]# ls -IRZ /var/clamav
> daily.inc main.cvd mirrors.dat

I asked for ls -lRZ, not -IRZ. Please run that command.

> [EMAIL PROTECTED] ~]#
> Error message in /var/log/messages:

Thanks, these messages tell what's the problem. Short story: your databases should be in /var/lib/clamav instead of /var/clamav.

> type=AVC msg=audit(1201570795.547:6): avc: denied { search } for pid=2098 comm=clamd name=kernel dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir

Not sure why clamd has to do this, but this is not a fatal error.

> type=SYSCALL msg=audit(1201570795.547:6): arch=4003 syscall=5 success=no exit=-13 a0=c03a64 a1=0 a2=c1dff4 a3=c1f974 items=0 ppid=2097 pid=2098 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
> type=AVC msg=audit(1201570795.731:7): avc: denied { write } for pid=2099 comm=clamd name=clamav dev=dm-0 ino=2195478 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

DB locking failed, non-fatal.

> type=SYSCALL msg=audit(1201570795.731:7): arch=4003 syscall=5 success=no exit=-13 a0=8f0fc74 a1=242 a2=1fc a3=8f0fc70 items=0 ppid=1 pid=2099 auid=4294967295 uid=100 gid=101 euid=100 suid=100 fsuid=100 egid=101 sgid=101 fsgid=101 tty=(none) comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
> type=AVC msg=audit(1201570795.828:8): avc: denied { read } for pid=2099 comm=clamd name=clamav dev=dm-0 ino=2195478 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir

Reading DB fails. The SELinux security context is wrong.

It has been a while since I've written an SELinux policy, but this seems to be the right place to look for the policy:
http://oss.tresys.com/repos/refpolicy/trunk/policy/modules/services/clamav.te

# var/lib files together with clamd
manage_dirs_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)
manage_files_pattern(freshclam_t,clamd_var_lib_t,clamd_var_lib_t)

Ok, this is a rule for accessing /var/lib, and you've got your database in /var/clamav. Let's look at the patterns:
http://oss.tresys.com/repos/refpolicy/trunk/policy/modules/services/clamav.fc

It contains:
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)

But nothing about /var/clamav. So try putting your database in /var/lib/clamav, then check with ls -Z that they have the right security context. (If the security context is wrong, you may need to relabel that directory.)

If the .rpm package has chosen /var/clamav for you, then there is an inconsistency between the clamav rpm package and the selinux policy package. Please open a bug report with Red Hat about this.

P.S.: check the other patterns in clamav.fc, and make sure your other settings are right.

Best regards,
--Edwin
Re: [Clamav-users] Problem with clamav on Linux
Quỳnh H Nguyễn wrote:
> Dear Edwin,
>
> I think you are right. When I turn off SELinux temporarily (permissive mode) or permanently (disabled), and reboot the system, the clamd service starts OK. I tried the command sudo -i:3310, and there is a clamd process listening at that port.
>
> Oh, that means the config of SELinux is wrong? How can I still use SELinux but give clamd the right to run in SELinux enforcing mode? I'm a newbie, so it's too hard to have a deep understanding of SELinux and config it.

It could be a new feature of clamav that is not allowed by the SELinux policy. What Linux distribution are you using (is it Fedora 8?)

It would be useful to show us the SELinux error messages, so we know what's wrong. Look for them in /var/log/messages, or /var/log/audit/audit.log (they should be logged even in permissive mode). Also the output of ls -lRZ /var/clamav that I asked for in my previous mail.

Those messages look like this (but of course with exe=/usr/sbin/clamd):
|avc: denied { search } for pid=8753 exe=/usr/bin/nmap name=nmap dev=dm-4 ino=100533 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:traceroute_t tclass=dir|

Best regards,
--Edwin
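The two messages from Edwin above (the one showing what an AVC denial looks like, and the one reading the actual clamd denials and spotting that /var/clamav carries var_t rather than clamd_var_lib_t) describe a triage that is easy to automate. The script below is an added example, not code from the thread or from the ClamAV project: it parses AVC records in the audit.log format quoted here, keeps those whose source domain is clamd_t, and flags a database directory whose label differs from the clamd_var_lib_t type that the quoted clamav.fc pattern assigns. The sample log is constructed from the three AVC lines in the thread plus a shortened SYSCALL line; the expected type and domain names are taken from the thread, while the semanage fcontext / restorecon commands in the finding text are an assumed, standard way of carrying out the "relabel that directory" step Edwin mentions, not something the thread itself spells out.

```python
import re
from collections import Counter

# Expected label for the ClamAV database directory, from the clamav.fc pattern
# quoted in the thread: /var/lib/clamav(/.*)? -> clamd_var_lib_t
DB_TYPE = "clamd_var_lib_t"
CLAMD_DOMAIN = "clamd_t"

# Constructed sample: the three AVC records quoted in the thread plus one
# SYSCALL record (shortened), as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1201570795.547:6): avc: denied { search } for pid=2098 comm=clamd name=kernel dev=proc ino=-268435416 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1201570795.547:6): arch=4003 syscall=5 success=no exit=-13 comm=clamd exe=/usr/sbin/clamd subj=system_u:system_r:clamd_t:s0 key=(null)
type=AVC msg=audit(1201570795.731:7): avc: denied { write } for pid=2099 comm=clamd name=clamav dev=dm-0 ino=2195478 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1201570795.828:8): avc: denied { read } for pid=2099 comm=clamd name=clamav dev=dm-0 ino=2195478 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    rec["stype"] = selinux_type(rec.get("scontext", ""))
    rec["ttype"] = selinux_type(rec.get("tcontext", ""))
    return rec


def triage(log_text, db_dir="/var/clamav"):
    """Summarise clamd denials and flag a mislabelled database directory.

    Returns (denials, findings): the AVC records whose source domain is clamd_t,
    and a list of findings with the mislabelled-database case first."""
    denials = [r for r in map(parse_avc, log_text.splitlines())
               if r is not None and r["stype"] == CLAMD_DOMAIN]
    db_name = db_dir.rstrip("/").rsplit("/", 1)[-1]

    def is_db_denial(r):
        # A denial on a directory carrying the database directory's name whose
        # label is not the one the policy grants clamd_t access to.
        return (r.get("tclass") == "dir" and r.get("name") == db_name
                and r["ttype"] != DB_TYPE)

    db_hits = [r for r in denials if is_db_denial(r)]
    others = [r for r in denials if not is_db_denial(r)]

    findings = []
    if db_hits:
        perms = sorted({p for r in db_hits for p in r["perms"]})
        # The semanage/restorecon form is an assumed equivalent of Edwin's
        # "relabel that directory" advice; the thread itself recommends moving
        # the databases to /var/lib/clamav.
        findings.append(
            f"{db_dir} is labelled {db_hits[0]['ttype']}, but the policy only lets "
            f"{CLAMD_DOMAIN} use {DB_TYPE}; denied: {', '.join(perms)}. "
            f"Fix: move the databases under /var/lib/clamav and relabel "
            f"(restorecon -Rv /var/lib/clamav), or add an equivalent rule: "
            f"semanage fcontext -a -t {DB_TYPE} '{db_dir}(/.*)?' && restorecon -Rv {db_dir}"
        )
    # Collapse the remaining denials to one line per (label, class, permissions).
    kinds = Counter((r["ttype"], r.get("tclass"), " ".join(r["perms"])) for r in others)
    for (ttype, tclass, perms), n in kinds.items():
        findings.append(f"{n}x {CLAMD_DOMAIN} denied {{ {perms} }} on {tclass} labelled {ttype} "
                        f"(check whether clamd actually needs this before allowing it)")
    return denials, findings


if __name__ == "__main__":
    found, notes = triage(SAMPLE_AUDIT_LOG)
    print(f"{len(found)} clamd denials")
    for note in notes:
        print("-", note)
```

Run it against a real audit.log by passing the file contents to triage(); the search denial on sysctl_kernel_t is reported separately so it can be judged on its own, matching Edwin's remark that it is not what stops clamd from reading its databases.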
Re: [Clamav-users] Problem with clamav on Linux
René Berber wrote:
[snip]
> That will never work, you have to choose between using a local socket or a TCP socket, can't have both... and clamd should be advising you with a message to the log.

No this is not correct. It depends on the version of clamav installed. The newer version supports both local and IP sockets. I believe it will even support multiple local and IP sockets as well.

-James
-- 
Scanned by ClamAV - http://www.clamav.net