Testing RC3

Bugs in eFa 4
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Testing RC3

Post by henk »

Used kickstart to deploy new test efa4.
After the eFa-Init (tested it several times with the same result).

High CPU usage (1 CPU at 100%) caused by clamd@scan.service, which in turn was caused by /var/lib/clamav/sanesecurity.ftm being 0 bytes.

If something goes wrong in this script, there must be some additional logic to remove files that are 0 bytes.

Code:

systemctl status clamd@scan.service
clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2019-03-01 15:47:05 CET; 1min 16s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 17234 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, status=1/FAILURE)

Mar 01 15:46:43 efa4RC3 clamd[17234]: Bytecode: Security mode set to "TrustSigned".
Mar 01 15:47:05 efa4RC3 clamd[17234]: LibClamAV Error: Empty external filetype database
Mar 01 15:47:05 efa4RC3 clamd[17234]: LibClamAV Error: Can't load /var/lib/clamav/sanesecurity.ftm: Malformed database
Mar 01 15:47:05 efa4RC3 clamd[17234]: LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/sanesecurity.ftm
Mar 01 15:47:05 efa4RC3 clamd[17234]: Malformed database
Mar 01 15:47:05 efa4RC3 clamd[17234]: ERROR: Malformed database
Mar 01 15:47:05 efa4RC3 systemd[1]: clamd@scan.service: control process exited, code=exited status=1
Mar 01 15:47:05 efa4RC3 systemd[1]: Failed to start Generic clamav scanner daemon.
Mar 01 15:47:05 efa4RC3 systemd[1]: Unit clamd@scan.service entered failed state.
Mar 01 15:47:05 efa4RC3 systemd[1]: clamd@scan.service failed.

Solved by:

1. Remove /var/lib/clamav/sanesecurity.ftm

2. Temporarily disable Restart = on-failure in /lib/systemd/system/clamd@.service

Code:

[Unit]
Description = clamd scanner (%i) daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents/
# Check for database existence
# ConditionPathExistsGlob=@DBDIR@/main.{c[vl]d,inc}
# ConditionPathExistsGlob=@DBDIR@/daily.{c[vl]d,inc}
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
#Restart = on-failure

3.

Code:

systemctl daemon-reload

4. Update unofficial-sigs again. No clue why the update works fine this time...

Code:

/usr/sbin/clamav-unofficial-sigs.sh

5. Re-enable Restart = on-failure

6.

Code:

systemctl daemon-reload
Last edited by henk on 01 Mar 2019 23:26, edited 1 time in total.
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
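The post above asks for logic that removes 0-byte signature files before clamd tries to load them. The following is an added example, not eFa's or clamav-unofficial-sigs' own code: a small pre-start check that lists zero-byte files in a ClamAV database directory and moves them to a quarantine subdirectory so clamd starts with the remaining databases. The default path /var/lib/clamav and the quarantine location are assumptions; the demo runs on a constructed temporary directory rather than a real install.

```shell
#!/bin/sh
# Added example (not eFa's code): quarantine zero-byte ClamAV databases.
# A 0-byte .ftm/.ndb/... makes libclamav abort with "Malformed database";
# with Restart=on-failure systemd then restarts clamd in a tight loop,
# which is the 100% CPU seen in the post. /var/lib/clamav is only an
# assumed default; pass another directory as the first argument.

# Print zero-byte regular files directly inside a database directory.
find_empty_clamav_dbs() {
    dbdir=${1:-/var/lib/clamav}
    # -type f skips sockets/dirs; -size 0 matches exactly empty files.
    find "$dbdir" -maxdepth 1 -type f -size 0 | sort
}

# Return 0 when the directory has no zero-byte databases.
clamav_dbs_ok() {
    [ -z "$(find_empty_clamav_dbs "$1")" ]
}

# Move zero-byte databases into a quarantine directory (default: a
# "broken" subdirectory, an assumption) and print each file name moved.
quarantine_empty_clamav_dbs() {
    dbdir=${1:-/var/lib/clamav}
    qdir=${2:-"$dbdir/broken"}
    mkdir -p "$qdir"
    find_empty_clamav_dbs "$dbdir" | while IFS= read -r f; do
        name=$(basename "$f")
        mv "$f" "$qdir/$name.$(date +%s)"
        printf '%s\n' "$name"
    done
}

# Demonstration on a constructed directory (no ClamAV install needed).
demo_dir=$(mktemp -d)
printf 'constructed, not a real database\n' > "$demo_dir/main.cvd"
printf 'constructed, not a real database\n' > "$demo_dir/daily.cld"
: > "$demo_dir/sanesecurity.ftm"   # the 0-byte file from the post

printf 'empty databases before: %s\n' "$(find_empty_clamav_dbs "$demo_dir")"
printf 'quarantined: %s\n' "$(quarantine_empty_clamav_dbs "$demo_dir")"
if clamav_dbs_ok "$demo_dir"; then
    printf 'database directory is clean, safe to start clamd\n'
fi
rm -rf "$demo_dir"
```

Run it as ExecStartPre in a drop-in for clamd@.service, or from the unofficial-sigs cron job after the update step, so a failed download never leaves an empty file in place for clamd to trip over.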

Re: Testing RC3

Post by henk »

After the eFa-Init (tested 2 times with the same result).

Warnings in the maillog:

efa4RC3 postfix/smtpd[14549]: warning: database /etc/postfix/sender_canonical.db is older than source file /etc/postfix/sender_canonical
efa4RC3 postfix/smtpd[14549]: warning: database /etc/postfix/recipient_canonical.db is older than source file /etc/postfix/recipient_canonical
efa4RC3 postfix/cleanup[14553]: warning: database /etc/postfix/sender_canonical.db is older than source file /etc/postfix/sender_canonical
efa4RC3 postfix/cleanup[14553]: warning: database /etc/postfix/recipient_canonical.db is older than source file /etc/postfix/recipient_canonical
efa4RC3 MailScanner[14557]: Cannot find Socket (/var/run/clamd.socket/clamd.sock) Exiting!
efa4RC3 MailScanner[14724]: Cannot find Socket (/var/run/clamd.socket/clamd.sock) Exiting!
efa4RC3 postfix/smtpd[23371]: warning: database /etc/postfix/sender_canonical.db is older than source file /etc/postfix/sender_canonical
efa4RC3 postfix/smtpd[23371]: warning: database /etc/postfix/recipient_canonical.db is older than source file /etc/postfix/recipient_canonical
efa4RC3 postfix/cleanup[23374]: warning: database /etc/postfix/sender_canonical.db is older than source file /etc/postfix/sender_canonical
efa4RC3 postfix/cleanup[23374]: warning: database /etc/postfix/recipient_canonical.db is older than source file /etc/postfix/recipient_canonical

Solved by:

Code:

postmap /etc/postfix/sender_canonical
postmap /etc/postfix/recipient_canonical 
The clamd.socket issue should be solved by the solution in the first post. Will check/report this a.s.a.p.
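The post above fixes the "database ... is older than source file" warnings by running postmap by hand. As an added example (not eFa's own code), the function below detects every Postfix lookup table whose compiled .db is missing or older than its source and rebuilds only those, which is what you want after an init script has rewritten the source files. The table list defaults to the two maps from the post but is otherwise an assumption; the demo uses constructed files in a temporary directory and only dry-runs postmap when it is not installed.

```shell
#!/bin/sh
# Added example (not eFa's code): find and rebuild stale Postfix maps.
# Postfix warns when <table>.db is older than <table>; the fix is
# "postmap <table>". Tables listed here are from the post; adapt as needed.

default_postfix_maps="/etc/postfix/sender_canonical /etc/postfix/recipient_canonical"

# Print source files (given as arguments) whose .db is missing or older
# than the source. Sources that do not exist are skipped.
postfix_stale_maps() {
    for src in "$@"; do
        [ -f "$src" ] || continue
        db="$src.db"
        if [ ! -e "$db" ] || [ "$src" -nt "$db" ]; then
            printf '%s\n' "$src"
        fi
    done
}

# Rebuild stale tables with postmap. Without postmap on PATH (a test box),
# print what would run instead of failing.
postfix_refresh_maps() {
    postfix_stale_maps "$@" | while IFS= read -r src; do
        if command -v postmap >/dev/null 2>&1; then
            postmap "$src" && printf 'rebuilt %s\n' "$src"
        else
            printf 'would run: postmap %s\n' "$src"
        fi
    done
}

# Demonstration on constructed files (not a real Postfix config).
demo_dir=$(mktemp -d)
printf 'user@example.test alias@example.test\n' > "$demo_dir/sender_canonical"
: > "$demo_dir/sender_canonical.db"
touch -t 200001010000 "$demo_dir/sender_canonical.db"      # stale .db
printf 'user@example.test alias@example.test\n' > "$demo_dir/recipient_canonical"
: > "$demo_dir/recipient_canonical.db"
touch -t 203001010000 "$demo_dir/recipient_canonical.db"   # fresh .db

printf 'stale maps:\n'
postfix_stale_maps "$demo_dir/sender_canonical" "$demo_dir/recipient_canonical"
postfix_refresh_maps "$demo_dir/sender_canonical" "$demo_dir/recipient_canonical"
rm -rf "$demo_dir"
```

On a real system call `postfix_refresh_maps $default_postfix_maps` (or the list from `postconf -h sender_canonical_maps` and friends); no `postfix reload` is needed, since smtpd and cleanup reopen the .db on the next lookup.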

Re: Testing RC3 - SELinux

Post by henk »

After a yum update (on RC3) today:

Code:

eFa-4.0.0-59.eFa.el7.x86_64.rpm  
MailScanner-5.1.3-3.noarch.rpm  

Updating   : MailScanner-5.1.3-3.noarch       1/4
warning: /etc/MailScanner/MailScanner.conf created as /etc/MailScanner/MailScanner.conf.rpmnew
Added new: Highlight Mailto Phishing = yes
Added new: Web Bug Replacement = https://s3.amazonaws.com/msv5/images/spacer.gif
Added new: Ignore Denial Of Service = no
Added new: Lockfile Dir = /var/spool/MailScanner/incoming/Locks
Added new: include /etc/MailScanner/conf.d/*

Summary
-------
Read 379 settings from old /etc/MailScanner/MailScanner.conf.original
Used 377 settings from old /etc/MailScanner/MailScanner.conf.original
Used 6 default settings from new /etc/MailScanner/MailScanner.conf.dist

To configure MailScanner, edit the following files:

/etc/MailScanner/defaults
/etc/MailScanner/MailScanner.conf

To activate MailScanner run the following commands:

--SysV Init--
chkconfig mailscanner on
service mailscanner start

--Systemd--
systemctl enable mailscanner.service
systemctl start mailscanner.service

To activate Sendmail for Mailscanner (if in use) run the following commands:

--SysV Init--
chkconfig sendmail off
chkconfig sm-client off
chkconfig ms-sendmail on
service ms-sendmail start

--Systemd--
systemctl disable sendmail.service
systemctl disable sm-client.service
systemctl enable ms-sendmail.service
systemctl start ms-sendmail.service

To activate MSMilter for Mailscanner (if in use) run the following commands:

--SysV Init--
chkconfig msmilter on
service msmilter start

--Systemd--
systemctl enable msmilter.service
systemctl start msmilter.service

  Updating   : 1:eFa-4.0.0-59.eFa.el7.x86_64        2/4

Preparing to update eFa...
checkmodule:  loading policy configuration from /var/eFa/lib/selinux/eFa.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 19) to /var/eFa/lib/selinux/eFa.mod
Update completed successfully!
  Cleanup    : 1:eFa-4.0.0-48.eFa.el7.x86_64        3/4
  Cleanup    : MailScanner-5.1.3-2.noarch              4/4
  Verifying  : MailScanner-5.1.3-3.noarch              1/4
  Verifying  : 1:eFa-4.0.0-59.eFa.el7.x86_64         2/4
  Verifying  : MailScanner-5.1.3-2.noarch              3/4
  Verifying  : 1:eFa-4.0.0-48.eFa.el7.x86_64         4/4

Updated:
  MailScanner.noarch 0:5.1.3-3                                                     eFa.x86_64 1:4.0.0-59.eFa.el7

Complete!
After logging in to the GUI, /usr/bin/ps generates SELinux denied messages:

Code:

tail -F /var/log/audit/audit.log

Code:

type=AVC msg=audit(1552055404.383:401): avc:  denied  { getattr } for  pid=8417 comm="ps" path="/proc/6545" dev="proc" ino=39354 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1552055404.383:401): arch=c000003e syscall=4 success=no exit=-13 a0=f90310 a1=7fb703539aa0 a2=7fb703539aa0 a3=0 items=0 ppid=8416 pid=8417 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ps" exe="/usr/bin/ps" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=PROCTITLE msg=audit(1552055404.383:401): proctitle=7073006178
Last edited by henk on 08 Mar 2019 23:29, edited 1 time in total.

Re: Testing RC3

Post by henk »

As an addition to the previous post.

If you have any config files in /etc/MailScanner/conf.d/ that overrule X-headers, be aware of a name change in the headers (see example below).

The header:
MS_FOUND_SPAMVIRUS exists:X-%org-name%-MailScanner-EFA-SpamVirus-Report
must look like:
MS_FOUND_SPAMVIRUS exists:X-%org-name%-MailScanner-eFa-SpamVirus-Report
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Testing RC3

Post by shawniverson »

MailScanner update output is normal, except it is overriding the 1x1 spacer for efa-project.org.

Noted SELinux denial, flagging.

Re: Testing RC3

Post by henk »

Yum updated to: eFa.x86_64 1:4.0.0-60.eFa.el7

Login to the GUI.

Issues
1. Monitoring via xymon (on a different network, ETH0), /usr/sbin/sshd
2. With each refresh of the GUI, /usr/bin/ps getattr (solved)
3. dhclient getattr (solved)

Code:

tail -F audit.log

Code:

type=USER_LOGIN msg=audit(1552489198.557:2021): pid=11799 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=xx.xx.xx.xx terminal=ssh res=failed'
type=AVC msg=audit(1552489203.889:2022): avc:  denied  { search } for  pid=11802 comm="ps" name="5165" dev="proc" ino=32677 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1552489203.889:2022): arch=c000003e syscall=2 success=no exit=-13 a0=7ffcf5511a90 a1=0 a2=0 a3=0 items=0 ppid=11801 pid=11802 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ps" exe="/usr/bin/ps" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=PROCTITLE msg=audit(1552489203.889:2022): proctitle=7073006178
type=AVC msg=audit(1552489203.915:2023): avc:  denied  { search } for  pid=11806 comm="ps" name="5165" dev="proc" ino=32677 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1552489203.915:2023): arch=c000003e syscall=2 success=no exit=-13 a0=7ffde9529660 a1=0 a2=0 a3=0 items=0 ppid=11805 pid=11806 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ps" exe="/usr/bin/ps" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=PROCTITLE msg=audit(1552489203.915:2023): proctitle=7073006178
type=AVC msg=audit(1552489203.933:2024): avc:  denied  { search } for  pid=11811 comm="ps" name="5165" dev="proc" ino=32677 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1552489203.933:2024): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe5af23020 a1=0 a2=0 a3=0 items=0 ppid=11810 pid=11811 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ps" exe="/usr/bin/ps" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=PROCTITLE msg=audit(1552489203.933:2024): proctitle=7073006178

[root@rc3]# ps -ef |grep 5165
root 5165 4855 0 14:29 ? 00:00:00 /sbin/dhclient -d -q -sf /usr/libexec/nm-dhcp-helper -pf /var/run/dhclient-eth1.pid -lf /var/lib/NetworkManager/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease -cf /var/lib/NetworkManager/dhclient-eth1.conf eth1

dhclient solved by:

Code:

service auditd rotate
ausearch -a '1365' --raw | audit2allow -M my-dhclient
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dhclient.pp

my-dhclient.te

Code:

module my-dhclient 1.0;

require {
        type dhcpc_t;
        type httpd_sys_script_t;
        class dir getattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dhcpc_t:dir getattr;
Update:
Needed to add some additional policies, in several steps. Only xymon is having an issue now.

Code:

module my-dhclient 1.0;

# Combined result of the several audit2allow rounds: each round added the
# next permission that ps (run from the GUI) needed on dhclient's /proc entry.
require {
        type dhcpc_t;
        type httpd_sys_script_t;
        class dir { getattr search };
        class file { open read };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t dhcpc_t:dir { getattr search };
allow httpd_sys_script_t dhcpc_t:file { open read };
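The two SELinux posts above (the ps getattr denial after the yum update, and the dhclient denials that were fed to audit2allow) both come down to reading AVC records correctly before turning them into allow rules. audit2allow will emit an allow rule for every denial it is given, so it pays to group the denials by source domain, target domain, class and permission first, and to decode the PROCTITLE record to see which command actually triggered them. The following is an added example, not eFa's code: POSIX shell that summarises AVC lines and decodes the hex proctitle (7073006178 is "ps ax"). The sample records are constructed from the lines quoted in the thread, with the address replaced by a documentation-range value.

```shell
#!/bin/sh
# Added example (not eFa's code): summarise SELinux AVC denials before
# handing anything to audit2allow, and decode auditd PROCTITLE records.

# Decode an auditd proctitle hex string (argv joined with NUL) to a command line.
decode_proctitle() {
    hex=$1
    out=""
    while [ -n "$hex" ]; do
        pair=$(printf '%s' "$hex" | cut -c1-2)
        hex=$(printf '%s' "$hex" | cut -c3-)
        if [ "$pair" = "00" ]; then
            out="$out "                      # NUL separates argv entries
        else
            out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
        fi
    done
    printf '%s\n' "$out"
}

# From audit.log on stdin, print each distinct hex proctitle decoded.
decode_proctitles() {
    sed -n 's/^type=PROCTITLE .*proctitle=\([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' \
        | sort -u \
        | while IFS= read -r h; do decode_proctitle "$h"; done
}

# From audit.log on stdin, print "<count> <scontext> -> <tcontext> <class> { perm }"
# for each distinct denial, sorted, so the allow rule you would need is obvious.
summarize_avcs() {
    sed -n 's/^type=AVC .*denied *{ *\([^}]*\) *}.*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\2 -> \3 \4 { \1 }/p' \
        | sed 's/  */ /g' \
        | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample records (shortened from the ones quoted in the thread).
sample_audit_log() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1552489198.557:2021): pid=11799 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=AVC msg=audit(1552055404.383:401): avc:  denied  { getattr } for  pid=8417 comm="ps" path="/proc/6545" dev="proc" ino=39354 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1552055404.383:401): arch=c000003e syscall=4 success=no exit=-13 ppid=8416 pid=8417 uid=995 comm="ps" exe="/usr/bin/ps" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=PROCTITLE msg=audit(1552055404.383:401): proctitle=7073006178
type=AVC msg=audit(1552489203.889:2022): avc:  denied  { search } for  pid=11802 comm="ps" name="5165" dev="proc" ino=32677 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1552489203.889:2022): proctitle=7073006178
type=AVC msg=audit(1552489203.915:2023): avc:  denied  { search } for  pid=11806 comm="ps" name="5165" dev="proc" ino=32677 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1552489203.915:2023): proctitle=7073006178
type=AVC msg=audit(1552489203.933:2024): avc:  denied  { search } for  pid=11811 comm="ps" name="5165" dev="proc" ino=32677 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1552489203.933:2024): proctitle=7073006178
EOF
}

# Demonstration on the constructed records.
printf 'denials:\n'
sample_audit_log | summarize_avcs
printf 'triggering command(s):\n'
sample_audit_log | decode_proctitles
```

On a live box, `sed -n '/avc: *denied/p' /var/log/audit/audit.log | summarize_avcs` gives the same grouping; the USER_LOGIN record is ignored, which is the point of the last post in the thread: a failed ssh login is not an SELinux denial. The summary also makes the width of the resulting rule visible: the module above grants every httpd CGI script (httpd_sys_script_t) read access to dhclient's /proc entries, so check that the grouped sources really are only the GUI's ps before loading it.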

Re: Testing RC3

Post by henk »

Only xymon is having an issue now.
/var/log/audit/audit.log:
type=USER_LOGIN msg=audit(1552742644.019:2379): pid=28441 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=xxx.xxx.xxx.xxx terminal=ssh res=failed'

The xymon-client (Xymon version 4.3.28-1.el7.terabithia) error had nothing to do with SELinux or firewalld, my mistake.

The final result: RC3 is running error-free.

Re: Testing RC3

Post by shawniverson »

Added items to the SELinux ruleset.
vervoto1
Posts: 4
Joined: 24 Feb 2015 07:17

Re: Testing RC3

Post by vervoto1 »

When setting the DCC servers to 1) Use default pool:

Current DCC Pool:

Choose an option:
1) Use default pool (dccservers)

e) Return to main menu

[eFa] : 1
/var/eFa/lib/eFa-Configure/func_askdccservers: line 31: /usr/local/bin/cdcc: No such file or directory
/var/eFa/lib/eFa-Configure/func_askdccservers: line 32: /usr/local/bin/cdcc: No such file or directory
/var/eFa/lib/eFa-Configure/func_askdccservers: line 33: /usr/local/bin/cdcc: No such file or directory
/var/eFa/lib/eFa-Configure/func_askdccservers: line 34: /usr/local/bin/cdcc: No such file or directory
/var/eFa/lib/eFa-Configure/func_askdccservers: line 35: /usr/local/bin/cdcc: No such file or directory
[eFa] DCC Pool set to default
Press [Enter] key to continue...
No surprise, as cdcc is in /usr/bin/ instead of /usr/local/bin.