Gentoo Forums
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Me
Forum index: Networking & Security
elmar283 (Guru; joined 06 Dec 2004; posts: 316; location: Haarlem, Netherlands)
Posted: Sat Nov 10, 2012 12:16 pm    Post subject: LibClamAV Warning: RWX mapping denied: Can't allocate RWX Me

I'm using hardened sources on my server. I have a mail server with postfix. I'm using clamd as virus scanner.
When I start clamd I get an error message:
Code:
elmarotter@masterserver ~ $ sudo /etc/init.d/clamd start
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Operation not permitted
 * Starting clamd ...                                                     [ ok ]
 * Starting freshclam ... 


I already tried 'sudo paxctl -m /usr/sbin/clamd'. That didn't solve my problem.

I built clamav as follows:
Code:
[ebuild   R    ] app-antivirus/clamav-0.97.5-r1  USE="bzip2 iconv ipv6 -clamdtop -milter (-selinux) -static-libs" 14,409 kB


My kernel config can be found at http://elmarotter.eu/bestanden/kernel-config

My make.conf:
Code:
elmarotter@masterserver ~ $ cat /etc/portage/make.conf
# These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
CFLAGS="-O2 -march=native -pipe"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
# WARNING: Changing your CHOST is not something that should be done lightly.
# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing.
CHOST="i686-pc-linux-gnu"

#LINGUAS="nl nl_NL"

LINGUAS="nl"

LANG="nl_NL"

USE="apache2 acpi alsa apm autoip avahi bonjour cairo cdr consolekit curl cups dbus dvd exif expat fuse gd gdu geoip gnome gif gs gtk gtk3 gvfs hardened hfs howl-compat imagemagick imap ipv6 java jit jpeg jpeg2k kerberos kdrive ldap libwww lm_sensors mad maildir md5sum mdnsresponder-compat mmx mp3 mysql mysqli nls ntp opengl openldap openssl pear perl pam pcre php pic pmu png pliciykit python samba sasl sdl slang spamassassin sse sse2 ssl sql sqlite tiff theora truetype udev udisks unicode webkit x264 xml zeroconf X X11 xorg -ppp"

APACHE2_MODULES="alias auth_basic auth_digest authn_default authn_file authz_user autoindex cache dav dav_fs dav_lock rewrite authz_host dir mime unique_id"

APACHE2_MPMS="prefork"

INPUT_DEVICES="evdev synaptics keyboard mouse"

VIDEO_CARDS="radeon"

ALSA_CARDS="AC97"

COLLECTD_PLUGINS="apache cpu curl disk dns filecount fscache logfile mysql network processes uptime users swap syslog load csv conntrack interface memory netlink rrdtool rrdcached table tcpconns unixsock vmem df protocols"

GENTOO_MIRRORS="rsync://mirror.leaseweb.com/gentoo/ http://mirror.leaseweb.com/gentoo/ ftp://mirror.leaseweb.com/gentoo/ ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.snt.utwente.nl/pub/os/linux/gentoo rsync://ftp.snt.utwente.nl/gentoo"

SYNC="rsync://rsync.nl.gentoo.org/gentoo-portage"

ACCEPT_LICENSE="*"

#PORTDIR_OVERLAY="/usr/local/portage"

MAILMAN_PREFIX=/usr/local/mailman
MAILMAN_VAR_PREFIX=/usr/local/mailman

source /var/lib/layman/make.conf


Code:

elmarotter@masterserver ~ $ cat /etc/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##



# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
LogVerbose yes

# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/amavis/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/amavis/clamd

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup

# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660

# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes

# TCP port address.
# Default: no
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
StreamMaxLength 10M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
#ReadTimeout 300

# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5

# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200

# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes

# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User amavis

# Initialize supplementary group access (clamd must be started by root).
# Default: no
AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# Exclude a specific PUA category. This directive can be used multiple times.
# See http://www.clamav.net/support/pua for the complete list of PUA
# categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool

# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
#ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
#ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
#ScanOLE2 yes


# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no

# This option enables scanning within PDF files.
# Default: yes
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# Default: yes
ScanMail yes

# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
#      Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes


# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes

##
## Data Loss Prevention (DLP)
##

# Enable the DLP module
# Default: No
#StructuredDataDetection yes

# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes

# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes


##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
#ScanHTML yes


##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no


##
## Limits
##

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M

# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10

# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000


##
## Clamuko settings
##

# Enable Clamuko. Dazuko must be configured and running. Clamuko supports
# both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
# is the preferred option. For more information please visit www.dazuko.org
# Default: no
#ClamukoScanOnAccess yes

# The number of scanner threads that will be started (DazukoFS only).
# Having multiple scanner threads allows Clamuko to serve multiple
# processes simultaneously. This is particularly beneficial on SMP machines.
# Default: 3
#ClamukoScannerCount 3

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M

# Set access mask for Clamuko (Dazuko only).
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line. (Dazuko only)
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
# Default: disabled
#ClamukoExcludePath /home/bofh

# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes

# Set bytecode security level.
# Possible values:
#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
#         This value is only available if clamav was built with --enable-debug!
#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
#                insert runtime safety checks for bytecode loaded from other sources
#       Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned

# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000


Code:
elmarotter@masterserver ~ $ cat /etc/conf.d/clamd
# Config file for /etc/init.d/clamd

# NOTICE: Since clamav-0.85-r1, only START_CLAMD and START_FRESHCLAM settings
#     are used, other are silently ignored

START_CLAMD=yes
FRESHCLAM_OPTS="-d"
START_FRESHCLAM=yes
CLAMD_NICELEVEL=3
FRESHCLAM_NICELEVEL=19
skunk (l33t; joined 28 May 2003; posts: 646; location: granada, spain)
Posted: Sun Nov 11, 2012 11:38 am

paxctl -m /usr/sbin/clamd /usr/bin/freshclam /usr/bin/clamconf
LordVan (Developer; joined 28 Nov 2002; posts: 67; location: Austria)
Posted: Mon Jun 10, 2013 6:57 am

Thanks skunk for the answer ;)

(I just had the same 'problem' )
_________________
I don't suffer from insanity. I enjoy every minute of it.
Jacekalex (Guru; joined 17 Sep 2009; posts: 553)
Posted: Mon Jun 10, 2013 8:02 am

skunk wrote:
paxctl -m /usr/sbin/clamd /usr/bin/freshclam /usr/bin/clamconf

For what?

Code:
qlist -ICvU clamav
app-antivirus/clamav-0.97.8 (bzip2 clamdtop iconv ipv6 milter selinux)
app-antivirus/clamav-unofficial-sigs-3.7.1
sec-policy/selinux-clamav-2.20120725-r12

Code:
cat /proc/`pidof clamd`/status | grep -i pax
PaX:   PeMRs


Code:
checksec --proc clamd
* System-wide ASLR: PaX ASLR enabled

* Does the CPU support NX: Yes

         COMMAND    PID RELRO             STACK CANARY           NX/PaX        PIE
           clamd   3318 Full RELRO        Canary found           PaX enabled   PIE enabled     


Code:

cat /proc/version
uname -a
Linux localhost 3.9.4-grsec #7 SMP PREEMPT Sat Jun 8 10:32:03 CEST 2013 x86_64 Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz GenuineIntel GNU/Linux

Code:
gcc version 4.6.3 (Gentoo Hardened 4.6.3 p1.5, pie-0.5.2)


My clamd.conf:
Code:
egrep -v '#|^$' /etc/clamd.conf
LogFile /var/log/clamav/clamd.log
LogFileUnlock yes
LogFileMaxSize 64M
LogTime yes
LogSyslog yes
PidFile /var/run/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.sock
LocalSocketGroup clamav
LocalSocketMode 666
FixStaleSocket yes
TCPSocket 3310
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
StreamMaxLength 100M
ReadTimeout 300
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 200
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
ExcludePath ^/bin/
ExcludePath ^/sbin/
ExcludePath ^/lib/
ExcludePath ^/usr/
MaxDirectoryRecursion 20
FollowDirectorySymlinks yes
FollowFileSymlinks yes
CrossFilesystems yes
SelfCheck 600
User clamav
AllowSupplementaryGroups yes
Debug no
DetectPUA yes
IncludePUA Scanner
AlgorithmicDetection yes
ScanPE yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
ScanPDF yes
ScanMail yes
ScanPartialMessages yes
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch yes
PhishingAlwaysBlockCloak yes
HeuristicScanPrecedence yes
StructuredDataDetection yes
StructuredMinCreditCardCount 5
StructuredMinSSNCount 5
StructuredSSNFormatNormal yes
StructuredSSNFormatStripped yes
ScanHTML yes
ScanArchive yes
MaxScanSize 150M
MaxFileSize 30M
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 60000



Try to install the latest version of clamav. ;)

Cheers
8)
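The check Jacekalex shows above (`grep -i pax /proc/<pid>/status` printing `PaX: PeMRs`) is easier to act on once the flag string is decoded. The following shell functions are an added example, not from this thread or from the PaX or ClamAV projects; they assume the usual PaX flag order (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC) with an uppercase letter meaning the feature is enforced and a lowercase letter meaning it is disabled for that process. An uppercase M is what makes the kernel refuse libclamav's RWX mapping; `paxctl -m` clears it on the binary.

```shell
# Decode a PaX flag string as shown in /proc/<pid>/status.
# Assumed order: P=PAGEEXEC E=EMUTRAMP M=MPROTECT R=RANDMMAP S=SEGMEXEC
# Uppercase = enforced, lowercase = disabled.
pax_decode() {
    flags=$1
    out=""
    for i in 1 2 3 4 5; do
        c=$(printf '%s' "$flags" | cut -c "$i")
        case "$c" in
            P) out="$out PAGEEXEC=on" ;;  p) out="$out PAGEEXEC=off" ;;
            E) out="$out EMUTRAMP=on" ;;  e) out="$out EMUTRAMP=off" ;;
            M) out="$out MPROTECT=on" ;;  m) out="$out MPROTECT=off" ;;
            R) out="$out RANDMMAP=on" ;;  r) out="$out RANDMMAP=off" ;;
            S) out="$out SEGMEXEC=on" ;;  s) out="$out SEGMEXEC=off" ;;
            *) out="$out UNKNOWN($c)" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Succeeds (exit 0) when MPROTECT is enforced for this flag string.
# With MPROTECT on, RWX mappings are denied: libclamav logs the
# "RWX mapping denied" warning, disables its JIT and falls back to the
# bytecode interpreter, so scanning still works.
pax_mprotect_enforced() {
    case "$1" in
        *M*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Fetch the live flag string of a running process: pax_status_of <pid>
pax_status_of() {
    awk '/^PaX:/ { print $2 }' "/proc/$1/status"
}

# Stand-alone use: decode the flags of a running clamd, if any.
if pid=$(pidof clamd 2>/dev/null) && [ -n "$pid" ]; then
    flags=$(pax_status_of "${pid%% *}")
    pax_decode "$flags"
    if pax_mprotect_enforced "$flags"; then
        echo "MPROTECT enforced: expect libclamav to run without JIT"
    fi
fi
```

Running `pax_decode PeMRs` on the value from the thread reports MPROTECT as on, which matches the RWX warnings and the "disabling JIT because PaX is preventing 'mprotect' access" message seen later in the thread.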
elmar283 (Guru; joined 06 Dec 2004; posts: 316; location: Haarlem, Netherlands)
Posted: Thu Oct 31, 2013 2:04 pm

Jacekalex: could you explain what part of your configuration allows clamd to run with pax protection enabled?
I followed your /etc/clamav.conf settings without success.
And yes, I keep my world updated.

I think it has something to do with this:
Code:

LibClamAV Warning: Bytecode: disabling JIT because PaX is preventing 'mprotect' access.