nextcloud / files_antivirus

👾 Antivirus app for Nextcloud Files
https://apps.nextcloud.com/apps/files_antivirus
GNU Affero General Public License v3.0

RuntimeException: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13) #84

Closed Githopp192 closed 6 years ago

Githopp192 commented 6 years ago

Steps to reproduce

  1. Activate the AntiVirus app
  2. Upload a dummy virus file to Nextcloud
  3. RuntimeException: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13)

ClamAV Service is running properly:

```
clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-05-09 14:33:36 CEST; 1h 19min ago
  Process: 7531 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, status=0/SUCCESS)
 Main PID: 7538 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─7538 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
```

The socket file has the following permissions:

```
srw-rw-rw-. 1 clamscan clamscan 0 May 9 14:33 /var/run/clamd.scan/clamd.sock
```

The socket file is properly defined in the Nextcloud AntiVirus web GUI.

Expected behaviour

The ClamAV scanner should properly detect and report the virus file. The Nextcloud AntiVirus app should not report "Permission denied" on /var/run/clamd.scan/clamd.sock.

Actual behaviour

RuntimeException: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13) when uploading any file.

Server configuration detail

Operating system: Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64

Webserver: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.14 (apache2handler)

Database: mysql 5.5.56

PHP version: 7.1.14 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, apcu, bcmath, bz2, calendar, ctype, curl, dba, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, PDO, pdo_mysql, pdo_sqlite, Phar, posix, redis, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, wddx, xmlreader, xmlwriter, xsl, memcached, zip, Zend OPcache

Nextcloud version: 13.0.2 - 13.0.2.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated from Nextcloud 12.0.6

Where did you install Nextcloud from: Automatic WEB-Upgrade by Nextcloud

Enabled:

```
{
    "memcache.local": "\OC\Memcache\APCu",
    "filelocking.enabled": true,
    "redis": {
        "host": "REMOVED SENSITIVE VALUE",
        "port": 0,
        "dbindex": 0,
        "timeout": 1.5
    },
    "instanceid": "REMOVED SENSITIVE VALUE",
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "trusteddomains": [
        "localhost",
        "xxxxx",
        "xxxxxx",
        "xxxxxx"
    ],
    "datadirectory": "REMOVED SENSITIVE VALUE",
    "overwrite.cli.url": "https:\/\/xxxxxx",
    "dbtype": "mysql",
    "version": "13.0.2.1",
    "dbname": "REMOVED SENSITIVE VALUE",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbport": "",
    "dbtableprefix": "oc",
    "mysql.utf8mb4": true,
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "installed": true,
    "maintenance": false,
    "theme": "",
    "loglevel": 1,
    "updater.release.channel": "production",
    "auth.bruteforce.protection.enabled": true,
    "check_for_working_htaccess": true,
    "data-fingerprint": "xxxxxxxx",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "LOGIN",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "mail_smtpsecure": "tls",
    "mail_smtpauth": 1,
    "mail_smtpname": "REMOVED SENSITIVE VALUE",
    "mail_smtppassword": "REMOVED SENSITIVE VALUE",
    "mail_smtphost": "REMOVED SENSITIVE VALUE",
    "mail_smtpport": "xxxx",
    "session_lifetime": xxxx,
    "session_keepalive": false,
    "logtimezone": "xxxx",
    "logfile": "\/media\/nextcloud.log",
    "log_rotate_size": 104857600,
    "knowledgebaseenabled": false,
    "updater.secret": "REMOVED SENSITIVE VALUE"
}
```


**Are you using external storage, if yes which one:** no

**Are you using encryption:** no

**Are you using an external user-backend, if yes which one:** no



## Client configuration

**Browser:** Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/52.15.25.665 Chrome/52.0.2743.82 Safari/537.36

**Operating system:** Windows 10

Githopp192 commented 6 years ago

Issue can be closed. Cause is/was SELinux/CentOS, which prevented access to the socket file.

What I did to resolve it:

Change the group:

```shell
chgrp apache /var/run/clamd.scan
```

Adapt the following SELinux rule through audit2allow:

```
require {
	type var_log_t;
	type antivirus_t;
	type httpd_t;
	class unix_stream_socket connectto;
	class file write;
}

#============= antivirus_t ==============
allow antivirus_t var_log_t:file write;

#============= httpd_t ==============
```

You can create the rule with:

```shell
grep clamd.sock /var/log/audit/audit.log | audit2allow -M ClamAV
```

To make this policy package active, execute:

```shell
semodule -i ClamAV.pp
```

Best Regards, Mike

pthoelken commented 4 years ago

@Githopp192 Hi Mike, maybe you can help me.

I've executed the following commands but nothing changed.

```shell
chgrp nginx /var/run/clamd.scan
grep clamd.sock /var/log/audit/audit.log | audit2allow -M ClamAV
semodule -i ClamAV.pp
```

Can you explain how exactly I can create the SELinux rule?

Adapt the following SELinux rule through audit2allow:

```
require {
	type var_log_t;
	type antivirus_t;
	type httpd_t;
	class unix_stream_socket connectto;
	class file write;
}

#============= antivirus_t ==============
allow antivirus_t var_log_t:file write;

#============= httpd_t ==============
```

In my `audit2allow -a` output there is only the content you can see below. How can I edit these?

```
[root@evk-srv-cloud01 administrator]# audit2allow -a
#============= antivirus_t ==============
allow antivirus_t httpd_sys_rw_content_t:file write;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t antivirus_t:unix_stream_socket connectto;
allow httpd_t configfs_t:dir getattr;

#!!!! This avc is allowed in the current policy
allow httpd_t http_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t usr_t:file write;
allow httpd_t var_log_t:file { open read setattr };

#============= sshd_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow sshd_t unreserved_port_t:tcp_socket name_bind;
```

Best, Patrick

Update: After disabling SELinux the error is still there. A little bit confusing.