2

I've created an custom clamscan(clamav) in bash and when I run it in my shell everyhing is fine, but if I run it in a cron, it can't create the log file.

This are the errors:

  1. /root/Scripts/clamscan : line 9: /var/log/clamscan/weekly/clamscan-Test-2014-09-16.log: No such file or directory
  2. /bin/bash: /root/Scripts/clamscan: Permission denied
  3. Also I get emails from cron: Null message body;hope that's ok
  4. Before the "if it's ok mail" I get an empty email, with no message

If I run the script in a shell, it creates the log file no problem.

Questions:

  1. What do I have to do with my bash script so it can write the appropriate files?
  2. Why do I get these errors?

Here is the script:

#!/bin/bash
FILENAMEDATE=$(date +"%F")

/usr/bin/clamscan -i -r --log=/var/log/clamscan/weekly/clamscan-Test-$FILENAMEDATE.log /home/Username/Downloads >/dev/null 2>/dev/null

if [ $? -gt 0 ];
then
SUBJECT="Virus Report for `uname -n`, `date +%m-%d-%Y`"
mail -s "$SUBJECT" 'Email' < /var/log/clamscan/weekly/clamscan-Test-$FILENAMEDATE.log
fi

Here is /etc/crontab:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO="Email"

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
 56 13  *  *  * root  /bin/bash /root/Scripts/clamscan

2 Answers 2

1

It seems that your clamscan didn't generate any log file on output. Just change clamscan blah blah >/dev/null 2>/dev/null to clamscan blah blah &>/tmp/scan.log and check the scan.log - there probably some hints.

0

I found the answer:

Note this system is Fedora 20.

SELinux was denying clamscan from writing, creating and more to the system.

So follow the directions in the SELinux troubleshooter on allowing clamscan the access and repeat for all accesses. There was also a denial on mailx but that didn't do anything visible to the process, it works!

Here are two of the SELinux denials:

SELinux is preventing /usr/bin/mailx from ioctl access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that mailx should be allowed ioctl access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:user_home_t:s0
Target Objects                 [ file ]
Source                        mail
Source Path                   /usr/bin/mailx
Port                          <Unknown>
Host                          Hostname
Source RPM Packages           mailx-12.5-10.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hostname
Platform                      Linux Hostname 3.16.2-200.fc20.x86_64 #1 SMP Mon
                              Sep 8 11:54:45 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-09-16 17:42:37 GMT
Last Seen                     2014-09-16 17:42:37 GMT
Local ID                      abc31a8e-345d-4d49-adf4-42cefab652a0

Raw Audit Messages
type=AVC msg=audit(1410889357.123:13483): avc:  denied  { ioctl } for  pid=32125 comm="mail" path="PathToLogFile.log" dev="dm-3" ino=2760739 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1410889357.123:13483): arch=x86_64 syscall=ioctl success=no exit=EACCES a0=0 a1=5401 a2=7fff29623700 a3=8 items=0 ppid=32089 pid=32125 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=765 comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)

Hash: mail,system_mail_t,user_home_t,file,ioctl

SELinux is preventing /usr/bin/clamscan from unlink access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that clamscan should be allowed unlink access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep clamscan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                 [ file ]
Source                        clamscan
Source Path                   /usr/bin/clamscan
Port                          <Unknown>
Host                          Hostname
Source RPM Packages           clamav-0.98.4-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Hostname
Platform                      Linux Hostname 3.16.2-200.fc20.x86_64 #1 SMP Mon
                              Sep 8 11:54:45 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-09-16 18:28:11 GMT
Last Seen                     2014-09-16 18:28:11 GMT
Local ID                      513c5c73-1ca8-4715-8b6a-458010ede5bf

Raw Audit Messages
type=AVC msg=audit(1410892091.713:13684): avc:  denied  { unlink } for  pid=1305 comm="clamscan" name="eicar.com.txt" dev="dm-4" ino=10769 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1410892091.713:13684): arch=x86_64 syscall=unlink success=no exit=EACCES a0=21fecf0 a1=3aa5db9a10 a2=0 a3=3a7478742e6d6f63 items=0 ppid=1302 pid=1305 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=792 comm=clamscan exe=/usr/bin/clamscan subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)

Hash: clamscan,antivirus_t,user_home_t,file,unlink

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.