Hello,
I installed the ClamAV package onto a CentOS 6.3 server using yum. I then modified the /etc/freshclam.conf file to run a perl script whenever the ClamAV databases were updated:
OnUpdateExecute /usr/local/bin/xymon_event ...
The 'xymon_event' command is used on several servers, and generally works with no problems. However, on this server when the /etc/cron.daily/freshclam script runs in the early morning, I get sent an email error message:
=====================================
/etc/cron.daily/freshclam:

Can't locate strict.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
=====================================
The problem is that 'strict.pm' is located in /usr/share/perl5 (as it is on our other servers), and /usr/share/perl5 is specified in @INC.
So I am a bit lost as to why perl seems to think that strict.pm cannot be found. Anyone any ideas?
We run ClamAV, with the freshclam cron job and xymon_event, on other servers (albeit CentOS 5.8) with no problems.
Thanks,
John.
On 10/10/2012 4:38 AM, John Horne wrote:
> The problem is that 'strict.pm' is located in /usr/share/perl5 (as it is on our other servers), and /usr/share/perl5 is specified in @INC.
Perl can do this when you've run it out of file handles, then someone tries to load a not-previously-loaded Perl module. The Perl interpreter needs one more file handle to open the new module, but it can't get another from the kernel, so it gives that message.
Generally this results from a bug in the code, typically one involving an over-reliance on Perl's garbage collector. Perl will close opened file handles for you eventually, but not as long as it thinks they're still being used. If you have a long-running script, you need to be careful about this if it also opens a lot of files, since the default FD limit per process is 1024 on Linux.
You can monitor FD usage in a program with
ls /proc/`pidof my-program`/fd | wc -l
I don't know if you want to put "xymon_event" in for "my-program" or something higher up, since I don't know anything about that or ClamAV.
Regardless, if you see that number climb continuously, then see the problem happen shortly after the number crests 1000, you've confirmed my guess.
On Wed, 2012-10-10 at 05:44 -0600, Warren Young wrote:
> On 10/10/2012 4:38 AM, John Horne wrote:
>> The problem is that 'strict.pm' is located in /usr/share/perl5 (as it is on our other servers), and /usr/share/perl5 is specified in @INC.
> Perl can do this when you've run it out of file handles,
Hello,
Thanks for this, but no. The program is relatively short, runs okay at other times throughout the day on this and several other servers (both CentOS 5 and 6 servers). We have other servers that are much more likely to run out of file descriptors, and they use 'xymon_event' too throughout the day with no problem.
John.
On Wed, 2012-10-10 at 11:38 +0100, John Horne wrote:
> the /etc/cron.daily/freshclam script runs in the early morning, I get sent an email error message:
> =====================================
> /etc/cron.daily/freshclam:
> Can't locate strict.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
> BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
> =====================================
Hello,
Turns out this is an SELinux issue - the audit.log file shows access to strict.pm being denied. As the problem occurs on 6.3, but not on our 5.8 systems, I have submitted it as a bug to RedHat (#865390) to see what they say. (We have both CentOS and RedHat 5.8/6.3 servers.)
John.
On 10/11/2012 06:34 AM, John Horne wrote:
> On Wed, 2012-10-10 at 11:38 +0100, John Horne wrote:
>> the /etc/cron.daily/freshclam script runs in the early morning, I get sent an email error message:
>> =====================================
>> /etc/cron.daily/freshclam:
>> Can't locate strict.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
>> BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
>> =====================================
> Hello,
> Turns out this is an SELinux issue - the audit.log file shows access to strict.pm being denied. As the problem occurs on 6.3, but not on our 5.8 systems, I have submitted it as a bug to RedHat (#865390) to see what they say. (We have both CentOS and RedHat 5.8/6.3 servers.)
> John.
What is the path to strict.pm? Do you see any AVC messages?
On Thu, 2012-10-11 at 11:42 -0400, Daniel J Walsh wrote:
> On 10/11/2012 06:34 AM, John Horne wrote:
>> On Wed, 2012-10-10 at 11:38 +0100, John Horne wrote:
>>> the /etc/cron.daily/freshclam script runs in the early morning, I get sent an email error message:
>>> =====================================
>>> /etc/cron.daily/freshclam:
>>> Can't locate strict.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
>>> BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
>>> =====================================
>> Hello,
>> Turns out this is an SELinux issue - the audit.log file shows access to strict.pm being denied. As the problem occurs on 6.3, but not on our 5.8 systems, I have submitted it as a bug to RedHat (#865390) to see what they say. (We have both CentOS and RedHat 5.8/6.3 servers.)
>> John.
> What is the path to strict.pm? Do you see any AVC messages?
Hello,
The path is '/usr/share/perl5/strict.pm'.
The audit.log shows:
=============================================
type=AVC msg=audit(1349922579.929:111741): avc: denied { getattr } for pid=29296 comm="xymon_event" path="/usr/share/perl5/strict.pm" dev=sda1 ino=922261 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
=============================================
John.
On 10/11/2012 11:47 AM, John Horne wrote:
> On Thu, 2012-10-11 at 11:42 -0400, Daniel J Walsh wrote:
>> On 10/11/2012 06:34 AM, John Horne wrote:
>>> On Wed, 2012-10-10 at 11:38 +0100, John Horne wrote:
>>>> the /etc/cron.daily/freshclam script runs in the early morning, I get sent an email error message:
>>>> =====================================
>>>> /etc/cron.daily/freshclam:
>>>> Can't locate strict.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at /usr/local/bin/xymon_event line 15.
>>>> BEGIN failed--compilation aborted at /usr/local/bin/xymon_event line 15.
>>>> =====================================
>>> Hello,
>>> Turns out this is an SELinux issue - the audit.log file shows access to strict.pm being denied. As the problem occurs on 6.3, but not on our 5.8 systems, I have submitted it as a bug to RedHat (#865390) to see what they say. (We have both CentOS and RedHat 5.8/6.3 servers.)
>>> John.
>> What is the path to strict.pm? Do you see any AVC messages?
> Hello,
> The path is '/usr/share/perl5/strict.pm'.
> The audit.log shows:
> =============================================
> type=AVC msg=audit(1349922579.929:111741): avc: denied { getattr } for pid=29296 comm="xymon_event" path="/usr/share/perl5/strict.pm" dev=sda1 ino=922261 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
> =============================================
> John.
Yes this should be allowed.
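
Added example, not part of the thread: a small Python parser that reads AVC denials such as the one quoted above and groups them by source domain, target type and object class, printing each group in allow-rule form so the missing permission is easy to see. The first sample record is the denial from the thread; the second AVC record, the SYSCALL record, and the names `parse_denials` and `missing_rules` are constructed for this illustration.

```python
import re
from collections import defaultdict

# First record is the denial quoted in the thread; the second AVC record and
# the SYSCALL record are constructed here to exercise grouping and filtering.
TAIL = ('pid=29296 comm="xymon_event" path="/usr/share/perl5/strict.pm" dev=sda1 '
        'ino=922261 scontext=system_u:system_r:freshclam_t:s0-s0:c0.c1023 '
        'tcontext=system_u:object_r:usr_t:s0 tclass=file\n')
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1349922579.929:111741): avc: denied { getattr } for ' + TAIL
    + 'type=AVC msg=audit(1349922579.931:111742): avc:  denied  { read open } for  ' + TAIL
    + 'type=SYSCALL msg=audit(1349922579.931:111742): syscall=2 success=no exit=-13\n'
)

AVC_RE = re.compile(r"type=AVC\s.*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per AVC denial; non-AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        denials.append({
            "perms": m.group(1).split(),
            "comm": f.get("comm"),
            "path": f.get("path"),
            # A context is user:role:type[:level]; policy rules name the type.
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "tclass": f["tclass"],
        })
    return denials

def missing_rules(denials):
    """Merge denials into one allow-rule line per (source, target, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

print("\n".join(missing_rules(parse_denials(SAMPLE_AUDIT_LOG))))
```

For the single denial in the thread, the source domain is `freshclam_t` (the script inherits freshclam's domain because it is launched through `OnUpdateExecute`) and the target is a `usr_t` file, which is why the Perl module under /usr/share/perl5 could not be read.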