我在 bash 中创建了一个自定义clamscan
( clamav
) ,当我在 shell 中运行它时一切都很好,但如果我在 a 中运行它cron
,它就无法创建日志文件。
这是错误:
- /root/Scripts/clamscan :第 9 行:/var/log/clamscan/weekly/clamscan-Test-2014-09-16.log:没有这样的文件或目录
- /bin/bash: /root/Scripts/clamscan: 权限被拒绝
- 我还收到来自 cron 的电子邮件:消息正文为空;希望没问题
- 在“如果可以的话”邮件之前,我收到一封空电子邮件,没有任何消息
如果我在 shell 中运行该脚本,它会毫无问题地创建日志文件。
问题:
- 我需要做什么
bash script
才能让它写入适当的文件? - 为什么我会收到这些错误?
这是脚本:
#!/bin/bash
FILENAMEDATE=$(date +"%F")
/usr/bin/clamscan -i -r --log=/var/log/clamscan/weekly/clamscan-Test-$FILENAMEDATE.log /home/Username/Downloads >/dev/null 2>/dev/null
if [ $? -gt 0 ];
then
SUBJECT="Virus Report for `uname -n`, `date +%m-%d-%Y`"
mail -s "$SUBJECT" 'Email' < /var/log/clamscan/weekly/clamscan-Test-$FILENAMEDATE.log
fi
这是/etc/crontab:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO="Email"
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
56 13 * * * root /bin/bash /root/Scripts/clamscan
答案1
您的 clamscan 似乎没有在输出中生成任何日志文件。只需更改clamscan blah blah >/dev/null 2>/dev/null
并clamscan blah blah &>/tmp/scan.log
检查 scan.log - 可能会有一些提示。
答案2
我找到了答案:
请注意,该系统是 Fedora 20。
SELinux 拒绝 clamscan 对系统进行写入、创建等操作。
因此,请按照 SELinux 故障排除程序中有关允许 clamscan 访问的说明进行操作,并对所有访问重复此操作。 mailx 上也有一个拒绝,但没有做任何进程可见的事情,它有效!
以下是 SELinux 的两个拒绝:
SELinux is preventing /usr/bin/mailx from ioctl access on the file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that mailx should be allowed ioctl access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep mail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context system_u:object_r:user_home_t:s0
Target Objects [ file ]
Source mail
Source Path /usr/bin/mailx
Port <Unknown>
Host Hostname
Source RPM Packages mailx-12.5-10.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Hostname
Platform Linux Hostname 3.16.2-200.fc20.x86_64 #1 SMP Mon
Sep 8 11:54:45 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-09-16 17:42:37 GMT
Last Seen 2014-09-16 17:42:37 GMT
Local ID abc31a8e-345d-4d49-adf4-42cefab652a0
Raw Audit Messages
type=AVC msg=audit(1410889357.123:13483): avc: denied { ioctl } for pid=32125 comm="mail" path="PathToLogFile.log" dev="dm-3" ino=2760739 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1410889357.123:13483): arch=x86_64 syscall=ioctl success=no exit=EACCES a0=0 a1=5401 a2=7fff29623700 a3=8 items=0 ppid=32089 pid=32125 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=765 comm=mail exe=/usr/bin/mailx subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
Hash: mail,system_mail_t,user_home_t,file,ioctl
SELinux is preventing /usr/bin/clamscan from unlink access on the file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that clamscan should be allowed unlink access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep clamscan /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects [ file ]
Source clamscan
Source Path /usr/bin/clamscan
Port <Unknown>
Host Hostname
Source RPM Packages clamav-0.98.4-1.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Hostname
Platform Linux Hostname 3.16.2-200.fc20.x86_64 #1 SMP Mon
Sep 8 11:54:45 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-09-16 18:28:11 GMT
Last Seen 2014-09-16 18:28:11 GMT
Local ID 513c5c73-1ca8-4715-8b6a-458010ede5bf
Raw Audit Messages
type=AVC msg=audit(1410892091.713:13684): avc: denied { unlink } for pid=1305 comm="clamscan" name="eicar.com.txt" dev="dm-4" ino=10769 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1410892091.713:13684): arch=x86_64 syscall=unlink success=no exit=EACCES a0=21fecf0 a1=3aa5db9a10 a2=0 a3=3a7478742e6d6f63 items=0 ppid=1302 pid=1305 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=792 comm=clamscan exe=/usr/bin/clamscan subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)
Hash: clamscan,antivirus_t,user_home_t,file,unlink