Computers 'n Stuff: Howto Install Dazuko (with AppArmor and AntiVir or ClamAV) with the default kernel in OpenSuse 10.2 64Bit version

Here I share the resolutions for my Linux problems so they might save somebody some time.

Saturday, May 05, 2007

Howto Install Dazuko (with AppArmor and AntiVir or ClamAV) with the default kernel in OpenSuse 10.2 64Bit version

Issues:
On-Access scanning (AntiVir: AVGuard, ClamAV: clamd with Clamuko enabled) does not work on OpenSuse 10.2 because AppArmor is enabled by default.

Why?:
  1. Clamd and AVGuard require Dazuko, which is a kernel module (dazuko.ko). (Note: dazuko.ko is the build for 2.6 kernels; dazuko.o is the build for the old 2.4 kernels.) Dazuko and AppArmor both hook into the kernel through the same interface, the Linux Security Module (LSM) API, and a 2.6 kernel lets only one security module register at a time. Since AppArmor is enabled by default in OpenSuse 10.2 it already owns that slot, so the Dazuko module cannot be loaded, and as a result AVGuard and On-Access scanning by clamd/Clamuko fail.
  2. As the Dazuko support in ClamAV (Clamuko) is experimental, the feature is disabled in /etc/clamd.conf and needs to be enabled first.
  3. For security reasons Dazuko only talks to processes running as root (the /dev/dazuko device node is mode 600 and owned by root). The OpenSuse default /etc/clamd.conf starts clamd as user vscan (the User line). This has to be disabled in clamd.conf, which means clamd then runs with root privileges: keep that in mind, because the scanner is parsing untrusted files.

Suggested reading:
Known issues in OpenSuse:
HowTo install Dazuko
Dazuko doesn't run on my 64 bit machine


Workaround:
Install the Dazuko module package of OpenSuse 10.2 using the YaST utility.

Unload AppArmor, e.g.
# rmmod apparmor
Load the Dazuko module, e.g.
# modprobe dazuko

Be aware of what this trades away: with the apparmor module unloaded, none of the AppArmor profiles shipped by OpenSuse confine anything any more, so every daemon that had a profile (not just the scanner) runs unconfined until the module is back. If that is not acceptable, use the Resolution below instead.

(--Note:
  • To permanently avoid loading AppArmor at boot time you can use the YaST/Novell AppArmor/AppArmor Control Panel utility.
  • The Dazuko module can be installed as a binary package using the YaST utility.
  • After installation the binary can be found, in a standard installation, at:
    /lib/modules/2.6.18.2-34-default/updates/dazuko.ko
  • If you are using different kernels
    # find /lib -name dazuko.ko
    will show you all occurrences of the dazuko.ko module.
Note--)

Resolution:
If you need/want to use AppArmor and AVGuard/Clamuko in parallel you need to download the Dazuko sources and compile the Dazuko module yourself (I used version 2.3.3) using the following directives:

# ./configure --disable-local-dpath --disable-chroot-support --enable-syscalls --mapfile=/boot/System.map-xxxx
# make

Now you should be able to load the module
# insmod ./dazuko.ko

To check whether it was loaded successfully
# lsmod | grep dazuko
dazuko
# dmesg
[...]
dazuko: info: using chroot events for chroot'd processes
dazuko: loaded, version=2.3.3
#

Finally replace the old dazuko.ko (the one from the OpenSuse package, at the path given in the note above) with the new dazuko.ko and run depmod -a so that modprobe picks up the new file. The module is bound to the exact kernel whose System.map you compiled it against: after a kernel update you have to repeat the configure/make steps with the new System.map before On-Access scanning works again.

(---I've done this after installation of AntiVir and after installation of the Dazuko module of the OpenSuse distribution using the YaST utility. This avoids some adjustments you might otherwise need to do, like creating the /dev/dazuko device node and updating the module dependencies (depmod). To make the device node by hand, first get the major number of the Dazuko module, which needs to be loaded already. The number is assigned dynamically when the module loads, so read it from /proc/devices rather than assuming it:
# grep dazuko /proc/devices
254 dazuko

where 254 is the major number on my machine; yours may differ. Now make a device node that only root can open:
# mknod -m 600 /dev/dazuko c 254 0
# chown root:root /dev/dazuko

----)

(--Note:
  • System.map-xxxx has to be replaced by the actual filename of your system map. You can find it using e.g.
    # find /boot -name 'System.map*'

  • Choose the System.map of the kernel you wish to compile the module for. This is probably the kernel you boot, and for standard installations this will be the default kernel. The map file will look something like System.map-xxxxx-default where xxxxx is the version number of your kernel.
  • To find out which version of the kernel you are running right now you can type e.g.
    # cat /proc/version
    or
    # uname -r
    The output of uname -r is exactly the suffix of the matching System.map and the name of the directory under /lib/modules, so use it to double-check that map file, kernel and module directory all belong to the same build.
Note--)


Why?

Dazuko has to be compiled with syscalls enabled (--enable-syscalls directive) to get around the LSM interface that AppArmor already occupies. With this option Dazuko does not register as a security module at all; instead it patches the kernel's system call table and intercepts the file-related system calls (open, close and so on) itself. (System calls are the entry points through which user processes ask the kernel for services.)
Therefore Dazuko needs to know the System.map of your kernel (--mapfile=/boot/System.map-xxxx). System.map is the symbol table of the kernel image, a list of symbol names and their addresses; the system call table is not exported to modules, so Dazuko looks its address up in the map file. This is also why the module only works with exactly the kernel the map file belongs to, and why the approach is fragile: patching the system call table is the same technique rootkits use, and later kernels go out of their way to prevent it.
To resolve the name of the file being accessed Dazuko uses the kernel function d_path, which turns a directory entry into a full pathname. With the default OpenSuse 10.2 kernels d_path cannot be made available to Dazuko:
Dazuko can use the __d_path symbol exported by the kernel. However, the OpenSuse 10.2 kernel does not export __d_path.

(--Note:

Check the d_path export with:
# grep __d_path /proc/kallsyms

The result can be interpreted as:

xxxxx T __d_path  <= capital T means __d_path is exported (a global symbol)
xxxxx t __d_path  <= lowercase t means __d_path is not exported (a local symbol, invisible to modules)

If grep prints nothing, the symbol is not in the table at all; for Dazuko that is the same as not exported.
Note--)

Alternatively, Dazuko can use a local copy of d_path. Yet this does not work for SMP (multi-CPU) kernels. Unfortunately the OpenSuse 10.2 default kernel is an SMP kernel for single- and multiprocessor systems. So for the default kernel we have to disable the use of the local d_path (--disable-local-dpath directive). Luckily Dazuko offers a workaround to work without d_path, which only works if you don't need a chroot environment, so you can disable Dazuko's chroot support (--disable-chroot-support directive). A chroot changes the root directory a process sees, so that process works inside a subtree of the real filesystem; resolving the real path of files such a process touches is the case Dazuko cannot handle without d_path. If no process you want watched runs in a chroot this does not matter, and I think most users will not need chroot support. In fact the OpenSuse dazuko.ko module was compiled with chroot support disabled. If you need chroot support in Dazuko then you probably can't use the default kernels of OpenSuse and you have to patch the kernel sources in order to compile a kernel which exports __d_path.
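The checks this post walks through (which kernel you run, which System.map belongs to it, whether AppArmor holds the LSM slot, whether __d_path is exported, which major number the loaded module got) collected in one POSIX shell script, covering both the Resolution steps and the d_path note above. This is an added example written for this post, not code from the original post or from the Dazuko project. It assumes the standard OpenSuse layout of /boot/System.map-<version>, /proc/kallsyms and /proc/devices (the BOOT_DIR override exists only so the map lookup can be tried against a scratch directory), the function names are mine, and the lsmod, kallsyms and /proc/devices lines in selfcheck are constructed sample data, not captured from a real machine.

```shell
#!/bin/sh
# Added example for this post (not from the post or the Dazuko project):
# pre-flight checks before building Dazuko with --enable-syscalls on a
# distribution kernel. Paths are assumptions based on a standard OpenSuse
# 10.2 layout; sample data in selfcheck() is constructed.

# System.map of a kernel version (the suffix is what `uname -r` prints).
# Prints the path and returns 0, or returns 1 if no such map exists.
system_map_for() {
    map="${BOOT_DIR:-/boot}/System.map-$1"
    [ -f "$map" ] || return 1
    printf '%s\n' "$map"
}

# Is AppArmor loaded? Reads `lsmod` output on stdin. On 2.6 kernels only
# one LSM can be active, so a loaded apparmor module means a Dazuko built
# with the LSM hooks will refuse to load.
apparmor_loaded() {
    awk 'BEGIN { found = 0 } NR > 1 && $1 == "apparmor" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Does the kernel export __d_path? Reads kallsyms text on stdin (either
# /proc/kallsyms or a saved copy). Symbol type T = global, exported (0);
# t = local, not usable by a module (1); not listed at all (2).
d_path_exported() {
    sym=$(awk '$3 == "__d_path" { print $2; exit }')
    case $sym in
        T) return 0 ;;
        t) return 1 ;;
        *) return 2 ;;
    esac
}

# Major number the loaded dazuko module was given. Reads /proc/devices text
# on stdin and prints the number (empty if the module is not loaded). The
# number is assigned at load time, so it must be read, never assumed.
dazuko_major() {
    awk '$2 == "dazuko" { print $1; exit }'
}

# The configure line from the post with the map file filled in.
configure_cmd() {
    printf './configure --disable-local-dpath --disable-chroot-support --enable-syscalls --mapfile=%s\n' "$1"
}

# Live run against this machine: ./dazuko-preflight.sh --run
# Only reports; it never runs rmmod, insmod or mknod itself.
preflight() {
    kver=$(uname -r)
    map=$(system_map_for "$kver") || {
        echo "no System.map for running kernel $kver; pick the map of the kernel you boot" >&2
        return 1
    }
    if lsmod | apparmor_loaded; then
        echo "apparmor is loaded: the LSM slot is taken, build with --enable-syscalls"
    fi
    rc=0
    d_path_exported < /proc/kallsyms || rc=$?
    case $rc in
        0) echo "__d_path is exported: chroot support could stay enabled" ;;
        1) echo "__d_path is local only: use --disable-local-dpath --disable-chroot-support" ;;
        *) echo "__d_path is not in kallsyms: treat it as not exported" ;;
    esac
    echo "build with:  $(configure_cmd "$map")"
    major=$(dazuko_major < /proc/devices)
    if [ -n "$major" ] && [ ! -e /dev/dazuko ]; then
        echo "dazuko loaded with major $major but no device node; run: mknod -m 600 /dev/dazuko c $major 0"
    fi
}

# Self-check on constructed sample lines (not real output from any machine),
# so the parsing can be tried without root and without the real kernel.
# Returns 0 when every check behaves as documented.
selfcheck() {
    printf 'Module  Size  Used by\napparmor 45672 1\ndazuko 24112 0\n' | apparmor_loaded || return 1
    if printf 'Module  Size  Used by\ndazuko 24112 0\n' | apparmor_loaded; then return 1; fi
    printf 'ffffffff802a1b20 T __d_path\n' | d_path_exported || return 1
    rc=0
    printf 'ffffffff802a1b20 t __d_path\n' | d_path_exported || rc=$?
    [ "$rc" -eq 1 ] || return 1
    rc=0
    printf 'ffffffff802a1b20 T d_path\n' | d_path_exported || rc=$?
    [ "$rc" -eq 2 ] || return 1
    [ "$(printf 'Character devices:\n  1 mem\n254 dazuko\n' | dazuko_major)" = 254 ] || return 1
    [ -z "$(printf 'Character devices:\n  1 mem\n' | dazuko_major)" ] || return 1
    return 0
}

if [ "${1-}" = "--run" ]; then
    preflight
fi
```

Without --run the script only defines the functions, so you can source it and feed a saved copy of /proc/kallsyms or of lsmod output into the checks from a non-root shell. Everything it prints is advice; the actual rmmod, insmod, depmod and mknod steps stay with you, as root, exactly as the post describes them.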

Related posts:
AppArmor and Dazuko
Links:
Dazuko home
Free AntiVir download
ClamAV home

