Clamd@scan, Amavis permission denied on /run/clamd.scan/clamd.sock

I’ve been running Amavisd w/o Virus Checking without error.

After upgrading to F38, I went to implement Virus Checking.

With help on other forums, I debugged most of my issues, and somehow solved the following issue, which returned after I installed Bind (which is working).

Apr 29 07:46:13 mcq amavis[16257]: (16257-01) Checking: I6qNLXaD9aQa [159.112.244.221] <bounce+790744.f7c326-wspivak=sbaconsulting.com@email.informeddelivery.usps.com> -> <sbaconsult@sbanetweb.com>
Apr 29 07:46:13 mcq amavis[16257]: (16257-01) (!)connect to /run/clamd.scan/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /run/clamd.scan/clamd.sock: Permission denied
Apr 29 07:46:13 mcq amavis[16257]: (16257-01) ClamAV-clamd: All attempts (1) failed connecting to /run/clamd.scan/clamd.sock, retrying (1)
Apr 29 07:46:14 mcq amavis[16257]: (16257-01) (!)connect to /run/clamd.scan/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /run/clamd.scan/clamd.sock: Permission denied
Apr 29 07:46:14 mcq amavis[16257]: (16257-01) (!)ClamAV-clamd: All attempts (1) failed connecting to /run/clamd.scan/clamd.sock, retrying (2)
Apr 29 07:46:18 mcq postfix/postscreen[16102]: CONNECT from [111.174.69.6]:47105 to [192.168.1.120]:25
Apr 29 07:46:18 mcq postfix/dnsblog[16112]: addr 111.174.69.6 listed by domain zen.spamhaus.org as 127.0.0.11
Apr 29 07:46:20 mcq amavis[16257]: (16257-01) (!)connect to /run/clamd.scan/clamd.sock failed, attempt #1: Can't connect to a UNIX socket /run/clamd.scan/clamd.sock: Permission denied
Apr 29 07:46:20 mcq amavis[16257]: (16257-01) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /run/clamd.scan/clamd.sock (All attempts (1) failed connecting to /run/clamd.scan/clamd.sock) at /usr/share/perl5/vendor_perl/Amavis/AV.pm line 663, <GEN14> line 8761.\n
Apr 29 07:46:20 mcq amavis[16257]: (16257-01) (!)WARN: all primary virus scanners failed, considering backups
 ls -al /run/clamd.scan/
total 4
drwx--x---  2 clamscan virusgroup   80 Apr 29 07:44 .
drwxr-xr-x 53 root     root       1500 Apr 29 06:15 ..
-rw-r--r--  1 root     root          6 Apr 29 07:44 clamd.pid
srw-rw-rw-  1 clamscan virusgroup    0 Apr 29 07:44 clamd.sock
# lsof /run/clamd.scan/
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    14832 root  cwd    DIR   0,25       80 1578 /run/clamd.scan
lsof    16057 root  cwd    DIR   0,25       80 1578 /run/clamd.scan
lsof    16058 root  cwd    DIR   0,25       80 1578 /run/clamd.scan
Variables of note:

/etc/clamd.d/scan.conf

User clamscan
Group  virusgroup
PidFile /var/run/clamd.scan/clamd.pid

Any ideas?
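
Added example, not part of the original post: the listing above shows the socket as srw-rw-rw- but its directory as drwx--x--- clamscan:virusgroup, and this helper walks a socket path and reports the first component whose mode bits stop a given user. It assumes GNU stat and an absolute path, ignores ACLs, SELinux and root's override, and the account name amavis in the usage comment is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find which path component stops USER
# from connecting to a UNIX socket, using classic mode bits only.

# perm_bits MODE OWNER GROUP USER "USER_GROUPS": print the rwx value (0-7) of
# the single class the kernel applies: owner first, then group, then other.
perm_bits() {
    local m=$((0$1)) owner=$2 group=$3 user=$4 ugroups=" $5 "
    if [ "$user" = "$owner" ]; then
        echo $(( (m >> 6) & 7 ))
    else
        case "$ugroups" in
            *" $group "*) echo $(( (m >> 3) & 7 )) ;;
            *)            echo $(( m & 7 )) ;;
        esac
    fi
}

# Directories need the search bit (x = 1) to be traversed.
can_search()  { [ $(( $(perm_bits "$@") & 1 )) -ne 0 ]; }
# Connecting to a pathname socket on Linux needs write permission (w = 2).
can_connect() { [ $(( $(perm_bits "$@") & 2 )) -ne 0 ]; }

# check_socket_path USER SOCKET: 0 = reachable, 1 = blocked, 2 = lookup error.
check_socket_path() {
    local user=$1 sock=$2 ugroups path="" rest st
    ugroups=$(id -Gn "$user" 2>/dev/null) || return 2
    rest=${sock#/}
    while [ "$rest" != "${rest#*/}" ]; do          # a "/" is still left
        path="$path/${rest%%/*}"; rest=${rest#*/}
        st=$(stat -c '%a %U %G' "$path") || return 2
        # $st is split on purpose into MODE OWNER GROUP
        can_search $st "$user" "$ugroups" ||
            { echo "BLOCKED at $path ($st): no search bit for $user"; return 1; }
    done
    st=$(stat -c '%a %U %G' "$sock") || return 2
    can_connect $st "$user" "$ugroups" ||
        { echo "BLOCKED at $sock ($st): no write bit for $user"; return 1; }
    echo "OK: $user can reach $sock"
}

# Usage on the mail host (the amavis account name is an assumption):
#   check_socket_path amavis /run/clamd.scan/clamd.sock
```

With the modes from the listing, a user that is neither clamscan nor a member of virusgroup is stopped at /run/clamd.scan, before the socket's own permissions are ever consulted.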

Check SELinux related errors and try using permissive mode:

journalctl --no-pager -b -g avc
sudo setenforce 0

Hi,

I don’t run SELinux. It is a royal PIA…

I just noticed clamd@amavisd is also running (I stopped clamd@scan).

Here’s what’s running:

SELinux is preinstalled and enabled by default on all Fedora variants, see:

sestatus

I turned it off :slight_smile: Always turn it off… Like I said, causes more issues than stops IMO and experience.


[root@mcq amavisd]# sestatus
SELinux status:                 disabled
[root@mcq amavisd]#

Addendum

My /etc/amavisd/amavisd.conf for scanners shows:

@av_scanners = (
  ### http://www.clamv.net/
 ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.scan/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m,
     qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  # NOTE: run clamd under the same user as amavisd - or run it under its own
  #   uid such as clamav, add user clamav to the amavis group, and then add
  #   AllowSupplementaryGroups to clamd.conf;
  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
  #   this entry; when running chrooted one may prefer a socket under $MYHOME.

# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
# # note that Mail::ClamAV requires perl to be build with threading!
# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
#   [0], [1], qr/^INFECTED: (.+)/m],

My backup server shows


@av_scanners_backup = (
   ['ClamAV-clamdscan', 'clamdscan',
 # "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
  "--stdout --no-summary --config-file=/etc/clamd.d/clamd.conf {}",
   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Which may be the issue… ???..

I’ve tested the default config in a Fedora 38 VM, and it works:

sudo dnf -y install dnf-plugin-diff
sudo dnf diff /etc/amavisd/amavisd.conf

Ran your suggestion.

[root@mcq amavisd]# systemctl status amavisd.service \
    clamd@amavisd.service clamav-freshclam.service
● amavisd.service - Amavis mail content checker
     Loaded: loaded (/usr/lib/systemd/system/amavisd.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-04-29 07:42:56 EDT; 6h ago
       Docs: http://www.ijs.si/software/amavisd/#doc
    Process: 16247 ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf (code=exited, status=0/SUCCESS)
    Process: 16342 ExecReload=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf reload (code=exited, status=0/SUCCESS)
   Main PID: 16254 (/usr/sbin/amavi)
      Tasks: 5 (limit: 4542)
     Memory: 382.3M
        CPU: 44.601s
     CGroup: /system.slice/amavisd.service
             ├─16254 "/usr/sbin/amavisd (master)"
             ├─16350 "/usr/sbin/amavisd (ch13-avail)"
             ├─16351 "/usr/sbin/amavisd (ch13-avail)"
             ├─16352 "/usr/sbin/amavisd (ch13-avail)"
             └─16353 "/usr/sbin/amavisd (ch13-avail)"

Apr 29 14:00:54 mcq.sbanetweb.com amavis[16351]: (16351-13) lLkEg5ZskTrL FWD from <sporter@mclaneny.com> -> <khonig@sbanetweb.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B0A4F10BC807
Apr 29 14:00:54 mcq.sbanetweb.com amavis[16351]: (16351-13) Passed CLEAN {RelayedInbound}, [209.222.82.199]:34092 [104.47.55.171] <sporter@mclaneny.com> -> <khonig@sbanetweb.com>, Queue-ID: AA34A10BC802, Message-ID: <A76743D1-024F-4C30->
Apr 29 14:13:21 mcq.sbanetweb.com amavis[16353]: (16353-13) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20230429T080216-16353-R8pFb1vT: <incoming+verp-ad2471fc8c37b01d5cbced45a0feac7e@fedoraproject.discoursemail.com> -> <wspivak@sbanetwe>
Apr 29 14:13:21 mcq.sbanetweb.com amavis[16353]: (16353-13) Checking: gWOdqPuQBH53 [64.71.144.218] <incoming+verp-ad2471fc8c37b01d5cbced45a0feac7e@fedoraproject.discoursemail.com> -> <wspivak@sbanetweb.com>
Apr 29 14:13:22 mcq.sbanetweb.com amavis[16353]: (16353-13) gWOdqPuQBH53 FWD from <incoming+verp-ad2471fc8c37b01d5cbced45a0feac7e@fedoraproject.discoursemail.com> -> <wspivak@sbanetweb.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]>
Apr 29 14:13:22 mcq.sbanetweb.com amavis[16353]: (16353-13) Passed CLEAN {RelayedInbound}, [64.71.144.218]:53107 [2602:fd3f:3:107:0:242:ac11:d] <incoming+verp-ad2471fc8c37b01d5cbced45a0feac7e@fedoraproject.discoursemail.com> -> <wspivak>
Apr 29 14:14:36 mcq.sbanetweb.com amavis[16352]: (16352-13) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20230429T082404-16352-lspTv8qI: <s-2tb19v2xhb7l4vbuekpu3o9o51bw1dlq5wq8gxezv6golpo0m0vxo114@bounce.linkedin.com> -> <sbaconsult@sbane>
Apr 29 14:14:36 mcq.sbanetweb.com amavis[16352]: (16352-13) Checking: 0GuaoyhIyBfs [108.174.6.150] <s-2tb19v2xhb7l4vbuekpu3o9o51bw1dlq5wq8gxezv6golpo0m0vxo114@bounce.linkedin.com> -> <sbaconsult@sbanetweb.com>
Apr 29 14:14:36 mcq.sbanetweb.com amavis[16352]: (16352-13) 0GuaoyhIyBfs FWD from <s-2tb19v2xhb7l4vbuekpu3o9o51bw1dlq5wq8gxezv6golpo0m0vxo114@bounce.linkedin.com> -> <sbaconsult@sbanetweb.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0>
Apr 29 14:14:36 mcq.sbanetweb.com amavis[16352]: (16352-13) Passed CLEAN {RelayedInbound}, [108.174.6.150]:52663 [108.174.6.150] <s-2tb19v2xhb7l4vbuekpu3o9o51bw1dlq5wq8gxezv6golpo0m0vxo114@bounce.linkedin.com> -> <sbaconsult@sbanetweb.c>

● clamd@amavisd.service - clamd scanner (amavisd) daemon
     Loaded: loaded (/usr/lib/systemd/system/clamd@.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-04-29 04:46:26 EDT; 9h ago
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://www.clamav.net/documents/
    Process: 2456 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/amavisd.conf (code=exited, status=0/SUCCESS)
   Main PID: 2537 (clamd)
      Tasks: 4 (limit: 4542)
     Memory: 68.2M
        CPU: 26.136s
     CGroup: /system.slice/system-clamd.slice/clamd@amavisd.service
             └─2537 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf

Apr 29 12:46:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 12:56:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 13:06:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 13:16:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 13:26:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 13:36:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 13:46:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 13:56:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 14:06:23 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.
Apr 29 14:16:24 mcq.sbanetweb.com clamd[2537]: SelfCheck: Database status OK.

● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Sat 2023-04-29 04:45:13 EDT; 9h ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://docs.clamav.net/
   Main PID: 1095 (freshclam)
      Tasks: 1 (limit: 4542)
     Memory: 1.1M
        CPU: 9.443s
     CGroup: /system.slice/clamav-freshclam.service
             └─1095 /usr/bin/freshclam -d --foreground=true

Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: Received signal: wake up
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: Sat Apr 29 12:46:02 2023 -> ClamAV update process started at Sat Apr 29 12:46:02 2023
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: ClamAV update process started at Sat Apr 29 12:46:02 2023
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: Sat Apr 29 12:46:02 2023 -> daily.cld database is up-to-date (version: 26891, sigs: 2032357, f-level: 90, builder: raynman)
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: daily.cld database is up-to-date (version: 26891, sigs: 2032357, f-level: 90, builder: raynman)
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: Sat Apr 29 12:46:02 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: Sat Apr 29 12:46:02 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Apr 29 12:46:02 mcq.sbanetweb.com freshclam[1095]: -------------------------------------

The major differences after running the diff program:

in Diff file:



-# a minimalistic configuration file for amavis with all necessary settings
+# a minimalistic configuration file for amavisd-new with all necessary settings

<break> *<-- As in I'm skipping a whole bunch of stuff...*

-#
-  ['ClamAV-clamdscan', 'clamdscan',
-   "--config-file=/etc/clamd.d/amavisd.conf --fdpass --stdout --no-summary {}",
-   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
-
-# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
-# # note that Mail::ClamAV requires perl to be build with threading!
-# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'],
-#   [0], [1], qr/^INFECTED: (.+)/m],
-
...

+  ### http://www.clamv.net/
+ ['ClamAV-clamd',
+    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.scan/clamd.sock"],
+    qr/\bOK$/m, qr/\bFOUND$/m,
+     qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+  # NOTE: run clamd under the same user as amavisd - or run it under its own
+  #   uid such as clamav, add user clamav to the amavis group, and then add
+  #   AllowSupplementaryGroups to clamd.conf;
+  # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
+  #   this entry; when running chrooted one may prefer a socket under $MYHOME.
+
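
Review bot: the + ClamAV-clamd entry points ask_daemon at /run/clamd.scan/clamd.sock, which does not match the clamd instance that is actually running. The status output in this thread shows clamd@amavisd started with -c /etc/clamd.d/amavisd.conf, and the packaged default refers to /run/clamd.amavisd/clamd.sock. As the NOTE in the same entry says, this path has to match LocalSocket of the daemon in use. The earlier listing also shows /run/clamd.scan as drwx--x--- clamscan:virusgroup, so an amavis process outside virusgroup cannot traverse into it even though the socket itself is srw-rw-rw-. Suggest dropping this entry in favour of the default clamdscan one, or pointing it at the socket of the running instance.
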
<break>

# ClamAV (clamd, direct socket communication)
-#
-# http://www.clamav.net/
-#
-# In the past, this was the default way to integrate amavis and
-# clamav. However, it has some downsides relative to running
-# clamdscan; see the clamdscan entry for a comparison.
-#
-# If you decide to use this method, you will need to give the clamd
-# daemon read access to the files that amavis will want to scan. This
-# can be accomplished with filesystem ACLs, or by adding the clamav
-# user to the amavis group. Note however that the latter has security
-# implications: it grants clamav the ability to read *any* of amavis's
-# files -- not just the ones that amavis asks clamd to scan!
-#
-# You may also have to adjust the path to the clamd communication
-# socket to match your system. The path is usually defined in the file
-# /etc/clamd.conf, or may be controlled by your service manager / init.
-#
-# ['ClamAV-clamd',
-#   \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
-#   qr/\bOK$/m, qr/\bFOUND$/m,
-#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+ # ['ClamAV-clamscan', 'clamscan',
+ #   "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
+ #   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
+
+# ### http://www.clamav.net/ - using remote clamd scanner as a backup
+   ['ClamAV-clamdscan', 'clamdscan',
+ # "--stdout --no-summary --config-file=/etc/clamd-client.conf {}",
+  "--stdout --no-summary --config-file=/etc/clamd.d/clamd.conf {}",
+   [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

 # ['ClamAV-clamd-stream',
-#   \&ask_daemon, ["*", 'clamd:/run/clamd.amavisd/clamd.sock'],
+#   \&ask_daemon, ["*", 'clamd:/run/clamav/clamd.sock'],
 #   qr/\bOK$/m, qr/\bFOUND$/m,
 #   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
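
Review bot: in the + ClamAV-clamdscan entry, --config-file=/etc/clamd.d/clamd.conf names a file that appears nowhere else in this thread (the configs shown are /etc/clamd.d/scan.conf and /etc/clamd.d/amavisd.conf), and the --fdpass option of the default entry has been dropped. clamdscan learns which socket to contact from that config file, and --fdpass hands clamd an open file descriptor so that clamd does not need its own read access to amavis's files, which is the downside the removed comment block describes for the direct-socket method. Suggest keeping the default line: "--config-file=/etc/clamd.d/amavisd.conf --fdpass --stdout --no-summary {}".
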
<break>

So am I to remove the “-” and add the “+” (including the comment character “#”)?

I made a backup copy of my current amavisd.conf.

Thanks,

Wayne

It looks like the config you are currently using is quite old.

You need to merge the default and current configs, preserving only necessary customization and updating outdated lines.

Lines in the default config start with -, while lines in the current config start with +.

This is actually what you should do after each system upgrade:
Update system configuration files

I think that worked, thank you very much!!!

:smile: :smile: :smile: :smile:
