Unable to run clamav/clamonacc, permission denied on files

Hi, I’m trying to set up clamav on-demand protection.

I set in clamd.d/scan.conf to use a local socket:

LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
FixStaleSocket yes
User clamscan
OnAccessIncludePath /home/myuser
OnAccessPrevention yes
OnAccessExcludeRootUID yes
OnAccessExcludeUname clamav

Then activate the services:

sudo systemctl enable clamd@scan.service
sudo systemctl enable clamav-clamonacc.service 

Then restart for safety.
The clamd daemon starts, clamonacc, too, but I get a “permission denied” error for every scan attempt in journalctl.

aug 24 10:58:05 localhost.localdomain clamonacc[30927]: /home/myuser/myfile: File path check failure: Permission denied. ERROR
aug 24 10:58:05 localhost.localdomain clamonacc[30927]: ClamMisc: Unexpected issue; Daemon failed to scan: /home/myuser/myfile
aug 24 10:58:05 localhost.localdomain clamd[1480]: File path check failure on: /home/myuser/myfile

No more verbose logs about what is happening. Any ideas?

Users are defaults for Fedora:

~ $ ps aux | grep clam                                                                                                                                           10:58:07
clamscan    1480  0.5  3.6 1714808 1182512 ?     Ssl  09:50   0:23 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamupd+    1570  0.0  0.0  48884 13932 ?        Ss   09:50   0:00 /usr/bin/freshclam -d --foreground=true
root       30927  6.5  0.2 557164 71716 ?        Ssl  10:57   0:05 /usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf

(So, clamonacc is running as root)

Thanks in advance for the help… this is really under-documented and I couldn’t find an answer in the official docs.

Well, it was a permission issue indeed. I ran clamd@scan as root by adding User=root to its systemd service file, also removed User clamscan from the config file, then it worked, having access to the home folder.

Basically, clamonacc (as root) should have used fdpass functionality to allow access to files via local socket, but it’s not working for some reason. Running clamd as root works on the other hand.

1 Like

Technically running clamd as root is probably a security risk as it could be used as an exploit vector for privilege escalation.

I got this working previously without doing so but there were a couple of things that had to be done first.

One was to update an SELinux boolean (as mentioned in the official documentation). The other part of it was to give the clamscan user group level access to your home folder.

Once I did these things I was able to get it working properly as configured for the files I needed it to scan without generating permissions errors every time. I was able to find these things by reading the clam website documentation and a few other internet searches. I do remember having to add either a clam group or a clam user (system group/user) in order for this to happen as it wasn’t done as part of the repo package…probably should have lodged a bug but at the time I got it working myself.

2 Likes

Hmm… thanks, good idea! I used ACLs

setfacl -Rd -m 'u:clamscan:rx' /home/myuser
sudo setfacl -R -m 'u:clamscan:rx' /home/myuser 

(needed to close all apps before)

This seems to be working. Let me know if there is a better way.

1 Like
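
An added example, not part of the original thread: a Python check for the diagnosis reached above, that clamd running as clamscan cannot reach files under /home/myuser. It walks every component of a path and reports which ones deny a given uid and group set by classic owner/group/other mode bits only; ACLs set with setfacl and SELinux policy are not evaluated, and the function names and the temporary demo directory are constructed for illustration.

```python
import os
import stat
import tempfile

R, X = 4, 1  # read / search (execute) permission bits

def mode_allows(st, uid, gids, want):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def blockers(path, uid, gids):
    """Return every component of path whose mode bits deny uid/gids.

    Ancestor directories need search (x); the target needs read (r),
    plus x if it is a directory. ACLs and SELinux are NOT evaluated.
    """
    path = os.path.realpath(path)
    chain = [path]
    while os.path.dirname(chain[0]) != chain[0]:
        chain.insert(0, os.path.dirname(chain[0]))
    denied = []
    for comp in chain:
        st = os.stat(comp)
        if comp != path:
            want = X
        else:
            want = R | X if stat.S_ISDIR(st.st_mode) else R
        if not mode_allows(st, uid, gids, want):
            denied.append(comp)
    return denied

if __name__ == "__main__":
    # Constructed demo: a 0700 "home" directory checked for a different uid.
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        target = os.path.join(home, "myfile")
        open(target, "w").close()
        other_uid = os.stat(home).st_uid + 1  # stand-in for the clamscan uid
        print(blockers(target, other_uid, set()))
```

An empty result while clamd still logs "Permission denied" points away from mode bits and toward ACLs or SELinux.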

In the solution here, it’s not very clear what is meant by “update an selinux boolean”, do you perhaps have a link to the docs you’re referring to?

I’m having the same issues with running ClamAV on Fedora 36, and tried running clamd as root, which didn’t help, and running sudo setfacl had no effect either, even after restarting the services.

Something that did seem to get me a bit further was to set --fdpass on clamonacc, however, this introduces a slew of new errors reading: no reply from clamd

Please, please post this as a new thread.

Software from more than a year ago likely is not the same as today and your issue deserves its own thread so it gets proper attention.
A thread that already has a solution should not be reopened for a new issue…

Hi.

Nothing really worked for me (Fedora 41), but all your answers gave me some hints to come to this. Just try it:

sudo setsebool -P antivirus_can_scan_system 1

This, but with the required --fdpass switch added to the clamonacc systemd service file, seems to work for me at last.

Thank you very much for your help.

Regards,
Roberto