Hi, I’m trying to setup clamav on-demand protection.
I set in
clamd.d/scan.conf to use a local socket:
Then activate the services:
sudo systemctl enable email@example.com
sudo systemctl enable clamav-clamonacc.service
Then restart for safety.
clamd daemon starts,
clamonacc, too, but I get a “permission denied” error for every scan attempt in
aug 24 10:58:05 localhost.localdomain clamonacc: /home/myuser/myfile: File path check failure: Permission denied. ERROR
aug 24 10:58:05 localhost.localdomain clamonacc: ClamMisc: Unexpected issue; Daemon failed to scan: /home/myuser/myfile
aug 24 10:58:05 localhost.localdomain clamd: File path check failure on: /home/myuser/myfile
No more verbose logs about what is happening. Any ideas?
Users are defaults for Fedora:
~ $ ps aux | grep clam 10:58:07
clamscan 1480 0.5 3.6 1714808 1182512 ? Ssl 09:50 0:23 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamupd+ 1570 0.0 0.0 48884 13932 ? Ss 09:50 0:00 /usr/bin/freshclam -d --foreground=true
root 30927 6.5 0.2 557164 71716 ? Ssl 10:57 0:05 /usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf
clamonacc is running as root)
Thanks in advance for the help… this is really under-documented and I couldn’t find an answer in the official docs.
Well, it was a permission issue indeed. I ran
root by adding
User=root to its systemd service file, also removed
User clamscan from the config file, then it worked, having access to the home folder.
clamonacc (as root) should have used
fdpass functionality to allow access to files via local socket, but it’s not working for some reason. Running
clamd as root works on the other hand.
Technically running clamd as root is probably a security risk as it could be used as an exploit vector for privilege escalation.
I got this working previously without doing so but there was a couple of things that had to be done first.
One was to update an selinux boolean (as mentioned in the official documentation). The other part of it was to give the clamscan user group level access to your home folder.
Once I did these things I was able to get it working properly as configured for the files I needed it to scan without generating permissions errors every time. I was able to find these things by reading the clam website documentation and a few other internet searches. I do remember having to add either a clam group or a clam user (system group/user) in order for this to happen as it wasn’t done as part of the repo package…probably should have lodged a bug but at the time I got it working myself.
Hmm… thanks, good idea! I used ACLs
setfacl -Rd -m 'u:clamscan:rx' /home/myuser
sudo setfacl -R -m 'u:clamscan:rx' /home/myuser
(needed to close all apps before)
This seems to be working. Let me know if there is a better way.
In the solution here, it’s not very clear what is meant by “update an selinux boolean”, do you perhaps have a link to the docs you’re referring to?
I’m having the same issues with running ClamAV on Fedora 36, and tried running clamd as root, which didn’t help, and running
sudo setfacl had no effect either, even after restarting the services.
Something that did seem to get me a bit further was to set
clamonacc, however, this introduces a slew of new errors reading:
no reply from clamd
Please, please post this as a new thread.
Software from more than a year ago likely is not the same as today and your issue deserves its own thread so it gets proper attention.
A Thread that already has a solution should not be reopened for a new issue…