Use clamdscan on workstation F38

Before posting I searched the internet and read the manual for 2 days.
If the info I’m searching for is easy to find, I have missed it.

I’m on F38 Workstation and have installed clamd with dnf.
I know that I can use clamscan on files etc. but I need to use the daemon to test it for my project.

To run the test I downloaded a virus signature file:
$ curl https://www.eicar.org/download/eicar.com.txt -o eicar.txt

The daemon uses a socket connection:
$ sudo ls -l /run/clamd.scan/clamd.sock

srw-rw-rw-. 1 clamscan clamscan 0 23 nov 10.23 /run/clamd.scan/clamd.sock

Then I try to test:
$ clamdscan eicar.txt
This fails to connect because of my user’s permissions on the socket.
I added my user to the clamscan group … does not work
Used sudo to become root … does not work

$ sudo -u clamscan -g leonardo clamdscan eicar.txt

All’utente leonardo non è consentito eseguire “/usr/bin/clamdscan eicar.txt” come clamscan:leonardo su …

Translation:

User leonardo is not allowed to run “/usr/bin/clamdscan eicar.txt” as clamscan:leonardo on …

Have I hit an SELinux policy?

$ sudo -u clamscan -g clamscan clamdscan eicar.txt

ERROR: Can’t access file /home/leonardo/eicar.txt

It seems that if I use a user that is good for the daemon, it is not good for eicar.txt.
If I do:

$ sudo chmod o+x /home/leonardo
$ sudo chmod o+r eicar.txt 
$ sudo -u clamscan -g clamscan ls -l eicar.txt

-rw-r--r--. 1 leonardo leonardo 103257 23 nov 08.42 eicar.txt
but:
$ sudo -u clamscan -g clamscan clamdscan eicar.txt
/home/leonardo/eicar.txt: File path check failure: Permission denied. ERROR
/home/leonardo/eicar.txt: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2

if I do:
sudo dnf diff /etc/clamd.d/scan.conf
I get:

— /etc/clamd.d/scan.conf 2023-10-29 02:00:00.000000000 +0200 [ === ] — B/s | 0 B --:-- ETA
+++ /etc/clamd.d/scan.conf 2023-11-15 13:58:21.753691180 +0100
@@ -94,6 +94,7 @@
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
#LocalSocket /run/clamd.scan/clamd.sock
+LocalSocket /run/clamd.scan/clamd.sock

# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
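Review bot: the added "LocalSocket /run/clamd.scan/clamd.sock" line sits directly under the identical commented default, so the file now carries the same setting twice in two states; uncommenting the existing line instead would keep the difference from the packaged file as small as possible. The hunk changes nothing about socket group or mode (the trailing context stops at the group-ownership comment), so access to the socket is whatever the defaults give, "srw-rw-rw-" in the listing earlier in the post.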

Have I done something wrong in my conf?

Is anyone able to do a simple scan using clamdscan?

I would like to let the daemon run as the clamscan user and group, as is done by the default dnf install.
I do not like to put the socket and daemon under the root user.

(My English is bad. If it is too bad I will try to write this post in my language, let me know… :sweat_smile: )

best regards,
Leonardo

It works for me on Fedora 39 like this:

sudo dnf -y install clamav clamd
sudo sed -i -e "/^#*LocalSocket\s/s/^#//" /etc/clamd.d/scan.conf
sudo freshclam
sudo systemctl --now enable clamav-freshclam.service clamd@scan.service
sudo semanage boolean -m -1 antivirus_can_scan_system
wget -O /tmp/eicar.txt \
"https://www.eicar.org/download/eicar-com-2/?wpdmdl=8842"
sudo -u clamscan clamdscan /tmp/eicar.txt

All my clamscan experience has been years ago on machines with multiple users (where it often found Windows viruses in incoming emails) where access to all user data was important. I would start with defaults as in Linux Capable’s Install Clamav on Fedora Linux. If your use case isn’t compatible with the default install, you should discuss it on clamav-specific forums.

This was a permission error.
By default the user’s home directory has 0700 permissions, which would block access for the clamscan user, as well as the SELinux permissions blocking access.

The instructions by Vladislav above worked for me.

Thanks so much everyone.

@computersavvy I agree that this seems to be a permission error but I have
$ chmod o+x /home/leonardo
and
$ chmod o+r eicar.txt
so I suppose the clamscan user can read it
$ sudo -u clamscan ls -l eicar.txt
works …
Did I make a wrong permission change?

@vgaetera I’m new to Fedora (my first SELinux too: I come from Ubuntu) so I missed
$ sudo semanage boolean -m -1 antivirus_can_scan_system
but now I have done it and it still does not work.

I did

wget -O /tmp/eicar.txt \
"https://www.eicar.org/download/eicar-com-2/?wpdmdl=8842"

and scanning this file works, so it is my permission problem

gnwiii I think my use case is compatible. In the end I have probably made some banal permission mistake.
(I’m new and can’t refer to more than 2 users in a message)

Next week I too will upgrade to Fedora 39, so I will investigate more when I have moved to the new version.

best regards,
Leonardo

Update

It seems that after updating SELinux with semanage I wrote the /home/leonardo chmod too quickly and did $ chmod o-x /home/leonardo instead of using + silly me …

Now everything works. The solution, in the end, was to do:
$ sudo semanage boolean -m -1 antivirus_can_scan_system

best regards,
Leonardo
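
Added example, not part of any post in this thread: a shell helper that lists which path components deny the "other" permission bits the daemon account needs (search on every parent directory, read on the file) and reports the SELinux boolean named above. It assumes GNU stat and readlink, no ACLs, and a scanning account that is neither owner nor group member of the path; the function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU stat/readlink, no ACLs, and a scanning account that is
# neither owner nor group member of the path, so only "other" bits apply.

# other_blockers FILE: print each path component whose "other" bits deny
# access: read (4) on the file, search (1) on every parent directory.
other_blockers() {
    target=$(readlink -f -- "$1") || return 2
    [ -e "$target" ] || return 2
    other=$(( $(stat -c %a -- "$target") % 10 ))
    if [ $((other & 4)) -eq 0 ]; then
        printf 'no o+r: %s\n' "$target"
    fi
    dir=$(dirname -- "$target")
    while :; do
        other=$(( $(stat -c %a -- "$dir") % 10 ))
        if [ $((other & 1)) -eq 0 ]; then
            printf 'no o+x: %s\n' "$dir"
        fi
        if [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    return 0
}

# scan_boolean_state: print the SELinux boolean used in the thread,
# or "unavailable" when getsebool is missing or SELinux is disabled.
scan_boolean_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool antivirus_can_scan_system 2>/dev/null || echo unavailable
    else
        echo unavailable
    fi
}

# Usage after sourcing this file:
#   other_blockers /home/leonardo/eicar.txt
#   scan_boolean_state
```

An empty result from other_blockers together with a boolean that is still off points at SELinux rather than file modes.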