On fc29 I have clamd installed and clamd@scan.service is running fine. clamdscan runs for root but not for a regular user, even after addition to 'clamscan' group.
dnf list installed | grep clam
clamav.x86_64 0.101.0-3.fc29 @updates
clamav-filesystem.noarch 0.101.0-3.fc29 @updates
clamav-lib.x86_64 0.101.0-3.fc29 @updates
clamav-update.x86_64 0.101.0-3.fc29 @updates
clamd.x86_64 0.101.0-3.fc29 @updates
Running clamdscan as root works just fine
clamdscan --fdpass .
gpasswd -a reg_user clamscan
When run as user in clamscan group-
clamdscan --fdpass .
ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied
Still no-
sudo -u reg_user clamdscan --fdpass .
ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied
Not surprisingly-
sudo -u reg_user ls -la /var/run/clamd.scan
ls: cannot open directory '/var/run/clamd.scan': Permission denied
sudo -u clamscan ls -la /var/run/clamd.scan
total 0
drwx--x---. 2 clamscan virusgroup 60 Jan 9 10:24 .
drwxr-xr-x. 42 root root 1220 Jan 9 09:06 ..
srw-rw----. 1 clamscan virusgroup 0 Jan 9 10:24 clamd.sock
Here are the socket settings in the config-
cat /etc/clamd.d/scan.conf | grep ocket
LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes
Here is the socket-
ls -laZ /var/run/clamd.scan
total 0
drwx--x---. 2 clamscan virusgroup system_u:object_r:antivirus_var_run_t:s0 60 Jan 9 10:08 .
drwxr-xr-x. 42 root root system_u:object_r:var_run_t:s0 1220 Jan 9 09:06 ..
srw-rw----. 1 clamscan virusgroup system_u:object_r:antivirus_var_run_t:s0 0 Jan 9 10:08 clamd.sock
Here is the group-
cat /etc/group | grep clam
clamupdate:x:976:
virusgroup:x:975:clamupdate,clamscan
clamscan:x:974:reg_user
This is not blocked by selinux AFAIK. I've seen there have been some debates on the permissions of the socket folder in redhat variants but it seems that clamdscan should run for any user in the 'clamscan' group.
