5

On fc29 I have clamd installed and clamd@scan.service is running fine. clamdscan runs for root but not for a regular user, even after addition to 'clamscan' group.

dnf list installed | grep clam

clamav.x86_64                               0.101.0-3.fc29                      @updates               
clamav-filesystem.noarch                    0.101.0-3.fc29                      @updates               
clamav-lib.x86_64                           0.101.0-3.fc29                      @updates               
clamav-update.x86_64                        0.101.0-3.fc29                      @updates               
clamd.x86_64                                0.101.0-3.fc29                      @updates               

Running clamdscan as root works just fine

clamdscan --fdpass .

gpasswd -a reg_user clamscan

When run as user in clamscan group-

clamdscan --fdpass .
ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied

Still no-

sudo -u reg_user clamdscan --fdpass .
ERROR: Could not connect to clamd on LocalSocket /var/run/clamd.scan/clamd.sock: Permission denied

Not surprisingly-

sudo -u reg_user ls -la /var/run/clamd.scan
ls: cannot open directory '/var/run/clamd.scan': Permission denied

sudo -u clamscan ls -la /var/run/clamd.scan

total 0
drwx--x---.  2 clamscan virusgroup   60 Jan  9 10:24 .
drwxr-xr-x. 42 root     root       1220 Jan  9 09:06 ..
srw-rw----.  1 clamscan virusgroup    0 Jan  9 10:24 clamd.sock

Here are the socket settings in the config-

cat /etc/clamd.d/scan.conf | grep ocket

LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes

Here is the socket-

ls -laZ /var/run/clamd.scan

total 0
drwx--x---.  2 clamscan virusgroup system_u:object_r:antivirus_var_run_t:s0   60 Jan  9 10:08 .
drwxr-xr-x. 42 root     root       system_u:object_r:var_run_t:s0           1220 Jan  9 09:06 ..
srw-rw----.  1 clamscan virusgroup system_u:object_r:antivirus_var_run_t:s0    0 Jan  9 10:08 clamd.sock

Here is the group-

cat /etc/group | grep clam

clamupdate:x:976:
virusgroup:x:975:clamupdate,clamscan
clamscan:x:974:reg_user

This is not blocked by selinux AFAIK. I've seen there have been some debates on the permissions of the socket folder in redhat variants but it seems that clamdscan should run for any user in the 'clamscan' group.

hotkarl
  • 155
  • 1
  • 10
  • Your configuration says the LocalSocketGroup is virusgroup. That's the group that has permission to the socket, not clamscan. This is clearly displayed on your ls output. –  Jan 09 '19 at 20:28
  • I didn't mention I also tried adding the user to 'virusgroup' and got the same error. Plus 'clamscan' user is actually a member of 'virusgroup' already.. – hotkarl Jan 09 '19 at 20:52
  • 1
    @hotkarl, did you find a solution to this? – detaylor Dec 06 '19 at 13:56

0 Answers0