Why can't ClamAV scan some files?

4

Whenever I try to execute a ClamAV scan on a file in many of my bin directories, it fails with a

Can't open file or directory ERROR

message. I know it's possible to get ClamdScan to scan the bin directory but I can't figure out how. Any suggestions?

$ clamdscan /bin/true
/bin/true: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

I can't find any differences between the AppArmor configuration files on the machine where it works and on the machine where it doesn't. I did get it to scan with a workaround by adding:

/bin/** r,

to:

/etc/apparmor.d/local/usr.sbin.clamd

But this line isn't present in the other machine's local clamd AppArmor permissions file, so I'm still confused, and it's such a shotgun solution to just say ClamAV can access everything in /bin and below, mainly because if this is the solution then I have to add /sbin, /usr/bin and /usr/sbin to AppArmor as well, and that just seems counter-intuitive.

TimeHorse

Posted 2013-11-07T22:57:35.290

Reputation: 201

Please provide the permission information on the folder. – Ramhound – 2013-11-07T23:31:01.127

@Ramhound it's -rwxr-xr-x 1 root root 27184 Nov 8 07:49 /bin/true* for the given executable and drwxr-xr-x 2 root root 4096 Nov 7 15:11 bin/ for the directory. But I think it has to do with AppArmor. – TimeHorse – 2013-11-08T14:47:15.687

Answers

6

It was AppArmor preventing me from accessing bin. I changed:

/etc/apparmor.d/local/usr.sbin.clamd

by adding:

/bin/** r,

to it and was able to scan the files in /bin. If I want to add other directories, I just need to add lines to that file to include them. The AppArmor line above means /bin and all child folders, recursively, with read-only access, which is all ClamAV needs. The file in question is AppArmor's directive for what special permissions /usr/sbin/clamd, which is the ClamAV service daemon, will receive. So this was all I needed to do to get it working. Thanks @Ramhound for the hint!

TimeHorse

Posted 2013-11-07T22:57:35.290

Reputation: 201

Is there any reason you have 2 asterisks in your example? I was able to get it working with only 1, i.e. /bin/* r – macguru2000 – 2018-03-05T22:46:01.000

It's been a heck of a long time but if I recall correctly, one * is this directory, two, **, means recurse subdirectories too. – TimeHorse – 2018-03-06T13:50:05.233

Thanks thanks, if that’s the case I’ll have to update mine too... let you know what I find. Cheers! – macguru2000 – 2018-03-06T15:01:27.167

Confirmed that 2 asterisks indeed means to allow all the sub-directories too. Thanks again! – macguru2000 – 2018-03-06T23:14:13.610

Glad I could help! – TimeHorse – 2018-03-07T04:36:07.493
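
To see exactly which paths the clamd profile is being refused before widening it, the kernel's AppArmor denial lines can be parsed and checked against candidate rule globs. This is an added example, not part of the original answer or comments; the log lines and the /bin/tools/helper path are constructed, and the matcher is a simplified model that handles only the * and ** wildcards discussed above.

```python
import re

# Constructed sample of kernel audit lines (not taken from the original post).
SAMPLE_LOG = '''\
audit: type=1400 audit(1383865055.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/bin/true" pid=2101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1383865056.207:42): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/bin/tools/helper" pid=2101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1383865057.318:43): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=977 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1383865058.422:44): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/sbin/init" pid=2101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')  # quoted key="value" pairs only

def denied_reads(log_text, profile="/usr/sbin/clamd"):
    """Return the sorted paths AppArmor refused to let `profile` read."""
    paths = set()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if (f.get("apparmor") == "DENIED" and f.get("profile") == profile
                and "r" in f.get("denied_mask", "") and "name" in f):
            paths.add(f["name"])
    return sorted(paths)

def glob_to_regex(glob):
    """Simplified AppArmor path glob: '**' crosses '/', a single '*' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def uncovered(paths, globs):
    """Paths that none of the candidate read-rule globs would match."""
    compiled = [glob_to_regex(g) for g in globs]
    return [p for p in paths if not any(c.fullmatch(p) for c in compiled)]

if __name__ == "__main__":
    denied = denied_reads(SAMPLE_LOG)
    for candidate in ("/bin/*", "/bin/**"):
        print(candidate, "leaves uncovered:", uncovered(denied, [candidate]))
```

On a live system the same lines come from the kernel log or the audit log, and an edited local profile only takes effect after the clamd profile is reloaded.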