Unable to run clamav/clamonacc, permission denied on files

Hi, I’m trying to set up clamav on-demand protection.

I set in clamd.d/scan.conf to use a local socket:

LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
FixStaleSocket yes
User clamscan
OnAccessIncludePath /home/myuser
OnAccessPrevention yes
OnAccessExcludeRootUID yes
OnAccessExcludeUname clamav

Then activate the services:

sudo systemctl enable clamd@scan.service
sudo systemctl enable clamav-clamonacc.service 

Then restart for safety.
The clamd daemon starts, clamonacc, too, but I get a “permission denied” error for every scan attempt in journalctl.

aug 24 10:58:05 localhost.localdomain clamonacc[30927]: /home/myuser/myfile: File path check failure: Permission denied. ERROR
aug 24 10:58:05 localhost.localdomain clamonacc[30927]: ClamMisc: Unexpected issue; Daemon failed to scan: /home/myuser/myfile
aug 24 10:58:05 localhost.localdomain clamd[1480]: File path check failure on: /home/myuser/myfile

No more verbose logs about what is happening. Any ideas?

Users are defaults for Fedora:

~ $ ps aux | grep clam                                                                                                                                           10:58:07
clamscan    1480  0.5  3.6 1714808 1182512 ?     Ssl  09:50   0:23 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamupd+    1570  0.0  0.0  48884 13932 ?        Ss   09:50   0:00 /usr/bin/freshclam -d --foreground=true
root       30927  6.5  0.2 557164 71716 ?        Ssl  10:57   0:05 /usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf

(So, clamonacc is running as root)

Thanks in advance for the help… this is really under-documented and I couldn’t find an answer in the official docs.

Well, it was a permission issue indeed. I ran clamd@scan as root by adding User=root to its systemd service file, also removed User clamscan from the config file, then it worked, having access to the home folder.

Basically, clamonacc (as root) should have used fdpass functionality to allow access to files via local socket, but it’s not working for some reason. Running clamd as root works on the other hand.

1 Like

Technically running clamd as root is probably a security risk as it could be used as an exploit vector for privilege escalation.

I got this working previously without doing so but there were a couple of things that had to be done first.

One was to update an SELinux boolean (as mentioned in the official documentation). The other part of it was to give the clamscan user group level access to your home folder.

Once I did these things I was able to get it working properly as configured for the files I needed it to scan without generating permissions errors every time. I was able to find these things by reading the clam website documentation and a few other internet searches. I do remember having to add either a clam group or a clam user (system group/user) in order for this to happen as it wasn’t done as part of the repo package…probably should have lodged a bug but at the time I got it working myself.

2 Likes

Hmm… thanks, good idea! I used ACLs

setfacl -Rd -m 'u:clamscan:rx' /home/myuser
sudo setfacl -R -m 'u:clamscan:rx' /home/myuser 

(needed to close all apps before)

This seems to be working. Let me know if there is a better way.

1 Like
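
The "File path check failure: Permission denied" error and the group-access fix discussed in this thread, as an added example that is not part of any post: a Python sketch that walks a path and reports the first component an unprivileged scanner account cannot pass by classic mode bits. The function names, the `start` parameter and the temporary directory layout are assumptions made for illustration; POSIX ACLs (as set with `setfacl` above) and SELinux are not evaluated.

```python
import os
import tempfile

def _class_bits(st, uid, gids):
    # Classic Unix rule: exactly one class applies (owner, else group, else other).
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocked_component(path, uid, gids=(), start=os.sep):
    """Return (component, reason) for the first element between `start` and
    `path` that `uid` cannot pass by mode bits, or None if all of them pass.
    Not modelled: POSIX ACLs, SELinux, root's override of mode bits."""
    current = os.path.abspath(start)
    chain = [current]
    for part in os.path.relpath(os.path.abspath(path), current).split(os.sep):
        current = os.path.join(current, part)
        chain.append(current)
    for comp in chain[:-1]:  # every parent directory needs search (x)
        if not _class_bits(os.stat(comp), uid, gids) & 1:
            return comp, "no search (x) permission on directory"
    if not _class_bits(os.stat(chain[-1]), uid, gids) & 4:  # target needs read
        return chain[-1], "no read (r) permission on target"
    return None

def demo():
    """Constructed layout: a 0700 'home' directory holding a 0644 file."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home")
    target = os.path.join(home, "myfile")
    os.mkdir(home)
    with open(target, "w") as fh:
        fh.write("sample")
    os.chmod(root, 0o755)
    os.chmod(target, 0o644)
    os.chmod(home, 0o700)
    st = os.stat(home)
    scanner_uid = st.st_uid + 1  # stand-in for the clamscan account
    before = first_blocked_component(target, scanner_uid, start=root)
    os.chmod(home, 0o750)  # group access, scanner assumed to be in that group
    after = first_blocked_component(target, scanner_uid, (st.st_gid,), start=root)
    return home, before, after

if __name__ == "__main__":
    print(demo())
```

With the home directory at 0700 the walk stops at the directory itself even though the file is world-readable, which matches a daemon running as `clamscan` being refused on every file under `/home/myuser`.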