[clamav-users] clamd OnAccessScan issues
tasc at exemail.com.au
Thu Jun 2 00:34:10 UTC 2016
Hi
I am using CentOS 7.2, i.e.: /proc/version =>
Linux version 3.10.0-327.18.2.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu May 12 11:03:55 UTC 2016
SELinux is running.
Using Epel packages for clamav including unofficial signatures.
Using latest clamavtk as well.
Installed per
https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/.
freshclam functional
clamscan functional
clamavtk functional in KDE environment.
clamd service can be started using your sample clamd.conf.
1/ $> clamd zPING
$> clamd PING
gives a new line and then nothing. Need to terminate with Control-C.
Doesn't match manual?
2/ Enabled per clamd.conf-2016-06-01-OnAccessScan attached as used for
/etc/clamd.d/scan.conf.
Results in attached /var/log/clamd.scan log at the end as attached.
$ systemctl status clamd@scan
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-06-02 09:11:03 AEST; 2s ago
 Main PID: 29639 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─29639 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
Jun 02 09:11:03 earth systemd[1]: Started Generic clamav scanner daemon.
Jun 02 09:11:03 earth systemd[1]: Starting Generic clamav scanner daemon...
Jun 02 09:11:03 earth clamd[29639]: clamd daemon 0.99.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 02 09:11:03 earth clamd[29639]: Running as user clamscan (UID 981, GID 972)
Jun 02 09:11:03 earth clamd[29639]: Log file size limited to 10485760 bytes.
Jun 02 09:11:03 earth clamd[29639]: Reading databases from /var/lib/clamav
Jun 02 09:11:03 earth clamd[29639]: Bytecode: Security mode set to "TrustSigned".
Get in clamd.scan log
Thu Jun 2 09:11:12 2016 -> ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
Thu Jun 2 09:11:12 2016 -> ScanOnAccess: clamd must be started by root
Yet I note that running as root is not a good idea.
I note some websites re Debian/openSUSE refer to AppArmor settings being
an issue. There appears to be no documentation re SELinux settings.
Further, clamd is running as clamscan user 981
$ ps -alx | grep clam
1 982 2959 1 20 0 73808 3168 pause Ss ? 0:04 /usr/bin/freshclam -d -c 4
0 1000 5587 5094 20 0 516868 39848 poll_s Sl ? 0:00 /usr/bin/perl /usr/bin/clamtk
0 1000 8876 5094 20 0 1241756 162936 poll_s Sl ? 0:03 /usr/bin/okular /home/robertk/Documents/PC/Intel-P4304CR2JNF/Applications/ClamAV/clamdoc.pdf --icon okular -caption Okular
4 981 29639 1 20 0 774572 551400 poll_s Ssl ? 0:18 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --nofork=yes
4 0 39355 16994 20 0 215476 4132 signal T pts/2 0:00 sudo clamd zPING
4 981 39387 39355 20 0 373808 307192 signal T pts/2 0:04 clamd zPING
0 1000 172437 16994 20 0 112660 984 pipe_w S+ pts/2 0:00 grep --color=auto clam
Consequently your documentation is inadequate to cover the OnAccessScan
case using SELinux as clamd service.
Could you please assist before I tinker further with the system?
Regards
RobK