I've been having trouble with using clamdscan to scan my entire system ( 'clamdscan --multiscan --fdpass /' ) when SELinux is in Enforcing mode due to files of certain SELinux context types.
clamav-lib-0.103.2-1.el7.x86_64
clamav-data-0.103.2-1.el7.noarch
clamd-0.103.2-1.el7.x86_64
clamav-filesystem-0.103.2-1.el7.noarch
clamav-0.103.2-1.el7.x86_64
clamav-update-0.103.2-1.el7.x86_64
- Oracle Enterprise Linux 8 with the following packages from the yum repo:
clamav-lib-0.103.2-1.el8.x86_64
clamav-data-0.103.2-1.el8.noarch
clamd-0.103.2-1.el8.x86_64
clamav-filesystem-0.103.2-1.el8.noarch
clamav-0.103.2-1.el8.x86_64
clamav-update-0.103.2-1.el8.x86_64
- clamd runs as the clamscan user, but the same problem exists even if I run clamd as root
1. My /etc/clamd.d/scan.conf:
# egrep -v "^#|^$" /etc/clamd.d/scan.conf
LogSyslog yes
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketMode 660
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
User clamscan
2. SELinux is in Enforcing mode, and I've got the SELinux booleans set appropriately to allow ClamAV to scan the system:
# getenforce
Enforcing
# getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> on
3. When I run a full system scan, it finishes way too fast and doesn't catch the EICAR file that I know is on the system:
# clamdscan --multiscan --fdpass / 2>/dev/null
/dev: Excluded
/proc: Excluded
/sys: Excluded
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 30
Time: 6.298 sec (0 m 6 s)
Start Date: 2021:06:14 18:02:09
End Date: 2021:06:14 18:02:16
4. This is what /var/log/messages showed after the scan:
Jun 14 18:02:10 centos7-server clamd[2972]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 18:02:10 centos7-server clamd[2972]: Error condition on fd 10
5. I was able to narrow down which files & directories clamdscan was having trouble with, so I reran the scan on just those:
# clamdscan --multiscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/
/var/log/audit/audit.log.4: no reply from clamd
/etc/gshadow: no reply from clamd
/etc/gshadow-: no reply from clamd
/etc/shadow: no reply from clamd
/etc/shadow-: no reply from clamd
/etc/security/opasswd: no reply from clamd
/etc/selinux/semanage.conf: no reply from clamd
/etc/audit/audit.rules: no reply from clamd
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 8
Time: 0.006 sec (0 m 0 s)
Start Date: 2021:06:14 14:30:02
End Date: 2021:06:14 14:30:02
6. This is what /var/log/messages showed after the scan:
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server clamd[27696]: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
Jun 14 14:30:02 centos7-server clamd[27696]: Error condition on fd 10
Jun 14 14:30:02 centos7-server jdoe: root 192.168.0.10 [23471]: Jun 14 14:30:02 clamdscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/ [2]
7. When I checked audit.log to see why SELinux was blocking the scan, it came back with nothing:
# ausearch -ts recent | audit2why
Nothing to do
8. If I set SELinux to Permissive mode, clamdscan is able to scan those files & directories and finds the EICAR file:
# setenforce 0
# clamdscan --fdpass /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/
/var/log/audit/eicar.txt: Eicar-Signature FOUND
/etc/gshadow: OK
/etc/gshadow-: OK
/etc/shadow: OK
/etc/shadow-: OK
/etc/security/opasswd: OK
/etc/selinux: OK
/etc/audit: OK
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 24.001 sec (0 m 24 s)
Start Date: 2021:06:14 14:34:37
End Date: 2021:06:14 14:35:01
9. Again, audit.log doesn't show what would've been blocked if SELinux was in Enforcing mode:
# ausearch -ts recent | audit2why
Nothing to do
10. Looking at the SELinux context of the files & directories, I narrowed it down to 4 types that seem to be problematic for clamdscan and SELinux:
# ls -lZ /var/log/audit /etc/*shadow* /etc/security/opasswd /etc/selinux/ /etc/audit/ | grep '_t' | cut -d: -f3 | sort -u
auditd_etc_t
auditd_log_t
selinux_config_t
shadow_t
----- QUESTIONS -----
Is this a bug with ClamAV or just SELinux working as designed?
Is there a way for clamdscan to scan files with SELinux context types auditd_etc_t, auditd_log_t, selinux_config_t, and shadow_t using file descriptor passing? It boggles me that auditd isn't logging anything, otherwise I could try to create a local policy module to allow it.
As a workaround, this is how I'm currently performing a full system scan:
1. Exclude /var/log/audit and /etc from clamd scans:
/etc/clamd.d/scan.conf:
ExcludePath ^/var/log/audit/
# Excluding all of /etc/ because of Bug 12676 - Segmentation fault with regex, multiscan and fdpass (https://bugzilla.clamav.net/show_bug.cgi?id=12676)
ExcludePath ^/etc/
2. Run clamdscan on / first:
clamdscan --multiscan --fdpass /
3. As root, run clamscan separately on /etc & /var/log/audit:
clamscan --infected --recursive /etc /var/log/audit
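A small helper script, added here and not part of the original post, that turns the manual narrowing-down in steps 5 and 10 into a repeatable check and applies the clamscan workaround only to the files that actually failed fd passing. It assumes the clamdscan output was saved to a file and that file contexts come from `stat -c '%C %n'`; the sample inputs below are constructed, and the `semodule -DB` step is the standard way to surface denials hidden by dontaudit rules, which is one reason `audit2why` can report "Nothing to do".

```shell
#!/bin/sh
# Added helper (not part of the original post). It turns the manual
# narrowing-down above into a repeatable check: list the files clamd refused
# over fd passing, group them by SELinux type, and rescan only those.
# Paths reported as "no reply from clamd" in saved clamdscan output ($1).
fdpass_failures() {
    sed -n 's/^\(.*\): no reply from clamd$/\1/p' "$1"
}

# Join those paths with "context path" lines in $2 (as printed by
# stat -c '%C %n' PATH...) and print "selinux_type path".
failures_by_type() {
    fdpass_failures "$1" | awk '
        FILENAME == ARGV[1] { split($1, c, ":"); type[$2] = c[3]; next }
        { t = ($0 in type) ? type[$0] : "unknown"; print t, $0 }' "$2" -
}

# The post's workaround, narrowed to the failing files: clamscan scans
# in-process and needs no fd passing (needs root and ClamAV installed).
rescan_failures() {
    fdpass_failures "$1" | xargs -r clamscan --infected --no-summary
}
# Why audit.log can stay empty: a dontaudit rule silences the AVC. Disable
# dontaudit rules, reproduce, read the denials, then restore (needs root).
show_hidden_denials() {
    semodule -DB && clamdscan --fdpass "$@" >/dev/null 2>&1
    ausearch -m avc -ts recent | audit2why
    semodule -B
}

# Constructed sample inputs modelled on the post's step 5 and step 10 output.
SCAN_OUT=$(mktemp) CTX=$(mktemp)
cat >"$SCAN_OUT" <<'EOF'
/var/log/audit/audit.log.4: no reply from clamd
/etc/shadow: no reply from clamd
/etc/security/opasswd: no reply from clamd
/etc/selinux/semanage.conf: no reply from clamd
/etc/audit/audit.rules: no reply from clamd
----------- SCAN SUMMARY -----------
Total errors: 5
EOF
cat >"$CTX" <<'EOF'
system_u:object_r:auditd_log_t:s0 /var/log/audit/audit.log.4
system_u:object_r:shadow_t:s0 /etc/shadow
system_u:object_r:shadow_t:s0 /etc/security/opasswd
system_u:object_r:selinux_config_t:s0 /etc/selinux/semanage.conf
system_u:object_r:auditd_etc_t:s0 /etc/audit/audit.rules
EOF
failures_by_type "$SCAN_OUT" "$CTX" | sort
```

On a real host, save the output of the failing `clamdscan --fdpass` run to a file, generate the context file with `stat -c '%C %n'` over the listed paths, and feed both to `failures_by_type` before deciding which paths to exclude and hand to `rescan_failures`.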