Bug 1284253

Summary: permissions on /var/run/clamd.scan directory should be 755 not 710
Product: [Fedora] Fedora Reporter: dan
Component: clamavAssignee: Sergio Basto <sergio>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 28CC: bugzilla, j, mstevens, nathanael, ondrejj, redhat-bugzilla, sergio
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-18 01:11:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description dan 2015-11-22 12:26:42 UTC 
Description of problem:  Freshclam does not provide a systemctl service file.  Additionally, the distributed clamd@.service and clamd file structure does not seem to make sense.  And there is a permission issue with the directory containing the socket file which causes failures.

To workaround, create a /usr/lib/systemd/system/clam-freshclam.service file:

[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

There are two distributed clamd@*.service files distrbuted, clamd@.service and clamd.  clamd@.service is not a valid unit name.

clamd seems to simply include clamd@.service and add an [Install] section.

On my system I enable and start clamd.

Lastly, there is a directory permissions issue if the clamd socket file is created at /var/run/clamd.scan/clamd.sock as specified by /etc/clamd.d/scan.conf.  When /var/run/clamd.scan is created is it not world readable and executable by default.  This causes permission related issues until a chmod 755 /var/run/clamd.scan is run.

Please let me know if I can supply additional data.
Comment 1 Robert Scheck 2015-11-22 20:51:32 UTC 
Is the cronjob shipped by default not good enough? And if so, why?
Comment 2 dan 2015-11-22 22:36:50 UTC 
@Robert...for some reason my database was not updating and I overlooked the cronjob.  I will disable the freshclam systemd process, verify the cronjob and withdraw that part of this report for the time being.

Any thoughts on the structure of the clamd@scan and clamd@ service files and including setting the directory permission for the socket in the systemd file?
Comment 3 dan 2015-11-23 13:45:41 UTC 
Suggested resolution for the permissions on /var/run/clamd.scan.

/etc/tmpfiles.d/clamd.scan.conf currently contains:

d /var/run/clamd.scan 0710 clamscan clamscan

This should be changed to:

d /var/run/clamd.scan 0755 clamscan clamscan
Comment 4 dan 2015-11-27 14:04:51 UTC 
Updated title to reflect current outstanding issue.
Comment 5 Fedora End Of Life 2016-07-19 19:59:32 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 6 Sergio Basto 2017-12-24 15:59:30 UTC 
to review
Comment 7 Fedora End Of Life 2018-02-20 15:28:16 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.
Comment 8 Sergio Basto 2018-07-18 01:11:09 UTC 
Latest conclusions and resume starts here: https://bugzilla.redhat.com/show_bug.cgi?id=787434#c47

*** This bug has been marked as a duplicate of bug 787434 ***