Bug 2280855

Summary: On some systems clamdscan gets a permission denied error
Product: [Fedora] Fedora EPEL
Reporter: Jon Schewe <jon.schewe>
Component: clamav
Assignee: Orion Poplawski <orion>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: epel8
CC: anon.amish, bennie.joubert, gk, j, lee.jnk, ondrejj, orion, pgnd, redhat-bugzilla, rh-bugzilla, steve
Hardware: x86_64
OS: Linux
Type: Bug

Description Jon Schewe 2024-05-16 17:42:50 UTC
On some systems clamdscan gets a permission denied error. We have been unable to determine why it fails on some hosts and not others.
I don't see anything in /var/log/audit/audit.log to explain the failure.

Information on broken host:
$ sudo /usr/bin/clamdscan --fdpass --infected --no-summary --stdout /etc/gshadow
/etc/gshadow: File path check failure: Permission denied. ERROR
/etc/gshadow: File path check failure: Permission denied. ERROR

$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.9 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.9"

$ getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> off

$ fips-mode-setup --check
FIPS mode is enabled.



Information on working host:
$ sudo /usr/bin/clamdscan --fdpass --infected --no-summary --stdout /etc/gshadow

$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="8.9 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.9"

$ getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> off

$ fips-mode-setup --check
FIPS mode is enabled.

Comment 1 Jon Schewe 2024-05-16 17:45:28 UTC
The error disappears if I use "--stream" instead of "--fdpass". Looking at the documentation I see that "--stream" is meant for testing and debugging, so I've stayed away from using this in our regular environment. Is "--stream" something that I should be using all of the time despite the documentation?

We are using a central scanning server rather than scanning locally.

Comment 2 Jon Schewe 2024-05-16 17:46:48 UTC
ClamAV version 0.103.11-1.el8

Comment 3 Orion Poplawski 2024-05-17 02:26:27 UTC
Does it work in permissive mode?

sudo setenforce 0

Any difference in the /etc/clamd.d/scan.conf files between the machines? (assuming that is your clamd config file).

Comment 4 Jon Schewe 2024-05-17 13:02:07 UTC
$ sudo setenforce 0
$ sudo /usr/bin/clamdscan  --fdpass -v  --stdout /etc/gshadow
/etc/gshadow: File path check failure: Permission denied. ERROR
/etc/gshadow: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.002 sec (0 m 0 s)
Start Date: 2024:05:17 08:59:53
End Date:   2024:05:17 08:59:53

This suggests it's not SELinux.

I checked the config files; they are the same. We push the same config to all hosts using Ansible.
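
Added example (not part of the original report and not ClamAV code): a file that ends in `ERROR` was not scanned, so automation around `clamdscan --infected --no-summary` should report it separately from detections. This shell script does that for `clamdscan --stdout` output, assuming the `path: detail STATUS` line layout seen in this report and paths that do not contain `: `; the function names and the `FOUND` line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the two ERROR lines are copied from the report above,
# the FOUND line is invented so both result kinds appear.
SAMPLE='/etc/gshadow: File path check failure: Permission denied. ERROR
/etc/gshadow: File path check failure: Permission denied. ERROR
/srv/upload/sample.bin: Win.Test.EICAR_HDB-1 FOUND'

# classify_scan (hypothetical helper): read clamdscan output on stdin and print
# one "STATUS<TAB>path<TAB>detail" line per distinct result. Repeated lines,
# as in the report, are collapsed; OK lines and the summary block are ignored.
classify_scan() {
    awk '
        function emit(status, line, suffix,    body, i, key) {
            body = substr(line, 1, length(line) - length(suffix))
            i = index(body, ": ")          # first ": " ends the path
            if (i == 0) return
            key = status "\t" substr(body, 1, i - 1) "\t" substr(body, i + 2)
            if (!(key in seen)) { seen[key] = 1; print key }
        }
        / FOUND$/ { emit("INFECTED",  $0, " FOUND"); next }
        / ERROR$/ { emit("UNSCANNED", $0, " ERROR"); next }
    '
}

# scan_verdict (hypothetical helper): print 1 if anything is infected, 2 if
# nothing is infected but at least one file went unscanned, otherwise 0.
# The numbers follow the exit codes documented in the clamdscan man page.
scan_verdict() {
    classify_scan | awk -F '\t' '
        $1 == "INFECTED"  { inf = 1 }
        $1 == "UNSCANNED" { err = 1 }
        END { print (inf ? 1 : (err ? 2 : 0)) }
    '
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE" | classify_scan
```
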

Comment 5 Fedora Admin user for bugzilla script actions 2025-06-21 03:40:57 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.