Bug 1028653 - Freshclam cannot notify clamd of database updates due to permission denied
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: amavisd-new
Version: 19
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Juan Orti
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-11-09 06:28 UTC by Raman Gupta
Modified: 2014-03-30 07:25 UTC (History)

Fixed In Version: amavisd-new-2.8.1-1.fc20
Doc Type: Bug Fix
Clone Of: 548234
Last Closed: 2014-03-13 22:40:02 UTC

Description Raman Gupta 2013-11-09 06:28:22 UTC
The problem initially reported in Bug #548234 is happening again. Here are the permissions on /var/spool/amavisd with a default installation of amavisd-new:

# ls -ld /var/spool/amavisd
drwx--x---. 8 amavis amavis 4096 May 10 13:27 /var/spool/amavisd

# rpm -q --info amavisd-new
Name        : amavisd-new
Version     : 2.8.0
Release     : 5.fc19

The permissions and group ownership for /var/spool/amavisd should be:

# ls -ld /var/spool/amavisd
drwxrwx---. 8 amavis clamupdate 4096 May 10 13:27 /var/spool/amavisd
    ^^^              ^^^^^^^^^^


+++ This bug was initially created as a clone of Bug #548234 +++

clamav-update (freshclam) is unable to notify clamav of updates to the database via local socket.

This is on a fresh newly installed Fedora 12 system (not an upgrade). The following package versions are installed:

clamav-0.95.2-5.fc12.i686
clamav-lib-0.95.2-5.fc12.i686
clamav-server-0.95.2-5.fc12.i686
clamav-filesystem-0.95.2-5.fc12.noarch
clamav-update-0.95.2-5.fc12.i686
clamav-data-0.95.2-5.fc12.noarch
amavisd-new-2.6.4-1.fc12.noarch


How reproducible:

Every time.


Steps to Reproduce:

1. Delete /var/lib/clamav/daily.cld
2. Run freshclam


Actual results:

Freshclam gets the following error:

WARNING: Clamd was NOT notified: Can't connect to clamd through /var/spool/amavisd/clamd.sock
connect(): Permission denied


Expected results:

Notify works correctly.


Additional info:

I have configured /etc/freshclam.conf with 

AllowSupplementaryGroups yes

and also added the clamupdate user to the amavis group:

# grep -E "(amavis|clamupdate)" /etc/passwd
clamupdate:x:490:471:Clamav database update user:/var/lib/clamav:/sbin/nologin
amavis:x:489:470::/var/spool/amavisd:/sbin/nologin

# grep -E "(amavis|clamupdate)" /etc/group
clamupdate:x:471:
amavis:x:470:clamupdate

I can also confirm that freshclam is using the clamupdate user and is loading the supplementary amavis group via strace, where I can see this information near the top of the trace:

setgroups32(2, [471, 470])              = 0
setgid32(471)                           = 0
setuid32(490)                           = 0

However, freshclam still fails. This is the access failure from the strace:

connect(5, {sa_family=AF_FILE, path="/var/spool/amavisd/clamd.sock"}, 110) = -1 EACCES (Permission denied)

Permissions on the clamd.sock file are as follows:

# ls -l /var/spool/amavisd/clamd.sock
srwxrwxrwx 1 amavis amavis 0 2009-12-16 19:04 /var/spool/amavisd/clamd.sock

# stat /var/spool/amavisd/clamd.sock
  File: `/var/spool/amavisd/clamd.sock'
  Size: 0         	Blocks: 0          IO Block: 4096   socket
Device: fd01h/64769d	Inode: 5243668     Links: 1
Access: (0777/srwxrwxrwx)  Uid: (  489/  amavis)   Gid: (  470/  amavis)
Access: 2009-12-16 19:07:10.706297129 -0500
Modify: 2009-12-16 19:04:36.167296751 -0500
Change: 2009-12-16 19:04:36.167296751 -0500

--- Additional comment from Enrico Scholz on 2009-12-17 03:38:52 EST ---

What are the permissions for the /var/spool/amavisd directory? Are there SELinux avcs?

--- Additional comment from Raman Gupta on 2009-12-17 12:04:13 EST ---

Yup, /var/spool/amavisd directory permissions are set to 700 -- sorry, I should have noticed that. Changing them to 770 works.

Should changing these directory perms be permanently applied to the amavisd-new package? The user/group is amavis and the amavis group has no other users in it by default, so changing the perms to 770 is effectively the same access level by default. However, changing the perm to 770 in the package would allow clamav notifications to work as expected out of the box (with the appropriate config and supplementary group entries of course, but a user expects to make those) [1]. It would also prevent people's notifications from breaking every time there is an update to the amavisd-new package, and the directory permissions are reset.

If you think this is a good idea, could you change the component to amavisd-new and mark this as an "enhancement"?

[1] Note I don't have SELinux enabled, so perhaps there might be a package change to SELinux perms as well.

--- Additional comment from Enrico Scholz on 2010-01-17 05:06:24 EST ---

Reassigned to amavisd-new

--- Additional comment from Bug Zapper on 2010-11-03 23:09:21 EDT ---


This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

--- Additional comment from Raman Gupta on 2010-12-01 23:21:45 EST ---

This is still a problem on Fedora 14 (freshly installed system).

A workaround is to use the yum-plugin-post-transaction-actions plugin to change the permissions of /var/spool/amavisd after every update to the amavisd package. However, that really shouldn't be necessary.

--- Additional comment from Fedora Update System on 2011-09-18 22:39:47 EDT ---

amavisd-new-2.6.6-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc15

--- Additional comment from Fedora Update System on 2011-09-18 22:40:31 EDT ---

amavisd-new-2.6.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc16

--- Additional comment from Fedora Update System on 2011-09-19 14:31:17 EDT ---

Package amavisd-new-2.6.6-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing amavisd-new-2.6.6-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc16
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2011-10-02 14:14:46 EDT ---

amavisd-new-2.6.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2011-10-02 19:06:03 EDT ---

amavisd-new-2.6.6-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
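
Added example (not part of the original report or of any package discussed here): a small Python model of the permission checks behind the EACCES above, showing that the 0777 socket stays unreachable while its parent directory denies search permission. The parent directories' modes, the treatment of /var/run as a plain directory, and the reuse of the Fedora 12 uid/gid numbers for the /var/run/clamd.amavisd layout are assumptions; root override, ACLs and SELinux are not modelled.

```python
from typing import NamedTuple, Optional

class Node(NamedTuple):
    path: str
    mode: int  # permission bits only, e.g. 0o700
    uid: int
    gid: int

def class_bits(node: Node, uid: int, gids: set) -> int:
    """rwx triplet the kernel consults: owner class, else group class, else other.
    The first matching class decides; later classes are never tried."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def first_denial(chain: list, uid: int, gids: set) -> Optional[str]:
    """Walk the directories, then the socket; return the first path that would
    yield EACCES for connect(), or None if the connect is permitted."""
    *dirs, sock = chain
    for d in dirs:
        if not class_bits(d, uid, gids) & 1:   # search (x) needed on every directory
            return d.path
    if not class_bits(sock, uid, gids) & 2:    # write needed on the socket itself
        return sock.path
    return None

# Constructed from the listings in this report. Assumptions: parent directories
# are root-owned 0755; uid/gid numbers are those shown for the Fedora 12 host.
AMAVIS, AMAVIS_G, CLAMUPDATE, CLAMUPDATE_G = 489, 470, 490, 471
PARENTS = [Node("/", 0o755, 0, 0), Node("/var", 0o755, 0, 0),
           Node("/var/spool", 0o755, 0, 0)]
SOCK = Node("/var/spool/amavisd/clamd.sock", 0o777, AMAVIS, AMAVIS_G)

def spool(mode: int) -> list:
    """Path chain to the old socket location with the given spool-directory mode."""
    return PARENTS + [Node("/var/spool/amavisd", mode, AMAVIS, AMAVIS_G), SOCK]

# Layout after the fix: directory group is clamupdate, socket is 0666.
FIXED = [Node("/", 0o755, 0, 0), Node("/var", 0o755, 0, 0), Node("/var/run", 0o755, 0, 0),
         Node("/var/run/clamd.amavisd", 0o770, AMAVIS, CLAMUPDATE_G),
         Node("/var/run/clamd.amavisd/clamd.sock", 0o666, AMAVIS, AMAVIS_G)]

if __name__ == "__main__":
    for label, chain, gids in [("0700 spool dir", spool(0o700), {471, 470}),
                               ("0770 spool dir", spool(0o770), {471, 470}),
                               ("packaged fix", FIXED, {471})]:
        print(label, "->", first_denial(chain, CLAMUPDATE, gids) or "connect allowed")
```

The third case passes without clamupdate being a member of the amavis group, because the directory's group is clamupdate itself.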

Comment 1 Fedora Admin XMLRPC Client 2014-03-10 12:52:35 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Fedora Update System 2014-03-10 14:26:40 UTC
amavisd-new-2.8.1-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/amavisd-new-2.8.1-1.fc20

Comment 3 Fedora Update System 2014-03-10 14:43:13 UTC
amavisd-new-2.8.1-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/amavisd-new-2.8.1-1.fc19

Comment 4 Fedora Update System 2014-03-11 04:09:27 UTC
Package amavisd-new-2.8.1-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing amavisd-new-2.8.1-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3711/amavisd-new-2.8.1-1.fc20
then log in and leave karma (feedback).

Comment 5 lnie 2014-03-11 05:54:06 UTC
Still saw this bug in amavisd-new-2.8.1-1.fc20

Comment 6 Juan Orti 2014-03-11 14:05:14 UTC
In my tests the daemon is notified, but freshclam gives the error:

clamd server '/var/run/clamd.amavisd/clamd.sock' gave '' response

Which I think is bug #949838

This is the log of my server:

mar 11 14:54:13 foo.example.com freshclam[20352]: Current working dir is /var/lib/clamav
mar 11 14:54:13 foo.example.com freshclam[20352]: Max retries == 3
mar 11 14:54:13 foo.example.com freshclam[20352]: ClamAV update process started at Tue Mar 11 14:54:13 2014
mar 11 14:54:13 foo.example.com freshclam[20352]: Using IPv6 aware code
mar 11 14:54:13 foo.example.com freshclam[20352]: Querying current.cvd.clamav.net
mar 11 14:54:13 foo.example.com freshclam[20352]: TTL: 1389
mar 11 14:54:13 foo.example.com freshclam[20352]: Software version from DNS: 0.98.1
mar 11 14:54:13 foo.example.com freshclam[20352]: main.cvd version from DNS: 55
mar 11 14:54:13 foo.example.com freshclam[20352]: main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
mar 11 14:54:13 foo.example.com freshclam[20352]: Retrieving http://database.clamav.net/daily.cvd
mar 11 14:54:13 foo.example.com freshclam[20352]: Trying to download http://database.clamav.net/daily.cvd (IP: 62.201.161.84)
mar 11 14:54:20 foo.example.com freshclam[20352]: Downloading daily.cvd [100%]
mar 11 14:54:21 foo.example.com freshclam[20353]: Loading signatures from daily.cvd
mar 11 14:54:23 foo.example.com freshclam[20353]: Properly loaded 815608 signatures from new daily.cvd
mar 11 14:54:24 foo.example.com freshclam[20352]: daily.cvd updated (version: 18572, sigs: 815603, f-level: 63, builder: neo)
mar 11 14:54:24 foo.example.com freshclam[20352]: Querying daily.18572.76.1.0.3EC9A154.ping.clamav.net
mar 11 14:54:24 foo.example.com freshclam[20352]: bytecode.cvd version from DNS: 236
mar 11 14:54:24 foo.example.com freshclam[20352]: bytecode.cld is up to date (version: 236, sigs: 43, f-level: 63, builder: dgoddard)
mar 11 14:54:27 foo.example.com freshclam[20352]: Database updated (3239871 signatures) from database.clamav.net (IP: 62.201.161.84)
mar 11 14:54:27 foo.example.com freshclam[20352]: Clamd successfully notified about the update.
mar 11 14:54:27 foo.example.com clamd[18844]: Reading databases from /var/lib/clamav
mar 11 14:54:27 foo.example.com clamd[18844]: Reading databases from /var/lib/clamav
mar 11 14:54:37 foo.example.com clamd[18844]: Database correctly reloaded (3234479 signatures)
mar 11 14:54:37 foo.example.com clamd[18844]: Database correctly reloaded (3234479 signatures)

Comment 7 Raman Gupta 2014-03-11 15:05:57 UTC
Looks good to me on F19. I see that the location of clamd.sock has changed to /var/run/clamd.amavisd/, which has the correct group permissions:

# ls -ld /var/run/clamd.amavisd
drwxrwx---. 2 amavis clamupdate 80 Mar 11 10:57 /var/run/clamd.amavisd

# ls -l /var/run/clamd.amavisd/
total 4
-rw-rw-r--. 1 amavis amavis 3 Mar 11 10:57 clamd.pid
srw-rw-rw-. 1 amavis amavis 0 Mar 11 10:57 clamd.sock

I provided positive karma on the update.

Comment 8 Fedora Update System 2014-03-19 08:47:40 UTC
amavisd-new-2.8.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-03-19 08:49:15 UTC
amavisd-new-2.8.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

