+++ This bug was initially created as a clone of Bug #1464269 +++

"PrivateTmp = true" was added to the clamd@.service unit file per request of Dan Walsh in bug 782488.

Since version 0.99, Clam AntiVirus has been able to use fanotify() in order to provide on-access scanning:

http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Unfortunately, using "PrivateTmp = true" silently breaks all on-access scanning features. Not only does on-access scanning for /tmp and /var/tmp not work (because the clamd service is not looking at the real /tmp and /var/tmp directories), but all other uses of OnAccessIncludePath and OnAccessMountPath silently fail as well.

This is trivial to test. As root:

    $ cat >/etc/clamd.d/root.conf <<EOF
    ExtendedDetectionInfo yes
    LocalSocket /var/run/clamd.sock
    ScanOnAccess yes
    OnAccessExcludeUID 0
    OnAccessExtraScanning yes
    OnAccessMountPath /home
    OnAccessMountPath /tmp
    OnAccessMountPath /var/tmp
    EOF
    $ systemctl start clamd@root

As a regular user, cd to your home directory, and do:

    # quoted delimiter: keep the shell from expanding "$EICAR..." and "$H" in the test string
    $ cat >/home/testuser/eicar.com <<'EOF'
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    EOF

Result: the clamd daemon will not receive a fanotify event, and therefore will not detect the creation of the test virus file.

Now turn off the PrivateTmp feature. As root:

    $ cat >/etc/systemd/system/clamd@.service <<EOF
    .include /usr/lib/systemd/system/clamd@.service
    [Service]
    PrivateTmp = false
    EOF
    $ systemctl daemon-reload
    $ systemctl restart clamd@root

As the regular user, cat the eicar.com test file:

    $ cat eicar.com
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, the clam daemon will receive the fanotify event, and emit something like this:

    2017-06-22T16:41:41.758517-04:00 host.example.org clamd: ScanOnAccess: /home/testuser/eicar.com: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used with clamav, because a service with PrivateTmp = true will never receive any fanotify() events, which breaks clamav core functionality.

Please remove the "PrivateTmp = true" line from the clamd@.service file.
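The following audit script is an added example and is not part of the bug report or of the ClamAV or Fedora packaging. It checks a clamd@ instance for the exact conflict described above: a config that enables ScanOnAccess combined with a unit that runs under PrivateTmp. It assumes a systemd host for `systemctl show -p PrivateTmp --value` and a Linux /proc for the mount-namespace comparison (reading another process's /proc/<pid>/ns/mnt needs root); the sample config it writes is constructed for the demo and the function names (`verdict`, `audit`, `in_private_mntns`, `write_sample_conf`) are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a clamd@ instance for the
# PrivateTmp / on-access conflict. Config parsing and the verdict logic run
# anywhere; the systemctl and /proc lookups only mean something on a systemd
# host (and, for /proc, as root).

# Print the on-access directives of a clamd config, minus leading whitespace.
onaccess_directives() {
    grep -E '^[[:space:]]*(ScanOnAccess|OnAccess[A-Za-z]+)[[:space:]]' "$1" \
        | sed 's/^[[:space:]]*//'
}

# Succeed if the config turns ScanOnAccess on (clamd accepts yes/true/1).
onaccess_enabled() {
    grep -Eiq '^[[:space:]]*ScanOnAccess[[:space:]]+(yes|true|1)[[:space:]]*$' "$1"
}

# verdict <onaccess yes|no> <PrivateTmp value>
# Exit 0 = fine, 1 = conflict, 2 = PrivateTmp could not be determined.
verdict() {
    if [ "$1" != yes ]; then
        echo "OK: ScanOnAccess not enabled; PrivateTmp=$2 has no effect on it"
        return 0
    fi
    case "$2" in
        yes|true|on|1)
            echo "CONFLICT: ScanOnAccess is enabled but the unit runs with PrivateTmp=$2;" \
                 "clamd sits in a private mount namespace, so fanotify events for" \
                 "OnAccessMountPath/OnAccessIncludePath will never arrive"
            return 1 ;;
        no|false|off|0)
            echo "OK: ScanOnAccess is enabled and PrivateTmp=$2"
            return 0 ;;
        *)
            echo "UNKNOWN: could not determine PrivateTmp (got '$2')"
            return 2 ;;
    esac
}

# PrivateTmp setting of a unit as reported by systemd ("unknown" if unavailable).
unit_privatetmp() {
    v=$(systemctl show -p PrivateTmp --value "$1" 2>/dev/null) || v=""
    echo "${v:-unknown}"
}

# Succeed if PID $1 lives in a different mount namespace than PID 1, which is
# what PrivateTmp causes. Needs root to read another process's ns links;
# if both readlinks fail it cannot tell and reports "not private".
in_private_mntns() {
    [ "$(readlink "/proc/$1/ns/mnt" 2>/dev/null)" != "$(readlink /proc/1/ns/mnt 2>/dev/null)" ]
}

# audit <unit> <clamd config>   e.g. audit clamd@root /etc/clamd.d/root.conf
audit() {
    if onaccess_enabled "$2"; then oa=yes; else oa=no; fi
    verdict "$oa" "$(unit_privatetmp "$1")"
}

# Constructed sample config mirroring the report (not a real file on this host).
write_sample_conf() {
    cat >"$1" <<'EOF'
# sample clamd config (constructed for the demo)
LocalSocket /var/run/clamd.sock
ScanOnAccess yes
OnAccessExcludeUID 0
OnAccessMountPath /home
OnAccessMountPath /tmp
EOF
}

# Stand-alone demo: the same config under PrivateTmp=yes and PrivateTmp=no.
demo() {
    f=$(mktemp) && write_sample_conf "$f"
    echo "on-access directives found:"
    onaccess_directives "$f"
    if onaccess_enabled "$f"; then oa=yes; else oa=no; fi
    verdict "$oa" yes || echo "(exit status $?)"
    verdict "$oa" no  || echo "(exit status $?)"
    rm -f "$f"
}

demo
```

On a real host, `audit clamd@root /etc/clamd.d/root.conf` gives the answer directly; `in_private_mntns "$(systemctl show -p MainPID --value clamd@root)"` confirms from /proc whether the running daemon is actually inside a private mount namespace, independent of what the unit file says.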
*** This bug has been marked as a duplicate of bug 1464269 ***