On some systems clamdscan gets a permission denied error. We have been unable to determine why it fails on some hosts and not others. I don't see anything in /var/log/audit/audit.log to explain the failure.

Information on broken host:

$ sudo /usr/bin/clamdscan --fdpass --infected --no-summary --stdout /etc/gshadow
/etc/gshadow: File path check failure: Permission denied. ERROR
/etc/gshadow: File path check failure: Permission denied. ERROR

$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.9 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.9"

$ getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> off

$ fips-mode-setup --check
FIPS mode is enabled.
Information on working host:

$ sudo /usr/bin/clamdscan --fdpass --infected --no-summary --stdout /etc/gshadow

$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.9 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.9"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.9 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.9"

$ getsebool -a | grep antivirus
antivirus_can_scan_system --> on
antivirus_use_jit --> off

$ fips-mode-setup --check
FIPS mode is enabled.
The error disappears if I use "--stream" instead of "--fdpass". Looking at the documentation I see that "--stream" is meant for testing and debugging, so I've stayed away from using this in our regular environment. Is "--stream" something that I should be using all of the time despite the documentation? We are using a central scanning server rather than scanning locally.
ClamAV version 0.103.11-1.el8
Does it work in permissive mode?

sudo setenforce 0

Any difference in the /etc/clamd.d/scan.conf files between the machines? (assuming that is your clamd config file).
$ sudo setenforce 0
$ sudo /usr/bin/clamdscan --fdpass -v --stdout /etc/gshadow
/etc/gshadow: File path check failure: Permission denied. ERROR
/etc/gshadow: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.002 sec (0 m 0 s)
Start Date: 2024:05:17 08:59:53
End Date: 2024:05:17 08:59:53

This suggests it's not SELinux. I checked the config files; they are the same. We push the same config to all hosts using Ansible.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.