Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

clamdscan: File path check failure: Permission denied. ERROR selinux #441

Closed mfld closed 7 months ago

mfld commented 2 years ago

Describe the bug

Running clamdscan on files with an SELinux context set results in permission denied errors on RHEL 8.1 Workstation and Rocky Linux 8.5.

Expected clamdscan to succeed on directories like /etc or /var/log when run as root (which also owns /var/run/clamd.scan/clamd.sock).

How to reproduce the problem

# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.1 (Ootpa)

# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# dnf install clamd clamav -y

# rpm -qa | grep clam
clamav-filesystem-0.103.5-1.el8.noarch
clamd-0.103.5-1.el8.x86_64
clamav-lib-0.103.5-1.el8.x86_64
clamav-0.103.5-1.el8.x86_64
clamav-data-0.103.5-1.el8.noarch

# semanage boolean --modify antivirus_can_scan_system --on
# semanage boolean -l | grep antivirus
antivirus_can_scan_system      (on   ,   on)  Allow antivirus to can scan system
antivirus_use_jit              (off  ,  off)  Allow antivirus to use jit
polyinstantiation_enabled      (off  ,  off)  Allow polyinstantiation to enabled

# systemctl cat clamd.service
# /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://www.clamav.net/documents
#After=clamd@scan.service syslog.target network.target

[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/sbin/clamd -F --config-file=/etc/clamd.d/scan.conf
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

# systemctl start clamd

# ls -lZ /var/run/clamd.scan/
total 0
srw-rw-rw-. 1 root root system_u:object_r:antivirus_var_run_t:s0 0 Jan 26 16:37 clamd.sock

# whoami
root

# clamdscan -v  -m /etc/audit/auditd.conf 
/etc/audit/auditd.conf: File path check failure: Permission denied. ERROR
/etc/audit/auditd.conf: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.001 sec (0 m 0 s)
Start Date: 2022:01:26 16:47:13
End Date:   2022:01:26 16:47:13

[root@localhost ~]# ls -lZ /etc/audit/auditd.conf 
-rw-r-----. 1 root root system_u:object_r:auditd_etc_t:s0 856 Jul 25  2019 /etc/audit/auditd.conf

Output of clamconf -n

# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogSyslog = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/run/clamd.scan/clamd.sock"
MaxThreads = "2"
MaxQueue = "200"
CrossFilesystems disabled
SelfCheck = "3600"
MaxScanSize = "209715200"
MaxFileSize = "104857600"
OnAccessExcludeRootUID = "yes"
OnAccessPrevention = "yes"

freshclam.conf not found

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.5
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON 

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
daily.cvd: version 26420, sigs: 1970864, built on Wed Jan 12 10:26:28 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8618383

Platform information
--------------------
uname: Linux 4.18.0-147.el8.x86_64 #1 SMP Thu Sep 26 15:52:44 UTC 2019 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217e7e0800000002080500

Build information
-----------------
GNU C: 8.5.0 20210514 (Red Hat 8.5.0-4) (8.5.0)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed  -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 126, dconf: 126

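Before reaching for --fdpass or --stream, the check that settles whether SELinux is actually the cause is the audit log: a denial against clamd shows up as an AVC record with the daemon's domain in scontext and the target file's type in tcontext (on the reporter's host, `ausearch -m AVC -c clamd -ts recent` would list them; the issue body itself contains no audit output). The following is an added example, not code from the issue or from ClamAV. The AVC line it parses is constructed to illustrate the record format and is not a log from the reporter's machine, and the labels it assigns are this example's own vocabulary.

```python
import re

# Constructed AVC record in auditd's format (illustrative only; not from the issue).
SAMPLE_AVC = (
    'type=AVC msg=audit(1643215633.123:456): avc:  denied  { read open } for  pid=1234 '
    'comm="clamd" name="auditd.conf" dev="dm-0" ino=67890 '
    'scontext=system_u:system_r:antivirus_t:s0 '
    'tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:range]; policy rules are written against the type.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def classify_clamd_denial(line):
    """Label an audit line for the situation discussed in this issue.

    'not-avc'       : not an AVC record at all
    'granted'       : an AVC record, but not a denial
    'other-process' : a denial, but the subject is not clamd
    'path-read'     : clamd's domain was refused read/open/getattr on a file or
                      directory it was handed a path to; this is what the kernel
                      side of "File path check failure" looks like when SELinux,
                      rather than DAC permissions, is what refused the access
    'other-denial'  : clamd was denied something else (socket, network, ...)
    """
    rec = parse_avc(line)
    if rec is None:
        return "not-avc"
    if rec["result"] != "denied":
        return "granted"
    if rec["comm"] != "clamd":
        return "other-process"
    path_perms = {"read", "open", "getattr", "search"}
    if rec["tclass"] in ("file", "dir", "lnk_file") and path_perms & set(rec["perms"]):
        return "path-read"
    return "other-denial"


def summarize(line):
    """One-line summary of the denial, in the terms a policy maintainer will ask for."""
    rec = parse_avc(line)
    if rec is None:
        return "not an AVC record"
    return (f"{rec['sdomain']} was {rec['result']} {' '.join(rec['perms'])} "
            f"on {rec['tclass']} of type {rec['ttype']}")
```

If `classify_clamd_denial` returns "path-read" for a real record, the source and target types in the summary are exactly what a policy boolean or a custom module has to cover; if no AVC record appears at all while the error persists, SELinux is not the blocker and ordinary ownership and mode bits on the path (and on the socket) are the next thing to check.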
anotherbugmaster commented 2 years ago

Hey @mfld! Just encountered the same issue, seems like you need to pass the file descriptor of the user who owns the target file, as described here. Worked for me, hope it will for you too!

mfld commented 2 years ago

Hi, passing the file descriptor via fdpass generates a different error for me.

# /usr/bin/clamdscan --fdpass --stdout --config-file=/etc/clamd.d/scan.conf -m /etc/audit/auditd.conf 
ERROR: Communication error
ERROR: Clamd closed the connection before scanning all files.

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:02:14 09:29:34
End Date:   2022:02:14 09:29:34

life5ign commented 2 years ago

Hey @mfld! Just encountered the same issue, seems like you need to pass the file descriptor of user who owns the target file, like described here. Worked for me, hope it will for you too!

Using --fdpass fixed this issue for me while scanning a file owned by root. My instance of clamd was running as the user clamav. Here's my config, the file scanned, a successful scan and the original failed scan:

θ67° [root:~] 2 # clamconf | grep -iE 'User|Socket'
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
User = "clamav"
HTTPProxyUsername disabled
HTTPUserAgent disabled
θ67° [root:~] 2 # ls -la foo
-rw-r--r-- 1 root root 0 Apr 28 14:29 foo
θ67° [root:~] 2 # clamdscan --fdpass foo
/root/foo: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:04:28 14:42:04
End Date:   2022:04:28 14:42:04
θ67° [root:~] 2 # clamdscan foo
/root/foo: File path check failure: Permission denied. ERROR
/root/foo: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:04:28 14:42:11
End Date:   2022:04:28 14:42:11

mfld commented 2 years ago

Hi @life5ign,

It is likely due to SELinux rather than scanning with --fdpass in itself. Scanning /etc/audit/auditd.conf still results in an error.

ls -lZ /etc/audit/auditd.conf
-rw-r-----. 1 root root system_u:object_r:auditd_etc_t:s0 872 Oct 26  2021 /etc/audit/auditd.conf

#  clamdscan --fdpass /etc/audit/auditd.conf
/etc/audit/auditd.conf: no reply from clamd

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:04:29 12:52:50
End Date:   2022:04:29 12:52:50

Following your example with foo, no issues.

# touch foo
# ls -lZ foo
-rw-r-----. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Apr 29 12:40 foo

#  clamdscan --fdpass foo
/root/foo: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.006 sec (0 m 0 s)
Start Date: 2022:04:29 12:40:23
End Date:   2022:04:29 12:40:23

funxiun commented 2 years ago

Hi @mfld

I have, I think, the exact same problem on a RHEL 8.5 environment.

After fiddling around with different settings, I found that using the --stream parameter resolves my problem.

clamdscan --stream /home

Documentation states the following:

       --stream
              Forces file streaming to clamd. This is generally not needed as clamdscan detects automatically if streaming is required. This option only exists for debugging and testing purposes, in all other cases --fdpass is preferred.

I guess the autodetect doesn't work properly.

I can only reproduce this error when I'm using TCPSocket. When using a LocalSocket I can use clamdscan with --fdpass without any problems.
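What separates the three scan modes in this thread is who opens the file. With a plain path, clamd performs the open() itself, under its own uid and its own SELinux domain, so the daemon's permissions decide. With --fdpass, clamdscan opens the file and hands the descriptor to clamd over the Unix socket as SCM_RIGHTS ancillary data (the zFILDES command), so clamd reads through a descriptor the client already holds; SCM_RIGHTS exists only on AF_UNIX sockets, which is why descriptor passing cannot work over TCPSocket. With --stream, clamdscan reads the file itself and ships the bytes in zINSTREAM chunks, which works over any socket type. The code below is an added example, not code from the issue or from ClamAV's source: it implements both client-side framings and a minimal receiver over a socketpair so the mechanics can be seen offline. The receiver is a stand-in that only reads the file, not clamd; the wire format it follows (null-terminated z-prefixed commands, INSTREAM chunks as a 4-byte big-endian length followed by data, a zero length terminating the stream) is the one described in the clamd(8) man page.

```python
import array
import os
import socket
import struct
import tempfile


def build_instream(data, chunk_size=2048):
    """Client side of --stream: zINSTREAM, then <len:uint32 BE><chunk>..., then a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_instream(payload):
    """Receiver side: undo the INSTREAM framing and return the file body."""
    end = payload.index(b"\0")
    if payload[:end] != b"zINSTREAM":
        raise ValueError("not an INSTREAM command")
    pos, body = end + 1, bytearray()
    while True:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if n == 0:
            return bytes(body)
        body += payload[pos:pos + n]
        pos += n


def send_fildes(sock, fd):
    """Client side of --fdpass: the zFILDES command with the open descriptor attached
    as SCM_RIGHTS ancillary data. Only AF_UNIX sockets can carry SCM_RIGHTS."""
    sock.sendmsg([b"zFILDES\0"],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fildes(sock):
    """Receiver side: pull the command and the passed descriptor out of one message."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Ignore any truncated trailing bytes, as the Python socket docs recommend.
            fds.frombytes(cdata[:len(cdata) - (len(cdata) % fds.itemsize)])
    if len(fds) == 0:
        raise RuntimeError("no descriptor received")
    return msg, fds[0]


def fdpass_roundtrip(content):
    """Show that the receiver reads the file through the passed descriptor and never
    needs to open() the path: the path is made mode 000 after the client opens it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        with open(path, "rb") as f:          # the client (clamdscan's role) opens the file
            os.chmod(path, 0o000)           # from now on the path itself is unreadable
            send_fildes(client, f.fileno())  # the kernel keeps the file alive in the message
        try:
            open(path, "rb").close()
            path_open_refused = False       # uid 0 bypasses mode bits (CAP_DAC_OVERRIDE)
        except PermissionError:
            path_open_refused = True
        cmd, fd = recv_fildes(server)
        with os.fdopen(fd, "rb") as g:      # read via the descriptor, not the path
            data = g.read()
        return {"command": cmd, "data": data,
                "path_open_refused": path_open_refused, "euid": os.geteuid()}
    finally:
        client.close()
        server.close()
        os.chmod(path, 0o600)
        os.unlink(path)
```

The roundtrip shows the limit of --fdpass as a workaround: it sidesteps DAC permissions and the daemon's own view of the path, because the descriptor is opened by the caller. It does not change which process ultimately reads the bytes, so a mandatory access control policy that confines the daemon can still apply to the read itself; that is consistent with mfld still seeing failures on an SELinux-labelled file while a file in the home directory scans fine.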

RafiraRangga commented 1 year ago

I tried re-downloading and it worked.

I was doing a clamscan on a failed file, and I re-downloaded it, then tried again and it worked.

ugogou commented 5 months ago

Hey @mfld! Just encountered the same issue, seems like you need to pass the file descriptor of user who owns the target file, like described here. Worked for me, hope it will for you too!

Using --fdpass fixed this issue for me while scanning a file owned by root. My instance of clamd was running as the user clamav. Here's my config, the file scanned, a successful scan and the original failed scan:

θ67° [root:~] 2 # clamconf | grep -iE 'User|Socket'
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
User = "clamav"
HTTPProxyUsername disabled
HTTPUserAgent disabled
θ67° [root:~] 2 # ls -la foo
-rw-r--r-- 1 root root 0 Apr 28 14:29 foo
θ67° [root:~] 2 # clamdscan --fdpass foo
/root/foo: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:04:28 14:42:04
End Date:   2022:04:28 14:42:04
θ67° [root:~] 2 # clamdscan foo
/root/foo: File path check failure: Permission denied. ERROR
/root/foo: File path check failure: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:04:28 14:42:11
End Date:   2022:04:28 14:42:11

It works! Thank you!