6

Whenever I try to execute a ClamAV scan on a file in many of my bin directories, it fails with a

Can't open file or directory ERROR

message. I know it's possible to get ClamdScan to scan the bin directory but I can't figure out how. Any suggestions?

$ clamdscan /bin/true
/bin/true: Can't open file or directory ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

I can't find any differences between the AppArmor configuration files on the machine where it works and on the machine where it doesn't. I did get it to scan with a workaround by adding:

/bin/** r,

to:

/etc/apparmor.d/local/usr.sbin.clamd

But this line isn't present in the other machine's local clamd AppArmor permissions file, so I'm still confused. It's also such a shotgun solution, just saying ClamAV can access everything in /bin and below, mainly because if this is the solution then I have to add /sbin, /usr/bin and /usr/sbin to AppArmor as well, and that just seems counter-intuitive.

Hennes
TimeHorse

2 Answers

8

It was AppArmor preventing me from accessing bin. I changed:

/etc/apparmor.d/local/usr.sbin.clamd

by adding:

/bin/** r,

to it and was able to scan the files in /bin. If I want to add other directories I just need to add lines to that file to include them. The AppArmor line above means /bin and all child folders, recursively, with read-only access, which is all ClamAV needs. The file in question is AppArmor's directive for what special permissions /usr/sbin/clamd, which is the ClamAV service daemon, will receive. So this was all I needed to do to get it working. Thanks @Ramhound for the hint!

TimeHorse
3

I had issues while scanning an imported NFS file system, like /data/nfs/dir1/file.jpg:

clamdscan /data/nfs/dir1/file.jpg: Can't open file or directory ERROR

Adding "/data/nfs/* r" in /etc/apparmor.d/local/usr.sbin.clamd didn't do the trick for me. Running apparmor_status shows that the clamd process is in enforce mode:

2 processes are in enforce mode.
   /usr/bin/freshclam (18572) 
   /usr/sbin/clamd (18677) 

So, I've installed the apparmor-utils package and then set the clamd process to complain mode:

aa-complain /usr/sbin/clamd

Then I was able to scan the file:

clamdscan /data/nfs/dir1/file.jpg
/data/nfs/dir1/file.jpg: OK
catalin
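An added example (not part of either answer) for checking which local rules actually cover the paths clamd is being denied: it parses AppArmor denial lines from the kernel audit log and tests them against candidate read rules, using AppArmor's glob semantics, where `*` stays within one directory level and `**` recurses. The log lines are constructed samples and the function names are this example's own.

```python
import re

# Constructed kernel audit lines in the AppArmor denial format (not from the page).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:71): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/bin/true" pid=18677 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1700000000.202:72): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/data/nfs/dir1/file.jpg" pid=18677 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
audit: type=1400 audit(1700000000.303:73): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/daily.cld" pid=18572 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

def denied_reads(log, profile="/usr/sbin/clamd"):
    """Return paths the given profile was denied read access to."""
    paths = []
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if (f.get("apparmor") == "DENIED" and f.get("profile") == profile
                and "r" in f.get("denied_mask", "")):
            paths.append(f["name"])
    return paths

def glob_to_regex(glob):
    """Simplified translation of the *, ** and ? wildcards of an AppArmor
    path glob. Character classes and {a,b} alternation are not handled."""
    out = []
    for tok in re.split(r'(\*\*|\*|\?)', glob):
        if tok == "**":
            out.append(".*")       # crosses directory boundaries
        elif tok == "*":
            out.append("[^/]*")    # stays inside one path component
        elif tok == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(tok))
    return re.compile("".join(out))

def uncovered(paths, rules):
    """Paths that no read rule in `rules` (e.g. '/bin/** r,') would match."""
    globs = [glob_to_regex(r.rstrip(",").split()[0])
             for r in rules if "r" in r.rstrip(",").split()[1]]
    return [p for p in paths if not any(g.fullmatch(p) for g in globs)]

if __name__ == "__main__":
    denied = denied_reads(SAMPLE_LOG)
    for rules in (["/bin/** r,", "/data/nfs/* r,"], ["/bin/** r,", "/data/nfs/** r,"]):
        print(rules, "-> still denied:", uncovered(denied, rules))
```

After editing /etc/apparmor.d/local/usr.sbin.clamd, the profile has to be reloaded (for example with `apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd`) before the new rules take effect.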