SELinux is indeed enabled, but there's no blocking message in audit.log when the error occurs.
After further retries, it seems the error sometimes occurs a while after clamd has started, even 2 minutes: Thu May 5 08:25:38 2016 -> ScanOnAccess: notifying only for access attempts. Thu May 5 08:25:38 2016 -> ScanOnAccess: Protecting '/' and rest of mount. Thu May 5 08:25:38 2016 -> ScanOnAccess: Max file size limited to 5242880 bytes Thu May 5 08:27:29 2016 -> ERROR: ScanOnAccess: Internal error (failed to read data) ... Permission denied I tried passing the --debug flag to the command, but it does not seem to provide any more info. The OS is RHEL 7.2 running on Amazon EC2, kernel: 3.10.0-327.10.1.el7.x86_64 Thanks ________________________________________ From: clamav-users [[email protected]] on behalf of Bond Masuda [[email protected]] Sent: 04 May 2016 19:11 To: ClamAV users ML Subject: Re: [clamav-users] ScanOnAccess issue when clamd launched from systemd Is SELinux enabled on that system? If so, I would look to see if SELinux is blocking. On 05/04/2016 09:29 AM, Mikko Caldara wrote: > Hello, > I'm trying to configure OnAccess scanning on the whole drive, as read in this > post blog: > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html > (first example) > It works fine if I launch clamd manually, with: /usr/sbin/clamd -c > /etc/clamd.conf & > > If I use systemd to launch the clamd service, the ScanOnAccess functionality > is broken (Permission denied). > > Here's the systemd file: > > > > [Unit] > > Description=ClamAV Daemon > > > [Service] > > ExecStartPre=/usr/bin/mkdir -p /var/run/clamav > > Type=forking > > PIDFile=/var/run/clamav/clamd.pid > > User=root > > ExecStart=/usr/sbin/clamd -c /etc/clamd.conf > > > [Install] > > WantedBy=multi-user.target > > > And here is the partial log, with the error: > > > Wed May 4 15:45:29 2016 -> +++ Started at Wed May 4 15:45:29 2016 > > Wed May 4 15:45:29 2016 -> clamd daemon 0.99.1 (OS: linux-gnu, ARCH: x86_64, > CPU: x86_64) > > Wed May 4 15:45:29 2016 -> Running as user root (UID 0, GID 0) > > [...] > > Wed May 4 15:45:30 2016 -> ScanOnAccess: notifying only for access attempts. > > Wed May 4 15:45:30 2016 -> ScanOnAccess: Protecting '/' and rest of mount. > > Wed May 4 15:45:30 2016 -> ScanOnAccess: Max file size limited to 5242880 > bytes > > Wed May 4 15:45:31 2016 -> ERROR: ScanOnAccess: Internal error (failed to > read data) ... Permission denied > > > Any ideas as of why this is happening? > > > Thanks > > /MC > > > This communication and any attachments contain information which is > confidential and may be subject to legal privilege. It is for intended > recipients only. If you are not the intended recipient you must not copy, > distribute, publish, rely on or otherwise use it without our consent. Some of > our communications may contain confidential information which it could be a > criminal offence for you to disclose or use without authority. If you have > received this email in error please notify [email protected] immediately > and delete the email from your computer. Further information on the > classification and handling of FCA information can be found on the FCA > website (http://www.fca.org.uk/site-info/legal/fca-classified-information). > The FCA (or, if this email originates from the PSR, the FCA on behalf of the > PSR/the PSR) reserves the right to monitor all email communications for > compliance with legal, regulatory and professional standards. > This email is not intended to nor should it be taken to create any legal > relations or contractual relationships. This email has originated from the > Financial Conduct Authority (FCA), or the Payment Systems Regulator (PSR). > The Financial Conduct Authority (FCA) is registered as a limited company in > England and Wales No. 1920623. Registered office: 25 The North Colonnade, > Canary Wharf, London E14 5HS, United Kingdom > The Payment Systems Regulator (PSR) is registered as a limited company in > England and Wales No. 8970864. Registered office: 25 The North Colonnade, > Canary Wharf, London E14 5HS, United Kingdom > Switchboard 020 7066 1000 > Web Site http://www.fca.org.uk (FCA); http://www.psr.org.uk (PSR) > > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
