Problem: clamav socket parent folder problems in centos #102

Closed
scollazo opened this issue Dec 5, 2017 · 4 comments

scollazo commented Dec 5, 2017

In CentOS 7, with SELinux enabled, and /var/run pointing to /run (a tmpfs mount), Archivematica doesn't work after a server reboot, because the parent folder for the clamav socket doesn't allow others to read it:

drwx--x---. 2 clamscan clamscan 60 Dec  5 10:35 /var/run/clamd.scan
srw-rw-rw-. 1 clamscan clamscan 0 Dec  5 10:35 /var/run/clamd.scan/clamd.sock

This folder is created with each reboot, in /lib/tmpfiles.d/clamd.scan.conf, so we should add our own config file in /etc/tmpfiles.d/ in order to override the default permissions.

scollazo added the AM17 label Dec 5, 2017

sevein commented Dec 5, 2017

@scollazo if this is going to be hard to solve, talk to @ross-spencer because he's working on a new PR where you should be able to manually choose the backend and default to clamscan (passing a certain environment string to MCPClient), which doesn't rely on clamd. Not ideal maybe, because clamd can be faster, but perhaps a good compromise due to our time constraints for the AM17 release.

scollazo commented Dec 5, 2017

It's not difficult to solve, we only need to put a file with the following content:

d /var/run/clamd.scan 0775 clamscan clamscan

In /etc/tmpfiles/archivematica-clamd.conf (example name)
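
Added example, not part of the original thread or the project's code: a check that takes the `ls -l` lines from the report and the proposed tmpfiles.d line, and reports which path component stops a client user from reaching the socket. The client user name `archivematica` is an assumption; SELinux policy and root's permission bypass are not modelled.

```python
import stat

# Constructed input: the two `ls -l` lines quoted in the issue above.
LS_BEFORE = """\
drwx--x---. 2 clamscan clamscan 60 Dec  5 10:35 /var/run/clamd.scan
srw-rw-rw-. 1 clamscan clamscan 0 Dec  5 10:35 /var/run/clamd.scan/clamd.sock
"""
# The tmpfiles.d line proposed in the comment above.
TMPFILES_FIX = "d /var/run/clamd.scan 0775 clamscan clamscan"


def parse_ls(text):
    """Parse `ls -l` lines into {path: (mode_string, owner, group)}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 9:
            # Keep the type character plus the nine permission characters;
            # this drops the trailing SELinux/ACL marker ('.' or '+').
            entries[fields[8]] = (fields[0][:10], fields[2], fields[3])
    return entries


def apply_tmpfiles(entries, line):
    """Return a copy of entries with a tmpfiles.d 'd' line applied."""
    kind, path, mode, owner, group = line.split()[:5]
    if kind != "d":
        raise ValueError("only 'd' (create directory) lines are handled")
    updated = dict(entries)
    updated[path] = (stat.filemode(stat.S_IFDIR | int(mode, 8)), owner, group)
    return updated


def first_blocker(entries, user, groups):
    """Return the first path that stops `user` reaching the socket, or None."""
    for path in sorted(entries, key=len):  # parent directories first
        mode, owner, group = entries[path]
        # POSIX uses exactly one triplet: owner, else group, else other.
        start = 1 if user == owner else 4 if group in groups else 7
        triplet = mode[start:start + 3]
        if mode[0] == "d":
            allowed = triplet[2] in "xst"   # search (traverse) permission
        else:
            allowed = triplet[1] == "w"     # connect() needs write on the socket
        if not allowed:
            return path
    return None
```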

mamedin commented Dec 5, 2017

Hi,

The socket file is created after a system reboot by uncommenting the following line in /etc/clamd.d/scan.conf:

LocalSocket /var/run/clamd.scan/clamd.sock

This file has the active config:

[centos@maml-centos-issue-102 ~]$ grep -vE '(^#|^\s*$)' /etc/clamd.d/scan.conf
LogSyslog yes
LocalSocket /var/run/clamd.scan/clamd.sock
TCPSocket 3310
User clamscan
AllowSupplementaryGroups yes

The TCP socket is still listening:

[centos@maml-centos-issue-102 ~]$ sudo netstat -putan | grep clam
tcp        0      0 0.0.0.0:3310            0.0.0.0:*               LISTEN      841/clamd
tcp6       0      0 :::3310                 :::*                    LISTEN      841/clamd

scollazo commented

As we now use a TCP socket, I'm closing this.
