Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1464270

Summary: PrivateTmp = true breaks all ScanOnAccess features
Product: [Fedora] Fedora EPEL Reporter: James Ralston <ralston>
Component: clamavAssignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel7CC: extras-qa, janfrode, j, ondrejj, orion, redhat-bugzilla, rhbugs, sergio, steve
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1464269 Environment:
Last Closed: 2018-01-08 02:01:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1464269    
Bug Blocks:    

Description James Ralston 2017-06-22 20:59:54 UTC 
+++ This bug was initially created as a clone of Bug #1464269 +++

"PrivateTmp = true" was added to the clamd@.service unit file per request of Dan Walsh in bug 782488.

Since version 0.99, Clam AntiVirus has been able to use fanotify() in order to provide on-access scanning:

http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Unfortunately, using "PrivateTmp = true" silently breaks all on-access scanning features. Not only does on-access scanning for /tmp and /var/tmp not work (because the clamd service is not looking at the real /tmp and /var/tmp directories), but all other uses of OnAccessIncludePath and OnAccessMountPath silently fail as well.

This is trivial to test. As root:

$ cat >/etc/clamd.d/root.conf <<EOF
ExtendedDetectionInfo yes
LocalSocket /var/run/clamd.sock
ScanOnAccess yes
OnAccessExcludeUID 0
OnAccessExtraScanning yes
OnAccessMountPath /home
OnAccessMountPath /tmp
OnAccessMountPath /var/tmp
EOF

$ systemctl start clamd@root

As a regular user, cd to your home directory, and do:

$ cat >/home/testuser/eicar.com <<EOF
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF

Result: the clamd daemon will not receive a fanotify event, and therefore will not detect the creation of the test virus file.

Now turn off the PrivateTmp feature. As root:

$ cat >/etc/systemd/system/clamd@.service
.include /usr/lib/systemd/system/clamd@.service

[Service]
PrivateTmp = false
EOF

$ systemctl daemon-reload
$ systemctl restart clamd@root

As the regular user, cat the eicar.com test file:

$ cat eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now, the clam daemon will receive the fanotify event, and emit something like this:

2017-06-22T16:41:41.758517-04:00 host.example.org clamd: ScanOnAccess: /home/testuser/eicar.com: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

While in general, "PrivateTmp = true" is a good idea, it *MUST NOT* be used with clamav, because a service with PrivateTmp = true will never receive any fanotify() events, which breaks clamav core functionality.

Please remove the "PrivateTmp = true" line from the clamd@.service file.
Comment 1 Sergio Basto 2018-01-08 02:01:12 UTC 

*** This bug has been marked as a duplicate of bug 1464269 ***