We're trying to use clamav on a centos 7 server in order to scan directly files on our web apps (Moodle for example).
When trying to execute a clamdscan from apache, we got this error (the file belong to apache:apache and has correct rights 755)
<?php
exec('/usr/bin/clamdscan --stdout --fdpass /var/www/html/test/filetoscan', $output, $return);
print "<pre>";
print_r($output);
print_r($return);
?>
And the return is :
Array
(
[0] => Failed to parse reply: "No file descriptor received. ERROR"
[1] =>
[2] => ----------- SCAN SUMMARY -----------
[3] => Infected files: 0
[4] => Total errors: 1
[5] => Time: 0.000 sec (0 m 0 s)
)
2
Of course, if we try to do it directly through command lines, we have same error..
su -l apache -s /bin/bash
/usr/bin/clamdscan --stdout --fdpass /var/www/html/test/filetoscan
How can I allow apache to execute clamdscan (or resolve the file descriptor problem) ? of course if the command is launched by an other user everything works fine.
Thanks for your help 🙂
Regards.
Diego
Best Answer
Neither applying
setsebool -P antivirus_can_scan_system 1
(from this setup procedure) or disabling completely SELinux in/etc/selinux/config
have improved the situation.As a result, a
strace
has been generated to understand what happens, running asapache
:First accessing the unix socket file
/var/run/clamd.scan/clamd.sock
failed, then the fallback to TCP communication127.0.0.1/3301
failed for another reason.Probably adding
apache
in the required group to access the unix socket will fix your issue.