Configuration of ClamAV (Daemon - socket): Permission denied (code 13)

l.koutny · January 12, 2026, 8:20pm

Support intro

Sorry to hear you’re facing problems.

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

Official documentation (searchable and regularly updated)
How to topics and FAQs
Forum search

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can.

The Basics

Nextcloud Server version (e.g., 29.x.x):
- Nextcloud Hub 10 (32.0.3)
Operating system and version (e.g., Ubuntu 24.04):
- Linux version 5.14.0-611.13.1.el9_7.x86_64 x86_64 (RedHat 9.7 - Plow)
Web server and version (e.g, Apache 2.4.25):
- Apache 2.4.62
Reverse proxy and version _(e.g. nginx 1.27.2)
- don’t know
PHP version (e.g, 8.3):
- 8.32.28 (I upgraded PHP from 8.2 but didn’t succeeded in uninstalling 8.2, so it’s still running in parallel)
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- installed from scratch - archive - following this manual
  
  https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue:

Can you please help me with the permission error I am facing when I try to configure ClamAV for my Nextcloud server? Thank you for your time.

I installed ClamAV following this documentation

I want to proceeed with configuration of ClamAV from Nextcloud side.
When i want to save ClamAV Daemon (Socket) configuration (in Administration settings - Security), i get error:

“Cannot connect to “/var/run/clamd.scan/clamd.ctl”: Permission denied (code 13)”

I tried to verify which user runs the apache webserver (commands used with AI help):

sudo grep -E ‘^(User|Group)’ /etc/httpd/conf/httpd.conf

User apache
Group apache

# parent and worker processes

ps -eo user,comm | grep httpd
root httpd #only once
apache httpd
apache httpd
…

in /etc/clamd.d/scan.conf - I have these options:

LogFile /var/log/clamscan/clamd.scan.log
LocalSocket /var/run/clamd.scan/clamd.ctl
LocalSocketMode 660 (#also tried 766, no success)
LocalSocketGroup virusgroup
User clamscan

#groups membership

cat /etc/group
clamupdate:x:981:
virusgroup:x:980:clamupdate,clamscan,apache
clamscan:x:979:

#folders and logs ownership

chown clamupdate:virusgroup /var/log/clamav
chown clamupdate:virusgroup /var/log/clamav/freshclam.log
chown clamscan:virusgroup /var/log/clamscan
chown clamscan:virusgroup /var/log/clamscan/clamd.scan.log
chown clamscan:virusgroup /var/run/clamd.scan

chmod 750 /var/log/clamav
chmod 640 /var/log/clamav/freshclam.log
chmod 750 /var/log/clamscan
chmod 640 /var/log/clamscan/clamd.scan.log
chmod 755 /run/clamd.scan

SELinux (commands by AI)
semanage fcontext -a -t antivirus_log_t “/var/log/clamav(/.)?"
semanage fcontext -a -t antivirus_log_t "/var/log/clamscan(/.)?”
semanage fcontext -a -t antivirus_var_run_t “/var/run/clamd.scan(/.*)?”

restorecon -Rv /var/log/clamav
restorecon -Rv /var/log/clamscan
restorecon -Rv /var/run/clamd.scan

NOTHING OF THE ABOVE HELPS, ERROR STILL PRESENT.

Steps to replicate it (hint: details matter!)

Install ClamAV
Configure Daemon (Socket) in Nextcloud

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

{"reqId":"aWUU3kx2XUzbfCgqjzTIvgAAAEI","level":2,"time":"2026-01-12T15:35:58+00:00","remoteAddr":"10.6.8.202","user":"atlennextcl1padm","app":"PHP","method":"POST","url":"/index.php/apps/files_antivirus/settings/save","message":"stream_socket_client(): Unable to connect to unix:///var/run/clamd.scan/clamd.ctl (Permission denied) at /var/www/html/nextcloud/apps/files_antivirus/lib/Scanner/ExternalClam.php#38","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0","version":"32.0.3.2","data":{"app":"PHP"},"id":"69654bdeb5028"}

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

PASTE

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/httpd/error.log:

[Mon Jan 12 20:51:27.740199 2026] [mpm_event:notice] [pid 57790:tid 57790] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Jan 12 20:51:30.848184 2026] [core:notice] [pid 58129:tid 58129] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Jan 12 20:51:30.849379 2026] [suexec:notice] [pid 58129:tid 58129] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jan 12 20:51:30.875381 2026] [lbmethod_heartbeat:notice] [pid 58129:tid 58129] AH02282: No slotmem from mod_heartmonitor
[Mon Jan 12 20:51:30.884589 2026] [mpm_event:notice] [pid 58129:tid 58129] AH00489: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.5.1 configured -- resuming normal operations
[Mon Jan 12 20:51:30.884628 2026] [core:notice] [pid 58129:tid 58129] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "my.domain.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "32.0.3.2",
        "overwrite.cli.url": "http:\/\/server_IP",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "ldapTLSCert": "\/etc\/pki\/ca-trust\/source\/anchors\/cert_name.pem",
        "loglevel": 2,
        "maintenance": false,
        "twofactor_enforced": "true",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "skeletondirectory": "",
        "app_install_overwrite": [],
        "defaultapp": "dashboard",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
    }
}

Apps

The output of occ app:list (if possible).

Enabled:

activity: 5.0.0-dev.0
admin_audit: 1.22.0
app_api: 32.0.0
bruteforcesettings: 5.0.0-dev.0
circles: 32.0.0
cloud_federation_api: 1.16.0
comments: 1.22.0
contactsinteraction: 1.13.1
dashboard: 7.12.0
dav: 1.34.2
federatedfilesharing: 1.22.0
federation: 1.22.0
files: 2.4.0
files_accesscontrol: 3.0.2
files_antivirus: 6.1.0
files_automatedtagging: 3.0.2
files_downloadlimit: 5.0.0-dev.0
files_pdfviewer: 5.0.0-dev.0
files_reminders: 1.5.0
files_retention: 3.0.0
files_sharing: 1.24.1
files_trashbin: 1.22.0
files_versions: 1.25.0
firstrunwizard: 5.0.0-dev.0
impersonate: 3.0.0
logreader: 5.0.0-dev.0
lookup_server_connector: 1.20.0
nextcloud_announcements: 4.0.0-dev.0
notifications: 5.0.0-dev.0
oauth2: 1.20.0
password_policy: 4.0.0-dev.0
photos: 5.0.0-dev.1
privacy: 4.0.0-dev.0
profile: 1.1.0
provisioning_api: 1.22.0
recommendations: 5.0.0-dev.0
related_resources: 3.0.0-dev.0
serverinfo: 4.0.0-dev.0
settings: 1.15.1
sharebymail: 1.22.0
support: 4.0.0-dev.0
survey_client: 4.0.0-dev.0
systemtags: 1.22.0
terms_of_service: 4.6.1
text: 6.0.1
theming: 2.7.0
twofactor_backupcodes: 1.21.0
twofactor_nextcloud_notification: 6.0.0-dev.0
twofactor_totp: 14.0.0
updatenotification: 1.22.0
user_ldap: 1.23.0
user_saml: 7.1.1
user_status: 1.12.0
viewer: 5.0.0-dev.0
weather_status: 1.12.0
webhook_listeners: 1.3.0
workflowengine: 2.14.0

Disabled:

encryption: 2.20.0
files_external: 1.24.0
suspicious_login: 10.0.0-dev.0

Tips for increasing the likelihood of a response

Use the preformatted text formatting option in the editor for all log entries and configuration output.
If screenshots are useful, feel free to include them.
- If possible, also include key error output in text form so it can be searched for.
Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.

ernolf · January 12, 2026, 11:18pm

That looks like caused by SELinux.

Did you read this:

github.com/nextcloud/files_antivirus

RuntimeException: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13)

opened 01:58PM - 09 May 18 UTC

closed 09:57AM - 11 May 18 UTC

Githopp192

### Steps to reproduce 1. Activate AntiVirus App 2. Upload dummy virus file to… the Nextcloud 3. RuntimeException: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13) ClamAV Service is running properly: clamd@scan.service - Generic clamav scanner daemon Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2018-05-09 14:33:36 CEST; 1h 19min ago Process: 7531 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, status=0/SUCCESS) Main PID: 7538 (clamd) CGroup: /system.slice/system-clamd.slice/clamd@scan.service └─7538 /usr/sbin/clamd -c /etc/clamd.d/scan.conf Socket-File hat got the following permissions: srw-rw-rw-. 1 clamscan clamscan 0 May 9 14:33 /var/run/clamd.scan/clamd.sock Socket File is properly defined into the Nextcloud/AntiVirus Web-Gui ### Expected behaviour ClamAV Scanner should properly detect and report virus file. Nextcloud AntiVirus App should not report Permission denied on /var/run/clamd.scan/clamd.sock ### Actual behaviour RuntimeException: Cannot connect to "/var/run/clamd.scan/clamd.sock": Permission denied (code 13) by uploading any file. ## Server configuration detail **Operating system:** Linux 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 **Webserver:** Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.14 (apache2handler) **Database:** mysql 5.5.56 **PHP version:** 7.1.14 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, apcu, bcmath, bz2, calendar, ctype, curl, dba, dom, mbstring, fileinfo, ftp, gd, gettext, gmp, iconv, igbinary, imagick, imap, intl, json, ldap, exif, mcrypt, mysqli, PDO, pdo_mysql, pdo_sqlite, Phar, posix, redis, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, wddx, xmlreader, xmlwriter, xsl, memcached, zip, Zend OPcache **Nextcloud version:** 13.0.2 - 13.0.2.1 **Updated from an older Nextcloud/ownCloud or fresh install:** Updated from Nextcloud 12.0.6 **Where did you install Nextcloud from:** Automatic WEB-Upgrade by Nextcloud Enabled: - activity: 2.6.1 - admin_notifications: 1.0.1 - announcementcenter: 3.2.1 - apporder: 0.4.1 - bookmarks: 0.11.0 - bruteforcesettings: 1.0.3 - calendar: 1.6.1 - circles: 0.13.6 - comments: 1.3.0 - contacts: 2.1.3 - dav: 1.4.6 - deck: 0.3.1 - federatedfilesharing: 1.3.1 - federation: 1.3.0 - files: 1.8.0 - files_external: 1.4.1 - files_pdfviewer: 1.2.1 - files_rightclick: 0.8.4 - files_sharing: 1.5.0 - files_texteditor: 2.5.1 - files_trashbin: 1.3.0 - files_versions: 1.6.0 - files_videoplayer: 1.2.0 - firstrunwizard: 2.2.1 - gallery: 18.0.0 - impersonate: 1.0.4 - issuetemplate: 0.3.0 - logreader: 2.0.0 - lookup_server_connector: 1.1.0 - mindmaps: 0.1.0 - mood: 0.3.3 - music: 0.5.6 - nextcloud_announcements: 1.2.0 - notes: 2.3.2 - notifications: 2.1.2 - oauth2: 1.1.0 - ownbackup: 17.5.0 - passman: 2.1.4 - password_policy: 1.3.0 - polls: 0.8.1 - provisioning_api: 1.3.0 - quicknotes: 0.1.3 - quota_warning: 1.2.0 - rainloop: 5.0.6 - ransomware_protection: 1.1.0 - serverinfo: 1.3.0 - sharebymail: 1.3.0 - sharepoint: 1.1.0 - socialsharing_diaspora: 1.0.2 - socialsharing_email: 1.0.3 - socialsharing_facebook: 1.0.2 - socialsharing_googleplus: 1.0.2 - socialsharing_twitter: 1.0.2 - spreed: 3.2.0 - survey_client: 1.1.0 - systemtags: 1.3.0 - tasks: 0.9.6 - theming: 1.4.1 - twofactor_backupcodes: 1.2.3 - twofactor_totp: 1.4.1 - updatenotification: 1.3.0 - workflowengine: 1.3.0 Disabled: - admin_audit - appvncsafe - audioplayer - encryption - external - files_antivirus - lsd - ojsxc - richdocuments - spreedme - user_external - user_ldap - weather { "memcache.local": "\\OC\\Memcache\\APCu", "filelocking.enabled": true, "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 0, "dbindex": 0, "timeout": 1.5 }, "instanceid": "***REMOVED SENSITIVE VALUE***", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "localhost", "xxxxx "xxxxxx", "xxxxxx" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "overwrite.cli.url": "https:\/\/xxxxxx", "dbtype": "mysql", "version": "13.0.2.1", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "maintenance": false, "theme": "", "loglevel": 1, "updater.release.channel": "production", "auth.bruteforce.protection.enabled": true, "check_for_working_htaccess": true, "data-fingerprint": "xxxxxxxx", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "smtp", "mail_smtpauthtype": "LOGIN", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtpsecure": "tls", "mail_smtpauth": 1, "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpport": "xxxx", "session_lifetime": xxxx, "session_keepalive": false, "logtimezone": "xxxx", "logfile": "\/media\/nextcloud.log", "log_rotate_size": 104857600, "knowledgebaseenabled": false, "updater.secret": "***REMOVED SENSITIVE VALUE***" } ``` </details> **Are you using external storage, if yes which one:** local/smb/sftp/... no **Are you using encryption:** no **Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/... no <details><summary>LDAP configuration (delete this part if not used)</summary> ``` With access to your command line run e.g.: sudo -u www-data php occ ldap:show-config from within your Nextcloud installation folder Without access to your command line download the data/owncloud.db to your local computer or access your SQL server remotely and run the select query: SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap'; Eventually replace sensitive data as the name/IP-address of your LDAP server or groups. ``` ## Client configuration **Browser:** Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/52.15.25.665 Chrome/52.0.2743.82 Safari/537.36 **Operating system:** Windows 10

h.t.h.

ernolf

l.koutny · January 20, 2026, 4:11pm

Cause of the error was truly SELinux, I changed the mode to permissive , after that it was possible to save the configuration.