[Bug 1313282] Re: apparmor="DENIED" for freshclam (CLAMAV)
Tyler Hicks
tyhicks at canonical.com
Mon Apr 28 21:40:28 UTC 2014
** Description changed:
- Not sure if this is a bug, or by design (but I would like some
- clarification)
+ [Description]
- I recently upgraded my Ubuntu server to 14.04 LTS and notice some error messages regarding Apparmor and Freshclam.
- So far I know I didn't had these error message with the previous version (13.10).
+ Freshclam is not able to notify clamd about new databases because AppArmor
+ prevents it from connecting to the clamd socket. Clamd will still detect the
+ database update and force reload, but freshclam should be able to notify clamd.
+
+ AppArmor fixed a bug (LP: #1208988) in its path-based UNIX domain socket
+ mediation in Saucy. AppArmor now requires both read and write permissions for
+ those socket paths but freshclam's profile only grants write permission.
+
+ I recently upgraded my Ubuntu server to 14.04 LTS and notice some error
+ messages regarding Apparmor and Freshclam. So far I know I didn't had these
+ error message with the previous version (13.10).
Syslog reports:
kernel: [ 113.304926] type=1400 audit(1398085083.946:37): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/clamav/clamd.ctl" pid=2372 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
Freshclam log reports:
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl
- Any reason why freshclam may not read the clamd.ctl?
- Of course clamd will detect database update and force reload.
- But should freshclam not be able to notify clamd?
+ [Test Case]
+
+ * Make sure that /etc/clamav/freshclam.conf contains this line:
+
+ NotifyClamd /etc/clamav/clamd.conf
+
+ * Manually remove the main database file
+
+ $ sudo rm /var/lib/clamav/main.cvd
+
+ * Run freshclam
+
+ $ sudo freshclam
+
+ * Verify the following:
+
+ 1) It was successful
+ 2) There were no warnings about clamd not being notified (see Description)
+ 3) There were no AppArmor denials in the system logs (See Description)
+
+ [Regression Potential]
+
+ There is essentially no regression potential since we're only loosening up the
+ freshclam AppArmor profile by adding read permission on the clamd socket.
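
Review bot: In the [Test Case], step 3 ("no AppArmor denials in the system logs") does not say what to look for; name the match from the quoted syslog line, i.e. apparmor="DENIED" with operation="connect" and profile="/usr/bin/freshclam", so a tester checks the same thing before and after the fix. The steps also assume clamd is running and listening on its socket, which is worth stating as a precondition because NotifyClamd has nothing to connect to otherwise. In the description, the new paragraph says the socket mediation fix landed in Saucy, while the retained reporter text says these messages did not appear on 13.10, which is Saucy; a sentence reconciling the two would help. Finally, the syslog line names /run/clamav/clamd.ctl and the freshclam warning names /var/run/clamav/clamd.ctl, so the description should say which path the added read permission is written against.
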
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1313282
Title:
apparmor="DENIED" for freshclam (CLAMAV)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1313282/+subscriptions