Your message dated Sun, 28 Jun 2026 15:53:43 +0000
with message-id <[email protected]>
and subject line Bug#1092882: fixed in clamav 1.4.4+dfsg-2
has caused the Debian Bug report #1092882,
regarding /usr/sbin/clamd: apparmor config incomplete: doesn't allow process to 
read its own "cgroup" file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1092882: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092882
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: clamav-daemon
Version: 1.0.7+dfsg-1~deb12u1
Severity: normal
File: /usr/sbin/clamd

Dear Maintainers,

I noticed in my logcheck emails the below warning from auditd:

kernel: [15870.808220] audit: type=1400 audit(1736697075.886:31):
apparmor="DENIED" operation="open" profile="/usr/sbin/clamd"
name="/proc/1018/cgroup" pid=1018 comm="clamd" requested_mask="r" 
denied_mask="r" fsuid=112 ouid=0

If I understand this correctly, the factory apparmor profile denies
that clam daemon to read its own "cgroup" file.

I assume that a line as follows has to be added to
/etc/apparmor.d/usr.sbin.clamd:

        @{PROC}/[0-9]*/cgroup r,

I did it on my own machine, and it seems to have fixed the issue.

Many thanks in advance for looking into this issue.

Kind regards,

Ralf


-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
AlertExceedsMax disabled
PreludeEnable disabled
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "30"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
ConcurrentDatabaseReload = "yes"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
GenerateMetadataJson disabled
User = "clamav"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
ScanPE = "yes"
ScanELF = "yes"
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
HeuristicAlerts = "yes"
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
AlertBrokenExecutables disabled
AlertBrokenMedia disabled
AlertEncrypted disabled
StructuredCCOnly disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ForceToDisk disabled
MaxScanTime = "120000"
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeRootUID disabled
OnAccessExcludeUID disabled
OnAccessExcludeUname disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
OnAccessCurlTimeout = "5000"
OnAccessMaxThreads = "5"
OnAccessRetryAttempts disabled
OnAccessDenyOnError disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled
AlgorithmicDetection = "yes"
BlockMax disabled
PhishingAlwaysBlockSSLMismatch disabled
PhishingAlwaysBlockCloak disabled
PartitionIntersection disabled
OLE2BlockMacros disabled
ArchiveBlockEncrypted disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
ExcludeDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 1.0.7
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON 

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
bytecode.cld: version 335, sigs: 86, built on Tue Feb 27 15:37:24 2024
daily.cld: version 27516, sigs: 2071934, built on Sun Jan 12 09:37:06 2025
Total number of signatures: 8719447

Platform information
--------------------
uname: Linux 6.1.0-29-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 
(2025-01-02) x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 12 (bookworm)
zlib version: 1.2.13 (1.2.13), compile flags: a9
platform id: 0x0a21a7a708000000000c0200

Build information
-----------------
GNU C: 12.2.0 (12.2.0)
sizeof(void*) = 8
Engine flevel: 167, dconf: 167

--- data dir ---
total 368152
-rw-r--r-- 1 clamav clamav   1411072 Feb 27  2024 bytecode.cld
-rw-r--r-- 1 clamav clamav 205083136 Jan 12 10:01 daily.cld
-rw-r--r-- 1 clamav clamav        69 Jun 15  2023 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Jun 15  2023 main.cvd

-- System Information:
Debian Release: 12.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-29-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav-daemon depends on:
ii  adduser                         3.134
ii  clamav-base                     1.0.7+dfsg-1~deb12u1
ii  clamav-freshclam [clamav-data]  1.0.7+dfsg-1~deb12u1
ii  debconf [debconf-2.0]           1.5.82
ii  dpkg                            1.21.22
ii  init-system-helpers             1.65.2
ii  libc6                           2.36-9+deb12u9
ii  libclamav11                     1.0.7+dfsg-1~deb12u1
ii  libcurl4                        7.88.1-10+deb12u8
ii  libncurses6                     6.4-4
ii  libsystemd0                     252.33-1~deb12u1
ii  libtinfo6                       6.4-4
ii  procps                          2:4.0.2-3
ii  ucf                             3.0043+nmu1+deb12u1
ii  zlib1g                          1:1.2.13.dfsg-1

Versions of packages clamav-daemon recommends:
pn  clamdscan  <none>

Versions of packages clamav-daemon suggests:
ii  apparmor      3.0.8-3
ii  clamav-docs   1.0.7+dfsg-1~deb12u1
pn  daemon        <none>
pn  libclamunrar  <none>

-- Configuration Files:
/etc/logcheck/ignore.d.paranoid/clamav-daemon [Errno 13] Permission denied: 
'/etc/logcheck/ignore.d.paranoid/clamav-daemon'
/etc/logcheck/ignore.d.server/clamav-daemon [Errno 13] Permission denied: 
'/etc/logcheck/ignore.d.server/clamav-daemon'

-- debconf information:
  clamav-daemon/ScanSWF: true
  clamav-daemon/TCPAddr: any
  clamav-daemon/AddGroups: Debian-exim
  clamav-daemon/LogFile: /var/log/clamav/clamav.log
  clamav-daemon/FixStaleSocket: true
  clamav-daemon/LocalSocket: /var/run/clamav/clamd.ctl
  clamav-daemon/Bytecode: true
  clamav-daemon/MaxConnectionQueueLength: 15
  clamav-daemon/DisableCertCheck: false
  clamav-daemon/TCPSocket: 3310
  clamav-daemon/ForceToDisk: false
  clamav-daemon/OnAccessMaxFileSize: 5M
  clamav-daemon/LogSyslog: false
  clamav-daemon/AllowAllMatchScan: true
  clamav-daemon/MaxThreads: 12
  clamav-daemon/FollowDirectorySymlinks: false
  clamav-daemon/MaxScriptNormalize: 5M
  clamav-daemon/SelfCheck: 3600
  clamav-daemon/MaxEmbeddedPE: 10M
  clamav-daemon/ReadTimeout: 180
  clamav-daemon/MaxDirectoryRecursion: 15
  clamav-daemon/LocalSocketGroup: clamav
  clamav-daemon/BytecodeSecurity: TrustSigned
  clamav-daemon/MaxHTMLNoTags: 2M
  clamav-daemon/ScanArchive: true
  clamav-daemon/MaxZipTypeRcg: 1M
  clamav-daemon/ScanMail: true
  clamav-daemon/BytecodeTimeout: 60000
  clamav-daemon/StreamMaxLength: 25
  clamav-daemon/FollowFileSymlinks: false
  clamav-daemon/MaxHTMLNormalize: 10M
  clamav-daemon/debconf: true
  clamav-daemon/LocalSocketMode: 666
  clamav-daemon/User: clamav
  clamav-daemon/LogTime: true
  clamav-daemon/TcpOrLocal: UNIX
  clamav-daemon/LogRotate: true

--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 1.4.4+dfsg-2
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2026 17:24:13 +0200
Source: clamav
Architecture: source
Version: 1.4.4+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1043428 1089046 1092882 1103001 1123913 1134489 1136481 1138312 1138938
Changes:
 clamav (1.4.4+dfsg-2) unstable; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Get it compiled aganst OpenSSL 4.0 (Closes: #1138312).
   * Depend on procps for pidof in tests (Closes: #1136481).
   * Update apparmor profile for clamd (Closes: #1092882, #1123913).
   * Remove Scott from the uploads. Thank you for all what you done
     (Closes: 1138938).
   * Don't Enable freshclam once+timer by default (Closes: #1134489).
   * Mention in the README.Debian that clamAV AppArmor profiles do not allow
     OnAccess scanning ("Closes: #1043428).
   * Add Romanian debconf templates translation (Closes: #1103001).
 .
   [ Helmut Grohne ]
   * Improve cross building: (Closes: #1089046)
     + Skip tests in arch-only build with DEB_BUILD_OPTIONS=nocheck.
     + Skip doxygen in arch-only build.
     + Demote/annotate conditional dependencies.
 .
   [ Pétur Ingi Egilsson ]
   * clamav-daemon.postinst.in: honour "none" as a way to disable
     the LogFile directive.
Checksums-Sha1:
 b40da3cf75caf275135885730688832882efa068 3042 clamav_1.4.4+dfsg-2.dsc
 70f79aa4c2ea4b1fa71ea8b2eb1b1cca98b5e316 521176 
clamav_1.4.4+dfsg-2.debian.tar.xz
Checksums-Sha256:
 5706de641944f221c69068407f1c5d01c418369c0b3f3f8a9fa7683f41180d08 3042 
clamav_1.4.4+dfsg-2.dsc
 101b1183c3faa6aeee7af74ea94fb8a3ea7b25908f43923953510a102a6169b0 521176 
clamav_1.4.4+dfsg-2.debian.tar.xz
Files:
 f7db0c0b749b0e676867985b25cf9ea2 3042 utils optional clamav_1.4.4+dfsg-2.dsc
 970a0370a3c118dcc1ceaf1d5cf891e4 521176 utils optional 
clamav_1.4.4+dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmpBPPAACgkQBWQfF1cS
+lu+BAwAnKObBrkAFdfo30PvOUYOhrogKiXAuuc+VQF91UL2Qjh4VEYILXU0xxP0
evhAc+6hT8sJc7ykvtS4IuOgKPiTYjBx1K0XhUpEFSyIU1kCLhFcTDVoubHbtYA7
tco6uU3YNaV5nvZY3pr4LACcg147Ck4fsRnAZCmSgW9YKha7KKEO4xTTEFta8nuR
98H8b9F49GBEFx0rpD7CffUzE1t0jeZyx83mNekeb6jSHupHSOPx5EcMK7MMts6l
RGeE1QTU4JrbmcoZ6ftsjVAmOS5zvs0RHB/7uP/QIOTNDlNOF/likHNKdigQi0nV
TWtRasfP85ekBYNRJPk4pQofe1aiH15jh3mhF7lKv7zCvm/hzOJL1wFYVUiCbBwn
l2cV3aJFxsO+JbATxHkRI3hP3Gx6G77W3nmSmruTFZeVsCLZNMZa8bkgReTaO+T+
4efH52vbXNkalb4No6FGB8WkpLxkHTFa6S4dLqoMOh3gJ4PxEKXpPvUmFsQBLic8
PXmk9wvb
=bR0i
-----END PGP SIGNATURE-----

Attachment: pgpLwTBV0MaBh.pgp
Description: PGP signature


--- End Message ---

Reply via email to