@Michael Kudos :-)

On Thu, Oct 29, 2020 at 6:47 PM Michael Borgelt <mich...@borgelt.org> wrote:
>
> Success.
> After adding 'capability dac_override' AND 'capability chown' to the
> /etc/apparmor.d/usr.bin.freshclam profile clamav-freshclam starts
> successfully.
> To successfully start clamav-daemon you have to set 'capability chown'
> in '/etc/apparmor.d/usr.sbin.clamd' also.
>
> Thank you
> Michael.
>
> Quoting jean-christophe manciot <actionmysti...@gmail.com>:
>
> > I've just realized that lchown is only a system call, so it must be
> > used from within /usr/bin/freshclam.
> >
> > On Thu, Oct 29, 2020 at 9:33 AM jean-christophe manciot
> > <actionmysti...@gmail.com> wrote:
> >>
> >> I have tried to add to /etc/apparmor.d/local/usr.bin.freshclam:
> >> capability dac_override,
> >>
> >> and restarted apparmor then clamav-freshclam, the issue is still there:
> >> # echo 'q' | sudo systemctl --no-pager --full status clamav-freshclam
> >> ● clamav-freshclam.service - ClamAV virus database updater
> >> Loaded: loaded (/lib/systemd/system/clamav-freshclam.service;
> >> enabled; vendor preset: enabled)
> >> Active: failed (Result: exit-code) since Thu 2020-10-29 09:06:06
> >> CET; 42s ago
> >> Docs: man:freshclam(1)
> >> man:freshclam.conf(5)
> >> https://www.clamav.net/documents
> >> Process: 966650 ExecStart=/usr/bin/freshclam -d --foreground=true
> >> (code=exited, status=9)
> >> Main PID: 966650 (code=exited, status=9)
> >>
> >> Oct 29 09:06:06 hostname systemd[1]: Started ClamAV virus database updater.
> >> Oct 29 09:06:06 hostname freshclam[966650]: ERROR: lchown to user
> >> 'clamav' failed on
> >> Oct 29 09:06:06 hostname freshclam[966650]: log file
> >> '/var/log/clamav/freshclam.log'.
> >> Oct 29 09:06:06 hostname freshclam[966650]: Error was 'Operation
> >> not permitted'
> >> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
> >> -> ^lchown to user 'clamav' failed on log file
> >> '/var/log/clamav/freshclam.log'.
> >> Error was 'Operation not permitted'
> >> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
> >> -> !Failed to switch to clamav user.
> >> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Main
> >> process exited, code=exited, status=9/n/a
> >> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Failed
> >> with result 'exit-code'.
> >>
> >> The error message regarding 'lchown' is strange: I have checked
> >> /etc/init.d/clamav-freshclam, and also config and postinst included in
> >> the DEBIAN folder of the package, none includes such a call.
> >> However, postinst does include 'chown "$dbowner":adm
> >> $FRESHCLAMLOGFILE' (with dbowner=clamav and
> >> FRESHCLAMLOGFILE=/var/log/clamav/freshclam.log), so lchown does not
> >> seem necessary wherever it is located.
> >>
> >> On Thu, Oct 29, 2020 at 12:07 AM Sebastian Andrzej Siewior
> >> <sebast...@breakpoint.cc> wrote:
> >> >
> >> > On 2020-10-27 07:22:22 [+0000], Michael Borgelt wrote:
> >> > > I have tried different permissions for the file and the directory without
> >> > > success. The above permissions are after a clean reinstall of clamav
> >> > > package.
> >> >
> >> > The problem appears to be the apparmor or freshclam's profile for it. So
> >> > disabling apparmor should make freshclam work again.
> >> > Probably adding
> >> > | capability dac_override,
> >> >
> >> > to the profile will help, too. I will test it later today…
> >> >
> >> > Sebastian
> >>
> >> --
> >> Jean-Christophe
> >
> > --
> > Jean-Christophe
>
> --
> Michael Borgelt
> e-mail: mich...@borgelt.org

--
Jean-Christophe