On 2021-05-23 08:32:23 [+0800], Paul Wise wrote:
> Whenever freshclam gets restarted, either manually or automatically
> during package upgrades, I get an apparmor denial in the logs. I
> haven't seen any adverse effects from this denial. Reading the
> capabilities(7) manual page where CAP_DAC_READ_SEARCH is mentioned,
> there doesn't seem to be any reason for freshclam to need this
> capability so I don't think the freshclam binary should be using this
> capability. I note that the clamav codebase doesn't mention this
> capability at all. I note that the apparmor profile mentions
> dac_override and a comment next to that mentions a Launchpad bug that
> explains this is for the AllowSupplementaryGroups option, which is
> disabled by default. I wonder if whatever allows that to work has
> switched from dac_override to dac_read_search, but I'm still not sure
> why freshclam should also be using that capability.
You still see it, I guess? Based on your log you run systemd, so that should be the same thing I have here for testing. And I don't see it. But you have it while freshclam is killed, not on startup.

There is this in my journal:

|Oct 31 23:30:41 debsidamd64 audit[450]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=450 comm="freshclam" capability=1 capname="dac_override"

which is from the time before dac_override got added. The Debian bug was #972974.

I know that AllowSupplementaryGroups is marked as deprecated but this is the default now. That means initgroups() (the code that was hidden behind AllowSupplementaryGroups) is always executed.

Sebastian
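As an added example (not part of the thread or of the clamav package), a small Python helper that pulls the capabilities a profile was denied out of journal lines like the one quoted above, so the set can be compared against the profile's `capability` rules before deciding whether a rule such as `dac_read_search` is warranted. Only the first sample line is from the thread; the others are constructed.

```python
import re
from collections import defaultdict

# Constructed sample journal excerpt. The first line is the one quoted in the
# thread; the remaining lines are made up to exercise the parser (an ALLOWED
# entry, a file-access denial, and an unrelated sshd line).
SAMPLE_JOURNAL = """\
Oct 31 23:30:41 debsidamd64 audit[450]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=450 comm="freshclam" capability=1 capname="dac_override"
May 23 08:30:02 host audit[1234]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=1234 comm="freshclam" capability=2 capname="dac_read_search"
May 23 08:30:02 host audit[1234]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/bin/freshclam" pid=1234 comm="freshclam" capability=2 capname="dac_read_search"
May 23 08:31:10 host audit[1300]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/shadow" pid=1300 comm="freshclam" requested_mask="r" denied_mask="r"
May 23 08:32:00 host sshd[999]: Accepted publickey for user from 192.0.2.1 port 2222
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AppArmor AVC line as a dict, or None
    when the line is not an AppArmor audit message."""
    if 'apparmor=' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def denied_capabilities(text):
    """Map each profile to the sorted list of capability names that were
    DENIED through a 'capable' operation (file denials are ignored here)."""
    per_profile = defaultdict(set)
    for line in text.splitlines():
        fields = parse_avc(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        if fields.get('operation') == 'capable' and 'capname' in fields:
            per_profile[fields['profile']].add(fields['capname'])
    return {profile: sorted(caps) for profile, caps in per_profile.items()}


def capability_rules(text):
    """Render the denied capabilities as AppArmor 'capability' rule lines,
    one list per profile, for a maintainer to review (not to apply blindly)."""
    return {profile: [f"capability {cap}," for cap in caps]
            for profile, caps in denied_capabilities(text).items()}


if __name__ == "__main__":
    for profile, rules in capability_rules(SAMPLE_JOURNAL).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

Run it against `journalctl -k` or `journalctl _COMM=freshclam` output instead of the constructed sample to see what the running system actually reports.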