@Michael
Kudos :-)

On Thu, Oct 29, 2020 at 6:47 PM Michael Borgelt <mich...@borgelt.org> wrote:
>
> Success.
> After adding 'capability dac_override' AND 'capability chown' to the
> /etc/apparmor.d/usr.bin.freshclam profile clamav-freshclam starts
> successfully.
> To successfully start clamav-daemon you have to set 'capability chown'
> in '/etc/apparmor.d/usr.sbin.clamd' also.
>
> Thank you
> Michael.
>
> Quoting jean-christophe manciot <actionmysti...@gmail.com>:
>
> > I've just realized that lchown is only a system call, so it must be
> > used from within /usr/bin/freshclam.
> >
> > On Thu, Oct 29, 2020 at 9:33 AM jean-christophe manciot
> > <actionmysti...@gmail.com> wrote:
> >>
> >> I have tried to add to /etc/apparmor.d/local/usr.bin.freshclam:
> >>   capability dac_override,
> >>
> >> and restarted apparmor then clamav-freshclam, the issue is still there:
> >> # echo 'q' | sudo systemctl --no-pager --full status clamav-freshclam
> >> ● clamav-freshclam.service - ClamAV virus database updater
> >>      Loaded: loaded (/lib/systemd/system/clamav-freshclam.service;
> >> enabled; vendor preset: enabled)
> >>      Active: failed (Result: exit-code) since Thu 2020-10-29 09:06:06
> >> CET; 42s ago
> >>        Docs: man:freshclam(1)
> >>              man:freshclam.conf(5)
> >>              https://www.clamav.net/documents
> >>     Process: 966650 ExecStart=/usr/bin/freshclam -d --foreground=true
> >> (code=exited, status=9)
> >>    Main PID: 966650 (code=exited, status=9)
> >>
> >> Oct 29 09:06:06 hostname systemd[1]: Started ClamAV virus database updater.
> >> Oct 29 09:06:06 hostname freshclam[966650]: ERROR: lchown to user
> >> 'clamav' failed on
> >> Oct 29 09:06:06 hostname freshclam[966650]: log file
> >> '/var/log/clamav/freshclam.log'.
> >> Oct 29 09:06:06 hostname freshclam[966650]: Error was 'Operation
> >> not permitted'
> >> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
> >> -> ^lchown to user 'clamav' failed on log file
> >> '/var/log/clamav/freshclam.log'.  Error was 'Operation not permitted'
> >> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
> >> -> !Failed to switch to clamav user.
> >> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Main
> >> process exited, code=exited, status=9/n/a
> >> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Failed
> >> with result 'exit-code'.
> >>
> >> The error message regarding 'lchown' is strange: I have checked
> >> /etc/init.d/clamav-freshclam, and also config and postinst included in
> >> the DEBIAN folder of the package, none includes such a call.
> >> However, postinst does include 'chown "$dbowner":adm
> >> $FRESHCLAMLOGFILE' (with dbowner=clamav and
> >> FRESHCLAMLOGFILE=/var/log/clamav/freshclam.log), so lchown does not
> >> seem necessary wherever it is located.
> >>
> >> On Thu, Oct 29, 2020 at 12:07 AM Sebastian Andrzej Siewior
> >> <sebast...@breakpoint.cc> wrote:
> >> >
> >> > On 2020-10-27 07:22:22 [+0000], Michael Borgelt wrote:
> >> > > I have tried different permissions for the file and the directory without
> >> > > success. The above permissions are after a clean reinstall of clamav
> >> > > package.
> >> >
> >> > The problem appears to be the apparmor or freshclam's profile for it. So
> >> > disabling apparmor should make freshclam work again.
> >> > Probably adding
> >> > |         capability dac_override,
> >> >
> >> > to the profile will help, too. I will test it later today…
> >> >
> >> > Sebastian
> >>
> >>
> >>
> >> --
> >> Jean-Christophe
> >
> >
> >
> > --
> > Jean-Christophe
>
>
>
> --
> Michael Borgelt
> e-mail: mich...@borgelt.org
>


-- 
Jean-Christophe
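
Added example, not part of the thread: rather than adding capabilities one at a time, the kernel log can be asked which ones AppArmor actually denied to a profile. The function names `denied_caps` and `sample_log` are hypothetical, the log lines are constructed samples in the kernel audit format, and the profiles are assumed to be named after the binary paths.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the capabilities AppArmor
# denied to one profile, printed as candidate rules for that profile.

# denied_caps PROFILE: read kernel log lines on stdin and print one
# "capability <name>," line per distinct capability denied to PROFILE.
# Lines logged as ALLOWED (complain mode) and file denials are skipped.
denied_caps() {
    grep -F 'apparmor="DENIED"' \
        | grep -F 'operation="capable"' \
        | grep -F "profile=\"$1\"" \
        | sed -n 's/.*capname="\([a-z_]*\)".*/  capability \1,/p' \
        | sort -u
}

# Constructed sample input (assumption: profiles are named after the
# binary path). On a live host: journalctl -k | denied_caps PROFILE
sample_log() {
    cat <<'EOF'
Oct 29 09:06:06 hostname kernel: audit: type=1400 audit(1603958766.101:901): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=966650 comm="freshclam" capability=0  capname="chown"
Oct 29 09:06:06 hostname kernel: audit: type=1400 audit(1603958766.102:902): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=966650 comm="freshclam" capability=1  capname="dac_override"
Oct 29 09:07:10 hostname kernel: audit: type=1400 audit(1603958830.300:910): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=966701 comm="freshclam" capability=0  capname="chown"
Oct 29 09:07:11 hostname kernel: audit: type=1400 audit(1603958831.410:911): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=966710 comm="clamd" capability=0  capname="chown"
Oct 29 09:07:12 hostname kernel: audit: type=1400 audit(1603958832.500:912): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/constructed/path" pid=966701 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 29 09:07:13 hostname kernel: audit: type=1400 audit(1603958833.600:913): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/clamd" pid=966710 comm="clamd" capability=1  capname="dac_override"
EOF
}

# Review each printed rule before adding it to the profile.
sample_log | denied_caps /usr/bin/freshclam
```

Once the reviewed rules are in the profile, reload it with `apparmor_parser -r` on the profile file and restart the service.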
