[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
We ran into the same issue, but wanted to avoid installing apparmor-utils.

In the /etc/apparmor.d/usr.sbin.clam profile, it is possible to set the clamd profile to complain mode directly (we used Ansible) without having to install apparmor-utils or use aa-complain.

Before:
    /usr/sbin/clamd {

After:
    /usr/sbin/clamd flags=(complain) {

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1404762

Title:
  apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  I tried to enable the ScanOnAccess option in /etc/clamav.conf to get on-access scanning. Doing so, /var/log/clamav/clamav.log tells me:

    ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
    ScanOnAccess: clamd must be started by root

  Setting User to root in /etc/clamav/clamd.conf makes the clamav-daemon to fail with

    service clamav-daemon start
     * Starting ClamAV daemon clamd
    ERROR: initgroups() failed.

  I had to disable the apparmor.profile with a

    cd /etc/apparmor.d/disable
    ln -s ./../usr.sbin.clamd

  Then, the "ERROR: initgroups() failed." disappears.

  The apparmor itself came via apt-get packages. I did not edit it.
  Description: Ubuntu 14.04.1 LTS
  Release: 14.04

  apt-cache policy apparmor-profiles
  apparmor-profiles:
    Installiert: (keine)
    Installationskandidat: 2.8.95~2430-0ubuntu5.1
    Versionstabelle:
       2.8.95~2430-0ubuntu5.1 0
          500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
       2.8.95~2430-0ubuntu5 0
          500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor-profiles (not installed)
  ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
  Uname: Linux 3.13.0-43-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.6
  Architecture: amd64
  Date: Mon Dec 22 01:23:04 2014
  InstallationDate: Installed on 2014-11-29 (22 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  ProcEnviron:
   LANGUAGE=de_DE
   TERM=xterm
   PATH=(custom, no user)
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.13.0-43-generic root=UUID=6408c2d9-1b60-43d7-9a7f-2dceeb40de28 ro rootflags=subvol=@ quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:

  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1404762/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Low
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
Now that on-access scan seems to be working, I tried some cases: No detections when I copied some Eicar files around in subfolders of /home/hartwig. However, I got a detection when I placed an Eicar file directly into that folder (mentioned in /var/log/clamav/clamav.log).

It looks like only the folder mentioned in the OnAccessIncludePath parameter is scanned, but no subfolders. Any way to include subfolders?

However, this behaviour does not seem to be connected to apparmor, so it is off-topic for this bug. I put my observations into the original clamav question https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109.
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
Hartwig, great find with the backup copied file! That would definitely complicate all debugging efforts.

Please do report back now that you can make some forward progress.
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
As another try, I tried to disable the apparmor profile by

    cd /etc/apparmor.d/disable
    ln -s ./../usr.sbin.clamd

as described by Thomas above. Unexpectedly, that did not get rid of the message "ERROR: initgroups() failed".

I found I had a file "usr.sbin(Kopie).clamd" in that folder; this file was a backup of the original, and got used by apparmor (went into the cache folder). After removing this backup copy (and reloading apparmor) clamd could start.

Next try: use the original usr.sbin.clamd and add "capability setgid," as recommended by Christian above. After reloading apparmor and restarting clamd I got

    ERROR: Failed to change socket ownership to group clamav
    Closing the main socket.

But at system restart clamd started without error.

So, it was the backup file in /etc/apparmor.d which caused the trouble.

Maybe, I will gradually find out how to get on-access scan working.
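An added example, not part of the message above and not AppArmor project code: a check for the situation the poster hit, where a stray copy such as "usr.sbin(Kopie).clamd" in the profile directory declares the same profile as the file being edited. It also reads the `flags=(complain)` header form shown in the first message of this thread. The header regex covers only the common header forms listed in its comment, and the profile contents in `demo()` are constructed.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Top-level profile header forms handled here (an assumption, not the full grammar):
#   /usr/sbin/clamd {
#   /usr/sbin/clamd flags=(complain) {
#   profile clamd /usr/sbin/clamd {
HEADER = re.compile(
    r'^(?:profile\s+)?(?P<name>"[^"]+"|[^\s{]+)'
    r'(?:\s+/\S+)?'
    r'(?:\s+flags=\((?P<flags>[^)]*)\))?'
    r'\s*\{$'
)


def top_level_profiles(text):
    """Return [(profile_name, [flags])] for profiles declared at brace depth 0."""
    depth, found = 0, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        if not line:
            continue
        if depth == 0:
            m = HEADER.match(line)
            if m:
                flags = [f.strip() for f in (m.group("flags") or "").split(",") if f.strip()]
                found.append((m.group("name").strip('"'), flags))
        # Glob alternations such as /{usr/,}lib balance out on their own line.
        depth += line.count("{") - line.count("}")
    return found


def duplicate_profiles(profile_dir):
    """Map profile name -> [(file name, flags)] when more than one file declares it."""
    owners = defaultdict(dict)
    for path in Path(profile_dir).iterdir():
        if not path.is_file():  # skip abstractions/, tunables/, disable/ ...
            continue
        for name, flags in top_level_profiles(path.read_text(errors="replace")):
            owners[name][path.name] = flags
    return {
        name: sorted(files.items())
        for name, files in owners.items()
        if len(files) > 1
    }


def demo():
    """Rebuild the thread's situation in a temp dir (file contents are constructed)."""
    edited = (
        "#include <tunables/global>\n"
        "/usr/sbin/clamd flags=(complain) {\n"
        "  #include <abstractions/base>\n"
        "  capability setgid,\n"
        "}\n"
    )
    # The forgotten backup: same profile name, without the later edits.
    backup = edited.replace(" flags=(complain)", "").replace("  capability setgid,\n", "")
    other = "profile example /usr/bin/example {\n  /{usr/,}lib/** r,\n}\n"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "usr.sbin.clamd").write_text(edited)
        (root / "usr.sbin(Kopie).clamd").write_text(backup)
        (root / "usr.bin.example").write_text(other)
        (root / "disable").mkdir()
        return duplicate_profiles(root)


if __name__ == "__main__":
    for name, files in demo().items():
        print(name, "is declared in:")
        for file_name, flags in files:
            print("   ", file_name, "flags:", ",".join(flags) or "(enforce)")
```

On a real system the directory to pass to `duplicate_profiles` would be /etc/apparmor.d; any profile name it returns has more than one file competing to define it.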
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
clamd starts with:

1. aa-complain clamd
2. invoke-rc.d clamav-daemon restart

No clamd entries in syslog.

audit.log after starting clamd:

type=USER_AUTH msg=audit(1428468600.638:193): pid=8314 uid=1000 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="hartwig" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=USER_ACCT msg=audit(1428468600.638:194): pid=8314 uid=1000 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="hartwig" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=USER_START msg=audit(1428468600.658:195): pid=8314 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=AVC msg=audit(1428468604.378:196): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/clamd" pid=8319 comm="apparmor_parser"
type=SYSCALL msg=audit(1428468604.378:196): arch=4003 syscall=4 success=yes exit=26185 a0=3 a1=9c6677c a2=6649 a3=bfbf36c4 items=0 ppid=8315 pid=8319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=USER_END msg=audit(1428468604.450:197): pid=8314 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'

But - Eicar file can be copied, no error msg, no log entry
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
Hartwig, are there still AppArmor DENIED lines in your /var/log/syslog or /var/log/audit/audit.log files even after adding all those extra capabilities?

Granted, a profiled application with all those capabilities is likely powerful enough to do great damage to the system anyway...

Thanks
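An added example, not part of the message above: one way to answer the question it asks, by pulling AppArmor policy decisions for one profile out of audit.log or syslog lines and counting them as profile-syntax rules. DENIED records come from enforce mode and ALLOWED records from complain mode. The first sample line is the `profile_replace` record quoted elsewhere in this thread; every other sample line is constructed.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in audit.log and syslog lines
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the key/value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def apparmor_decisions(lines, profile):
    """Yield records where AppArmor decided something for `profile`.

    STATUS records (profile load/replace) are skipped: they show that policy
    was reloaded, not that an access was denied or allowed.
    """
    for line in lines:
        rec = parse_record(line)
        if rec.get("apparmor") in ("DENIED", "ALLOWED") and rec.get("profile") == profile:
            yield rec


def summarize(lines, profile):
    """Count (verdict, rule) pairs, with the rule written in profile syntax."""
    counts = Counter()
    for rec in apparmor_decisions(lines, profile):
        if rec.get("operation") == "capable":
            rule = f"capability {rec.get('capname', '?')},"
        elif "name" in rec:
            mask = rec.get("denied_mask") or rec.get("requested_mask", "?")
            rule = f"{rec['name']} {mask},"
        else:
            rule = f"# unhandled operation {rec.get('operation')}"
        counts[(rec["apparmor"], rule)] += 1
    return counts


SAMPLE = [
    # From the thread: a profile reload, not a policy decision.
    'type=AVC msg=audit(1428468604.378:196): apparmor="STATUS" '
    'operation="profile_replace" profile="unconfined" name="/usr/sbin/clamd" '
    'pid=8319 comm="apparmor_parser"',
    # Constructed records from here on.
    'type=AVC msg=audit(1428468700.100:201): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/clamd" pid=8400 comm="clamd" capability=6 capname="setgid"',
    'type=AVC msg=audit(1428468700.101:202): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/clamd" pid=8400 comm="clamd" capability=6 capname="setgid"',
    'type=AVC msg=audit(1428468700.150:203): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/clamd" pid=8400 comm="clamd" capability=21 capname="sys_admin"',
    'type=AVC msg=audit(1428468900.500:210): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/clamd" name="/home/example/sample.txt" pid=8450 comm="clamd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=1000',
    'type=AVC msg=audit(1428468900.700:211): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/ntpd" name="/etc/example.conf" pid=900 comm="ntpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]


if __name__ == "__main__":
    for (verdict, rule), n in sorted(summarize(SAMPLE, "/usr/sbin/clamd").items()):
        print(f"{n:3d}  {verdict:7s}  {rule}")
```

An empty result for the clamd profile, as with the audit.log excerpt quoted in this thread, means the log holds no policy decision for that profile at all.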
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
I was describing two issues: One is that root user was needed for ScanOnAccess. Second was that the apparmor profile does not fit.

Basically, there should be an easy way to use ScanOnAccess with correct apparmor profile. Fanotify seems to be a basic feature in conjunction with a virus scanner (which can simply run in user space without a kernel module, still getting notified about changes in files).

With the two changes I described, ScanOnAccess is working for me with root privileges and apparmor profile disabled. Therefore, it also detects Eicar testfiles.

I'd suggest to make ScanOnAccess more accessible to an average user.
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
No reaction?

Does that mean on-access scanning does not work with clamav (non-detection of Eicar file)? Because of lacking compatibility with apparmor?
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
Some further info:

I now have installed auditd to have the log in /var/log/audit/audit.log.

I added to usr.bin.clamd:

    capability setgid,
    capability setuid,

and used aa-logprof to add some more items:

    capability chown,
    capability dac_override,
    capability fsetid,
    capability sys_admin,

But, after reload apparmor, aa-enforce clamd, and restart clamd I still have "ERROR: initgroups() failed" at clamd start.

It still needs aa-complain clamd to successfully start clamd.
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
I have the same problem, but the above does not help me. aa-complain clamd needs to be done at every startup, otherwise clamd would not start. No /var/log/audit/audit.log Eicar file can be copied despite clamav on-access running (acc clamav.log) Details see https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1404762 Title: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify Status in apparmor package in Ubuntu: Confirmed Bug description: I tried to enable the ScanOnAccess option in /etc/clamav.conf to get on-access scanning. Doing so, /var/log/clamav/clamav.log tells me: ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted ScanOnAccess: clamd must be started by root Setting User to root in /etc/clamav/clamd.conf makes the clamav-daemon to fail with service clamav-daemon start * Starting ClamAV daemon clamd ERROR: initgroups() failed. I had to disable the apparmor.profile with a cd /etc/apparmor.d/disable ln -s ./../usr.sbin.clamd Then, the "ERROR: initgroups() failed." disappears. The apparmor itself came via apt-get packages. I did not edit it. 
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
[Touch-packages] [Bug 1404762] Re: apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify
Please add
    capability setgid,
to the clamd profile and re-enable it ("aa-enforce clamd").
If it still doesn't work, set it to complain mode ("aa-complain clamd") so that it permits everything and logs what would be denied. Then use clamd for a while and provide the clamd-related entries from /var/log/audit/audit.log.
You can also update the profile yourself using aa-logprof, and set the profile back to enforce mode with "aa-enforce clamd".
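An added example, not part of the thread or of AppArmor's own tooling: this Python script shows what the clamd-related log entries requested above boil down to. It reads AppArmor audit records in either the auditd file form or the kernel-log form (where they land when auditd is not installed) and lists the profile rules that would cover them. The sample lines, the file path in them and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input (not taken from the bug report). Lines 1, 2 and 4
# use the auditd file format; line 3 is the kernel-log form of the same event.
SAMPLE_LOG = """\
type=AVC msg=audit(1419208984.101:71): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/clamd" pid=2101 comm="clamd" capability=6  capname="setgid"
type=AVC msg=audit(1419208990.310:72): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/home/alice/report.pdf" pid=2101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
Dec 22 01:24:10 host kernel: [  412.220] type=1400 audit(1419208999.000:73): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/home/alice/report.pdf" pid=2101 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
type=AVC msg=audit(1419209001.000:74): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def candidate_rules(log_text, profile="/usr/sbin/clamd"):
    """Deduplicated rules covering what the log shows for one profile."""
    caps, files = set(), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("profile") != profile:
            continue
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # skip STATUS and other non-access records
        if ev.get("operation") == "capable" and "capname" in ev:
            caps.add(ev["capname"])
        elif "name" in ev and "denied_mask" in ev:
            # The log's create/delete letters (c, d) are both covered by "w".
            files[ev["name"]] |= {"w" if ch in "cd" else ch
                                  for ch in ev["denied_mask"]}
    rules = [f"capability {cap}," for cap in sorted(caps)]
    rules += [f"{path} {''.join(sorted(perms))},"
              for path, perms in sorted(files.items())]
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

The output is a list to review before editing the profile: each path rule should be checked and generalised by hand, and an "x" permission needs an explicit execute mode.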