[Bug 288942] Re: clamd daemon fails to load
This bug was fixed in the package clamav - 0.94.dfsg.1-1ubuntu1

---
clamav (0.94.dfsg.1-1ubuntu1) jaunty; urgency=low

  * Merge from Debian Unstable (LP: #296704). Remaining Ubuntu changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add
      etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where
      apparmor-profiles profile is unchanged (ie non-enforcing) and
      upgrades where the profile doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
  * Update apparmor profile for clamd to work with TCP sockets
    (LP: #288942)

clamav (0.94.dfsg.1-1) unstable; urgency=low

  [ Stephen Gran ]
  * New upstream version (closes: #505134, #502165, #501298)
  * Handle new option SubmitDetectionStats in freshclam.conf
  * Remove RAR from the description, since we really don't handle it
    anymore
  * Skip 'sleep until -e socket' logic if socket is of type inet
    (LP #296086)

  [ Michael Meskes ]
  * Added myself as uploader.
  * Changed watch file to account for dfsg extension.
  * Do not configure temporary directory in clamd.conf anymore unless it
    is already configured there.
  * Added Basque debconf translation (closes: #57)

  [ Michael Tautschnig ]
  * Use lsb's status_of_proc function to determine the status of the
    process and return with according exit codes (closes: #486076)
  * Updated Dutch debconf translation (thanks Paul Gevers
    [EMAIL PROTECTED]) (closes: #501627)
  * Changed versioned dependency of clamav-daemon to clamav-base to
    equals (closes: #500416)
  * Handle new option DetectionStatsCountry in freshclam.conf
  * Don't trust the multilib guessing stuff, always use
    libdir=$prefix/lib
  * Removed nowadays unused lintian overrides
  * Create md5sums control file for clamav-dbg as well (thanks, lintian)

 -- Scott Kitterman [EMAIL PROTECTED]  Tue, 11 Nov 2008 22:24:38 -0500

** Changed in: clamav (Ubuntu)
       Status: Fix Committed => Fix Released

--
clamd daemon fails to load
https://bugs.launchpad.net/bugs/288942
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 288942] Re: clamd daemon fails to load
Fix committed to the pkg-clamav git repository for the next upload.

** Changed in: clamav (Ubuntu)
       Status: Triaged => Fix Committed

[Bug 288942] Re: clamd daemon fails to load
** Changed in: clamav (Ubuntu)
   Importance: Undecided => Medium
       Status: New => Triaged

[Bug 288942] Re: clamd daemon fails to load
Hi,

I believe the fix for this is the addition of
#include <abstractions/nameservice> in /etc/apparmor.d/usr.sbin.clamd.

To test this:

- start from a clean base
    apt-get purge clamav clamav-base clamav-daemon
    rm -rf /var/lib/clamav
- install clamav
    apt-get install clamav-daemon
  check clamd is running (ps -afx or the like)
  process should be: /usr/sbin/clamd
- Modify clamd to use TCP 3310 and bind to localhost
  Add
    TCPAddr localhost
    TCPSocket 3310
  to /etc/clamav/clamd.conf
- Restart clamd
    /etc/init.d/clamav-daemon restart

This should segfault now due to the apparmor profile denying access to tcp network related files (hosts, nsswitch, resolv.conf etc)

To resolve this

- Add #include <abstractions/nameservice> to /etc/apparmor.d/usr.sbin.clamd
- Reload apparmor
    /etc/init.d/apparmor reload
- Restart clamd
    /etc/init.d/clamav-daemon restart
- This should now start correctly. clamdrib should also work correctly.

<aside>
Please correct me if I am wrong, but decided 'capability setuid' in this case is not required as clamdscan has the ability to call a file to scan with the - option. ie. clamdscan - filename. which should run it in as the current user, which I suspect clamdrib is doing therefore shouldn't be necessary to setuid.
</aside>

Greg - please note that calling clamd or sudo clamd as per your original post is the incorrect way to start the daemon, as it should be started as root via the init script (/etc/init.d/clamav-daemon) which will result in the application dropping privileges to the clamav user. You should be doing

    clamd --config-file=/etc/clamav/clamd.conf

[Bug 288942] Re: clamd daemon fails to load
Patch to usr.sbin.clamd apparmor profile to allow clamd to run as a TCP daemon.

** Attachment added: usr.sbin.clamd-patch
   http://launchpadlibrarian.net/18953684/usr.sbin.clamd-patch

Re: [Bug 288942] Re: clamd daemon fails to load
Stefan,

I reinstalled as per instructions (also removing the previous fix of using apparmor complain) and it does function correctly.

Thank you,
Greg

PS: I was only loading clamd directly looking for errors.

Stefan Lesicnik wrote:
> Hi,
>
> I believe the fix for this is the addition of
> #include <abstractions/nameservice> in /etc/apparmor.d/usr.sbin.clamd.
>
> To test this:
>
> - start from a clean base
>     apt-get purge clamav clamav-base clamav-daemon
>     rm -rf /var/lib/clamav
> - install clamav
>     apt-get install clamav-daemon
>   check clamd is running (ps -afx or the like)
>   process should be: /usr/sbin/clamd
> - Modify clamd to use TCP 3310 and bind to localhost
>   Add
>     TCPAddr localhost
>     TCPSocket 3310
>   to /etc/clamav/clamd.conf
> - Restart clamd
>     /etc/init.d/clamav-daemon restart
>
> This should segfault now due to the apparmor profile denying access to tcp network related files (hosts, nsswitch, resolv.conf etc)
>
> To resolve this
>
> - Add #include <abstractions/nameservice> to /etc/apparmor.d/usr.sbin.clamd
> - Reload apparmor
>     /etc/init.d/apparmor reload
> - Restart clamd
>     /etc/init.d/clamav-daemon restart
> - This should now start correctly. clamdrib should also work correctly.
>
> <aside>
> Please correct me if I am wrong, but decided 'capability setuid' in this case is not required as clamdscan has the ability to call a file to scan with the - option. ie. clamdscan - filename. which should run it in as the current user, which I suspect clamdrib is doing therefore shouldn't be necessary to setuid.
> </aside>
>
> Greg - please note that calling clamd or sudo clamd as per your original post is the incorrect way to start the daemon, as it should be started as root via the init script (/etc/init.d/clamav-daemon) which will result in the application dropping privileges to the clamav user. You should be doing
>
>     clamd --config-file=/etc/clamav/clamd.conf

--
===
Greg Eden
[EMAIL PROTECTED]

[Bug 288942] Re: clamd daemon fails to load
I reviewed the one-line addition to the profile and it is appropriate. Please incorporate in the next upload.

[Bug 288942] Re: clamd daemon fails to load
Greg,

Thanks for testing and reporting back! I'm glad this resolves the bug for you. It should be incorporated into the next clamav release.

Thanks for reporting this issue.

[Bug 288942] Re: clamd daemon fails to load
You can shift just the clamav profile to complain mode (and then the plugin works) by running:

    sudo aa-complain usr.sbin.clamd

In complain mode, I get:

Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502 audit(1224949953.717:3435): operation=socket_accept family=inet sock_type=stream protocol=6 pid=12985 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.432903] type=1502 audit(1224949953.717:3436): operation=socket_recvmsg family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.432924] type=1502 audit(1224949953.717:3437): operation=socket_recvmsg family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433035] type=1502 audit(1224949953.717:3438): operation=inode_permission requested_mask=::r denied_mask=::r fsuid=111 name=/etc/resolv.conf pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433131] type=1502 audit(1224949953.717:3439): operation=inode_permission requested_mask=::r denied_mask=::r fsuid=111 name=/etc/hosts pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433202] type=1502 audit(1224949953.717:3440): operation=socket_create family=inet sock_type=stream protocol=0 pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433225] type=1502 audit(1224949953.717:3441): operation=socket_post_create family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433240] type=1502 audit(1224949953.717:3442): operation=socket_bind family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433254] type=1502 audit(1224949953.717:3443): operation=socket_listen family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433293] type=1502 audit(1224949953.717:3444): operation=socket_sendmsg family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd

I'm going to ask someone who knows more about apparmor than I do to look at this bug.

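Added example, not part of the original thread or of the clamav/AppArmor packaging: a small Python parser for the type=1502 complain-mode lines quoted in the message above, which groups the logged events per profile and proposes rule lines for a human to review. The function names and the mapping of /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf to abstractions/nameservice are assumptions of this example, and only the log format shown in this thread is handled.

```python
import re
from collections import defaultdict

# Four lines copied from the complain-mode log in the message above.
SAMPLE = """\
Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502 audit(1224949953.717:3435): operation=socket_accept family=inet sock_type=stream protocol=6 pid=12985 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433035] type=1502 audit(1224949953.717:3438): operation=inode_permission requested_mask=::r denied_mask=::r fsuid=111 name=/etc/resolv.conf pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433131] type=1502 audit(1224949953.717:3439): operation=inode_permission requested_mask=::r denied_mask=::r fsuid=111 name=/etc/hosts pid=13341 profile=/usr/sbin/clamd
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433240] type=1502 audit(1224949953.717:3442): operation=socket_bind family=inet sock_type=stream protocol=6 pid=13341 profile=/usr/sbin/clamd
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: files this example treats as covered by abstractions/nameservice.
NAMESERVICE_FILES = {"/etc/hosts", "/etc/resolv.conf", "/etc/nsswitch.conf"}

def parse(line):
    """Return the key=value fields of one type=1502 audit line, else None."""
    head, sep, body = line.partition("audit(")
    if not sep or "type=1502" not in head:
        return None
    return {k: v.strip('"') for k, v in KV.findall(body.partition("): ")[2])}

def summarize(text):
    """Group events by profile: file paths with masks, and socket types."""
    out = defaultdict(lambda: {"files": defaultdict(set), "network": set()})
    for ev in filter(None, map(parse, text.splitlines())):
        if "profile" not in ev:
            continue
        entry = out[ev["profile"]]
        if "name" in ev and "denied_mask" in ev:
            entry["files"][ev["name"]].add(ev["denied_mask"].replace(":", ""))
        elif "family" in ev and "sock_type" in ev:
            entry["network"].add((ev["family"], ev["sock_type"]))
    return out

def candidate_rules(entry):
    """Turn one profile's summary into rule lines for a human to review."""
    files, rules = dict(entry["files"]), []
    if files.keys() & NAMESERVICE_FILES:
        rules.append("#include <abstractions/nameservice>")
        files = {p: m for p, m in files.items() if p not in NAMESERVICE_FILES}
    rules += [f"{p} {''.join(sorted(m))}," for p, m in sorted(files.items())]
    rules += [f"network {fam} {typ}," for fam, typ in sorted(entry["network"])]
    return rules

if __name__ == "__main__":
    for profile, entry in summarize(SAMPLE).items():
        print(profile, *candidate_rules(entry), sep="\n  ")
```
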
[Bug 288942] Re: clamd daemon fails to load
In Ubuntu we have an Apparmor profile for Clamav that Debian does not have. That may be the issue here. You can try

    sudo sh /etc/init.d/apparmor stop

and then see if it works. If it does, that tells us where the problem is.

[Bug 288942] Re: clamd daemon fails to load
Did you set up clamd to use a TCP socket? You add this to /etc/clamav/clamd.conf:

    TCPSocket 3310
    TCPAddr localhost

And then restart clamd:

    sudo /etc/init.d/clamav-daemon restart

I've installed and run this plugin and cannot reproduce your problem.

Re: [Bug 288942] Re: clamd daemon fails to load
Scott,

You are correct. The moment I stopped Apparmor the daemon loaded and clamdrib now works.

I reloaded apparmor and it continues to work; I am thinking load order is an issue. I will try a reboot.

Thanks,
Greg

Scott Kitterman wrote:
> In Ubuntu we have an Apparmor profile for Clamav that Debian does not have. That may be the issue here. You can try
>
>     sudo sh /etc/init.d/apparmor stop
>
> and then see if it works. If it does, that tells us where the problem is.

--
===
Greg Eden
[EMAIL PROTECTED]

Re: [Bug 288942] Re: clamd daemon fails to load 2
Scott,

As you would expect the reboot put me back to the daemon not working. :(

Scott Kitterman wrote:
> In Ubuntu we have an Apparmor profile for Clamav that Debian does not have. That may be the issue here. You can try
>
>     sudo sh /etc/init.d/apparmor stop
>
> and then see if it works. If it does, that tells us where the problem is.

--
===
Greg Eden
[EMAIL PROTECTED]