I just took a closer look and the postinst is clearly wrong. The
freshclam daemon is started before the profile is deployed:

cat /var/lib/dpkg/info/clamav-freshclam.postinst:
...
case "$1" in
  configure)
...

  if [ "$runas" = 'daemon' ]; then
    update-rc.d clamav-freshclam defaults >/dev/null
    invoke-rc.d clamav-freshclam start
  elif [ "$runas" = 'ifup.d' ]; then
...
  fi
  ;;
  abort-upgrade|abort-remove|abort-deconfigure)
  ;;
  *)
  echo "postinst called with unknown argument \`$1'" >&2
  exit 1
  ;;
esac

# AppArmor integration
if [ "$1" = "configure" ]; then
    APP_PROFILE=/etc/apparmor.d/usr.bin.freshclam
    if [ -f "$APP_PROFILE" ]; then
        # Add the local/ include
        LOCAL_APP_PROFILE=/etc/apparmor.d/local/usr.bin.freshclam

        test -e "$LOCAL_APP_PROFILE" || {
            tmp=`mktemp`
        cat <<EOM > "$tmp"
# Site-specific additions and overrides for usr.bin.freshclam.
# For more details, please see /etc/apparmor.d/local/README.
EOM
            mkdir `dirname $LOCAL_APP_PROFILE` 2>/dev/null || true
            mv -f "$tmp" "$LOCAL_APP_PROFILE"
            chmod 644 "$LOCAL_APP_PROFILE"
        }

        # Reload the profile, including any abstraction updates
        if aa-status --enabled 2>/dev/null; then
            apparmor_parser -r -T -W "$APP_PROFILE" || true
        fi
    fi
fi
...

So post-installation, freshclam runs unconfined:

root@bclam:~# aa-status 
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/freshclam
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/clamd
0 profiles are in complain mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/freshclam (823) 


That's something that is better fixed in Debian. I'll try to send a merge 
request through Salsa.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925182

Title:
  ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check
  permissions!)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1925182/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
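As an added example (not part of the bug report or of the clamav package), a POSIX shell check that parses aa-status output for the "unconfined but have a profile defined" state shown in the comment above, run here against a constructed copy of that output; the remediation helper only prints commands and assumes the profile path and service name quoted from the postinst.

```shell
#!/bin/sh
# Constructed sample of aa-status output, mirroring the one in the bug comment.
SAMPLE_AA_STATUS='apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /usr/bin/freshclam
   /usr/sbin/clamd
0 profiles are in complain mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/freshclam (823)'

# Constructed sample of a healthy system: same profiles, nothing unconfined.
CLEAN_AA_STATUS='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/freshclam
   /usr/sbin/clamd
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/bin/freshclam (823)
0 processes are unconfined but have a profile defined.'

# Read aa-status output on stdin; print "path pid" for every process listed in
# the "unconfined but have a profile defined" section (a profile exists but the
# process was started before it was loaded, as the postinst ordering causes).
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { in_section = 1; next }
        /^[0-9]+ (profiles|processes)/ { in_section = 0 }   # next summary line ends it
        in_section && /^ +\// {
            path = $1; pid = $2
            gsub(/[()]/, "", pid)
            print path, pid
        }'
}

# Return 0 when the given aa-status text shows no such process, 1 otherwise.
check_confinement() {
    found=$(printf '%s\n' "$1" | unconfined_with_profile)
    [ -z "$found" ]
}

# Print (do not run) the steps that bring freshclam back under its profile:
# load the profile with the same flags the postinst uses, then restart the
# service so the new process starts confined. Paths assumed from the postinst.
remediation_for_freshclam() {
    printf '%s\n' 'apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.freshclam' \
                  'invoke-rc.d clamav-freshclam restart'
}
```

On a live system, run `aa-status | unconfined_with_profile` after package installation; any output means the daemon is running outside its profile.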
