** Description changed:

- Not sure if this is a bug, or by design (but I would like some
- clarification)
+ [Description]
  
- I recently upgraded my Ubuntu server to 14.04 LTS and notice some error 
messages regarding Apparmor and Freshclam.
- So far I know I didn't had these error message with the previous version 
(13.10).
+ Freshclam is not able to notify clamd about new databases because AppArmor
+ prevents it from connecting to the clamd socket. Clamd will still detect the
+ database update and force reload, but freshclam should be able to notify 
clamd.
+ 
+ AppArmor fixed a bug (LP: #1208988) in its path-based UNIX domain socket
+ mediation in Saucy. AppArmor now requires both read and write permissions for
+ those socket paths but freshclam's profile only grants write permission.
+ 
+ I recently upgraded my Ubuntu server to 14.04 LTS and notice some error
+ messages regarding Apparmor and Freshclam. So far I know I didn't had these
+ error message with the previous version (13.10).
  
  Syslog reports:
  kernel: [ 113.304926] type=1400 audit(1398085083.946:37): apparmor="DENIED" 
operation="connect" profile="/usr/bin/freshclam" name="/run/clamav/clamd.ctl" 
pid=2372 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
  
  Freshclam log reports:
  WARNING: Clamd was NOT notified: Can't connect to clamd through 
/var/run/clamav/clamd.ctl
  
- Any reason why freshclam may not read the clamd.ctl?
- Of course clamd will detect database update and force reload.
- But should freshclam not be able to notify clamd?
+ [Test Case]
+ 
+ * Make sure that /etc/clamav/freshclam.conf contains this line:
+ 
+     NotifyClamd /etc/clamav/clamd.conf
+ 
+ * Manually remove the main database file
+ 
+     $ sudo rm /var/lib/clamav/main.cvd
+ 
+ * Run freshclam
+ 
+     $ sudo freshclam
+ 
+ * Verify the following:
+ 
+     1) It was successful
+     2) There were no warnings about clamd not being notified (see Description)
+     3) There were no AppArmor denials in the system logs (See Description)
+ 
+ [Regression Potential]
+ 
+ There is essentially no regression potential since we're only loosening up the
+ freshclam AppArmor profile by adding read permission on the clamd socket.
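
Review bot: Step 3 of [Test Case] and the [Regression Potential] paragraph leave both the check and the change unstated. Step 3 says only that there should be no AppArmor denials in the system logs; name what to look for, i.e. an apparmor="DENIED" entry with operation="connect" and profile="/usr/bin/freshclam" as in the Syslog excerpt, so the verification is repeatable. The regression paragraph says the profile gains read permission on the clamd socket but does not quote the rule; giving the exact path and permission mask would let a reader confirm the loosening is limited to that one socket. The denial names /run/clamav/clamd.ctl while the freshclam warning names /var/run/clamav/clamd.ctl, so the description should also say which path the profile rule is written against.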

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to clamav in Ubuntu.
https://bugs.launchpad.net/bugs/1313282

Title:
  apparmor="DENIED" for freshclam (CLAMAV)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1313282/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
