** Description changed: - [Description] + [Impact] Freshclam is not able to notify clamd about new databases because AppArmor prevents it from connecting to the clamd socket. Clamd will still detect the database update and force reload, but freshclam should be able to notify clamd. AppArmor fixed a bug (LP: #1208988) in its path-based UNIX domain socket mediation in Saucy. AppArmor now requires both read and write permissions for those socket paths but freshclam's profile only grants write permission. I recently upgraded my Ubuntu server to 14.04 LTS and notice some error messages regarding Apparmor and Freshclam. So far I know I didn't had these error message with the previous version (13.10). Syslog reports: kernel: [ 113.304926] type=1400 audit(1398085083.946:37): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/clamav/clamd.ctl" pid=2372 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=110 ouid=110 Freshclam log reports: WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl [Test Case] * Make sure that /etc/clamav/freshclam.conf contains this line: - NotifyClamd /etc/clamav/clamd.conf + NotifyClamd /etc/clamav/clamd.conf * Manually remove the main database file - $ sudo rm /var/lib/clamav/main.cvd + $ sudo rm /var/lib/clamav/main.cvd * Run freshclam - $ sudo freshclam + $ sudo freshclam * Verify the following: - 1) It was successful - 2) There were no warnings about clamd not being notified (see Description) - 3) There were no AppArmor denials in the system logs (See Description) + 1) It was successful and printed "Clamd successfully notified about the + update." + 2) There were no warnings about clamd not being notified (see Impact) + 3) There were no AppArmor denials in the system logs (see Impact) [Regression Potential] There is essentially no regression potential since we're only loosening up the freshclam AppArmor profile by adding read permission on the clamd socket.
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to clamav in Ubuntu. https://bugs.launchpad.net/bugs/1313282 Title: apparmor="DENIED" for freshclam (CLAMAV) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1313282/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
