apparmor="DENIED" for freshclam (CLAMAV)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
clamav (Ubuntu) |
Fix Released
|
High
|
Tyler Hicks | ||
Trusty |
Fix Released
|
High
|
Scott Kitterman | ||
Utopic |
Fix Released
|
High
|
Tyler Hicks |
Bug Description
[Impact]
Freshclam is not able to notify clamd about new databases because AppArmor
prevents it from connecting to the clamd socket. Clamd will still detect the
database update and force reload, but freshclam should be able to notify clamd.
AppArmor fixed a bug (LP: #1208988) in its path-based UNIX domain socket
mediation in Saucy. AppArmor now requires both read and write permissions for
those socket paths but freshclam's profile only grants write permission.
I recently upgraded my Ubuntu server to 14.04 LTS and notice some error
messages regarding Apparmor and Freshclam. So far I know I didn't had these
error message with the previous version (13.10).
Syslog reports:
kernel: [ 113.304926] type=1400 audit(139808508
Freshclam log reports:
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/
[Test Case]
* Make sure that /etc/clamav/
NotifyClamd /etc/clamav/
* Manually remove the main database file
$ sudo rm /var/lib/
* Run freshclam
$ sudo freshclam
* Verify the following:
1) It was successful and printed "Clamd successfully notified about the
update."
2) There were no warnings about clamd not being notified (see Impact)
3) There were no AppArmor denials in the system logs (see Impact)
[Regression Potential]
There is essentially no regression potential since we're only loosening up the
freshclam AppArmor profile by adding read permission on the clamd socket.
Changed in clamav (Ubuntu): | |
importance: | Undecided → Medium |
Changed in clamav (Ubuntu): | |
assignee: | nobody → Tyler Hicks (tyhicks) |
importance: | Medium → High |
Changed in clamav (Ubuntu Trusty): | |
status: | New → Fix Committed |
status: | Fix Committed → In Progress |
Changed in clamav (Ubuntu Utopic): | |
status: | Triaged → Fix Committed |
Changed in clamav (Ubuntu Trusty): | |
importance: | Undecided → High |
assignee: | nobody → Scott Kitterman (kitterman) |
milestone: | none → ubuntu-14.04.1 |
description: | updated |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
It's not intentional. Thanks for the report.