Apparmor message

Asked by William Pabon

Every time after I boot up my machine I get an Apparmor message saying something about 1 denied message (see pic below).

https://drive.google.com/open?id=0B_ZOUN6JcLCXOUlhemdpam9BS28

Per message suggestion, I verified the /var/log/kern.log and yes, the message is there:

https://drive.google.com/open?id=0B_ZOUN6JcLCXMzBfaWtrbkh1cWs

After a few seconds, the message disappears from the screen and the pc functions normally. Is there anything I can do to get rid of the message? Thanks.

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee

This question was reopened

daniel CURTIS (anoda) said :
#1

Hi William. According to the /var/log/kern.log message, you have to add one rule to the /etc/apparmor.d/usr.bin.freshclam profile. To do this, please:

1) edit the /etc/apparmor.d/usr.bin.freshclam profile (here is an example with the leafpad text editor):

$ sudo leafpad /etc/apparmor.d/usr.bin.freshclam

2) add this rule, related to the DENIED entry (/proc/2453/status and requested/denied_mask="r"):

@{PROC}/[0-9]*/status r,

3) save the file and load the "new" profile into the Linux kernel with the apparmor_parser(8) utility:

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam

NOTE: after the first step you will need to enter your user password (because of sudo(8)). I don't know which Ubuntu version you are using -- I'm asking because of the AppArmor version.

I hope that it will help you.

Best regards.

daniel CURTIS (anoda) said :
#2

Hi. I'm sorry for writing messages one by one. One more thing: in my post I used the leafpad editor. You have to check which one is installed on your system. It can be, for example, gedit, nano(1) (which is - if I remember correctly - always installed), etc. If you decide to use the nano(1) editor then you should:

1) edit the freshclam AppArmor profile:

$ sudo nano /etc/apparmor.d/usr.bin.freshclam

2) add the rule related to the /proc entry:

@{PROC}/[0-9]*/status r,

3) save changes and exit:

press 'ctrl + o' then 'Enter' -- to save changes
press 'ctrl + x' then 'Enter' -- to exit

4) load the "new" freshclam profile into the Linux kernel:

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam

That's all. On the next system boot there should not be any AppArmor error, at least not one related to freshclam. Once again -- sorry for the double messages.

Cheers.

daniel CURTIS (anoda) said :
#3

Geez! One more thing: the /proc rule (see step 2) should be added between these (this is an example):

# Last Modified: Sun 23 Apr 13:24

/usr/bin/freshclam {
       #include <tunables/global>
       #include <abstractions/*>
       #include <abstractions/*>

RULES...

@{PROC}/[0-9]*/status r,

}

So, the /proc rule must be somewhere between "/usr/bin/freshclam {" and "}".

William Pabon (williepabon) said :
#4

Daniel:
Thanks for answering. I'll try to follow your instructions, but dealing with kernel stuff is, for me, treading in unfamiliar territory. I'm showing below the contents of my usr.bin.freshclam file so that you can see it and advise where to add the rule you are talking about. One thing I didn't tell you is that there are two DENIED messages in the kernel log. One has a PID=2453, and the other has a PID=7504.

The content of the file:

# vim:syntax=apparmor
# Author: Jamie Strandboge <email address hidden>
# Last Modified: Sun Aug 3 09:39:03 2008

#include <tunables/global>

/usr/bin/freshclam {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability setgid,
  capability setuid,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  /etc/clamav/clamd.conf r,
  /etc/clamav/freshclam.conf r,
  /etc/clamav/onerrorexecute.d/* mr,
  /etc/clamav/onupdateexecute.d/* mr,
  /etc/clamav/virusevent.d/* mr,

  owner @{HOME}/.clamtk/db/ rw,
  owner @{HOME}/.clamtk/db/** rwk,

  owner @{HOME}/.klamav/database/ rw,
  owner @{HOME}/.klamav/database/** rwk,

  /usr/bin/freshclam mr,

  /var/lib/clamav/ r,
  /var/lib/clamav/** krw,

  /var/log/clamav/* kw,
  /{,var/}run/clamav/freshclam.pid w,
  /{,var/}run/clamav/clamd.ctl rw,

  deny /{,var/}run/samba/{gencache,unexpected}.tdb mrwkl,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.freshclam>
}

Info about my machine:

williepabon@WP-Macmini:~$ lsb_release -a
LSB Version: core-9.20160110ubuntu0.2-amd64:core-9.20160110ubuntu0.2-noarch:printing-9.20160110ubuntu0.2-amd64:printing-9.20160110ubuntu0.2-noarch:security-9.20160110ubuntu0.2-amd64:security-9.20160110ubuntu0.2-noarch
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
williepabon@WP-Macmini:~$ uname -a
Linux WP-Macmini 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
williepabon@WP-Macmini:~$

Thanks again.
wp

daniel CURTIS (anoda) said :
#5

Hi William. Thank you for the additional information. You're using the 16.04 LTS release with a newer AppArmor version. So, I think that the /proc rule should look this way:

@{PROC}/@{pid}/status r,

As you can see, in the newer AppArmor version the process pid number is written as "@{pid}". The older version used "[0-9]*". Don't worry about the two DENIED entries and pid numbers -- this rule will take care of all future process pids.

I think you can add the above rule ("@{PROC}/@{pid}/status r,") for example after the two "capability" rules and before the "@{PROC}/filesystems r," rule. So, it will look like:

#include <tunables/global>

/usr/bin/freshclam {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability setgid,
  capability setuid,

  ## Rule added because of requested/denied_mask="r"
  ## and AppArmor message after system boot up;
  @{PROC}/@{pid}/status r,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  [THE REST OF THE PROFILE...]

Save the freshclam profile and load the "new" one into the Linux kernel using the apparmor_parser(8) utility (see my posts above).

Best regards.

daniel CURTIS (anoda) said :
#6

Wait a moment! There is already a rule for 'status' -- "owner @{PROC}/[0-9]*/status r,". Sorry, I didn't notice it. So, please try to remove that second rule and leave this one: "@{PROC}/@{pid}/status r,". Of course, add an "owner" prefix. So, now it will look this way:

owner @{PROC}/@{pid}/status r,

And load the profile with the apparmor_parser(8) utility. I'm wondering why there is a DENIED message, since there is already a rule for 'status'. Maybe the reason is the new AppArmor version and changes in how rules are written? I mean "@{pid}" instead of "[0-9]*" (which is in your profile). I'm not quite sure. We will see.

Cheers.

William Pabon (williepabon) said :
#7

Daniel:
I thank you very much for your efforts to clarify and resolve the issue. I will include in the file your last suggestion and will consider this question solved. Thanks again.
wp

William Pabon (williepabon) said :
#8

Daniel:
I'm sorry to report that the Apparmor message started to appear again. I believe that it came after a recent kernel update. But now the DENIED messages are different. The URLs below show those:

https://drive.google.com/open?id=0B_ZOUN6JcLCXVW01T1I1UHRubTg

https://drive.google.com/open?id=0B_ZOUN6JcLCXRWFLTEZmNE0tVVU

As I told you before, doing kernel modifications is unfamiliar territory to me, so I need careful advice (I really would not like to mess things up in the kernel). This is the latest kernel installed.

williepabon@WP-Macmini:~$ uname -a
Linux WP-Macmini 4.4.0-75-generic #96-Ubuntu SMP Thu Apr 20 09:56:33 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Thanks again for your help.
wp

William Pabon (williepabon) said :
#9

Daniel:

Don't know how to explain this, but the DENIED messages stopped showing on the past two days! Checked the kern.log file and there are no DENIED messages for days 4/28 and 4/29. Maybe the system heals itself! I'm astonished. Just to inform you. Thanks.

William Pabon (williepabon) said :
#10

Daniel:
Apparently, every time there's an update in the kernel (yesterday it was updated to 4.4.0-77-generic) I get the infamous AppArmor message. I will monitor for how many days it keeps showing. Thanks.
wp

daniel CURTIS (anoda) said :
#11

Hello William. I'm sorry for such a long time without an answer. The DENIED entries from your post #8 are related to Evince - a document (PostScript, PDF) viewer - and dbus, which is a "simple interprocess messaging system". You are using 16.04 LTS (just like me) and I think that the Evince profile already contains all the needed <abstractions/dbus-*> rules. However, something is missing. (Just as with Firefox; see <https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1659988>, where more dbus-related rules are also needed.)

Honestly, I've never noticed such entries - I also use Evince. If you want, you can try to add something like this:

* 1st link (<https://drive.google.com/file/d/0B_ZOUN6JcLCXVW01T1I1UHRubTg/view>):

Open the Evince profile (it's the "/etc/apparmor.d/usr.bin.evince" file) and find the "/usr/bin/evince-previewer {" section.

dbus send
          bus=system
          interface=org.freedesktop.Avahi.Server
          member={ServiceBrowserNew},

* 2nd link (<https://drive.google.com/file/d/0B_ZOUN6JcLCXRWFLTEZmNE0tVVU/view>):

The same place as above: the "/usr/bin/evince-previewer" section.

dbus send
         bus=system
         path=/org/freedesktop/ColorManager
         interface=org.freedesktop.DBus.Properties
         member={GetAll},

Of course, try to load the "new" profile with the apparmor_parser(8) utility. See my first post - there is the proper command to use. I have no idea why Evince is complaining about these things.

William, please remember that I could be wrong. I don't understand these new dbus rules well yet. If some problems arise while loading the "new" profile, please paste them here, remove the above rules from the Evince profile and - of course - reload the profile. It will be simpler to find a solution that way.

Best regards.
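The recurring task in this thread is turning a DENIED line from /var/log/kern.log into a profile rule (posts #1 and #5 for the /proc/PID/status access, post #11 for the dbus calls), and post #6 asks why a denial appears at all when the profile already carries "owner @{PROC}/[0-9]*/status r,". The Python script below is an added example, not code from this thread or from the AppArmor project. It parses constructed sample audit lines (pids, uids and timestamps are made up), proposes one candidate rule per confined profile in the "@{pid}" form from post #5 and the "dbus send" form from post #11, and checks whether an existing rule would have covered the access. Two simplifications are assumptions of the example: only the @{PROC} and @{pid} tunables are expanded, and the "owner" condition is approximated as the task's fsuid being equal to the file's ouid, which is what the audit line reports.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules and check
whether a rule already present in the profile would have covered the access.
Added example; the log excerpt below is constructed, not taken from the thread."""
import re

# Constructed kern.log excerpt in the two shapes AppArmor uses: type=1400 for
# file access and type=1107 (wrapped in msg='...') for D-Bus mediation.
SAMPLE_LOG = """\
[   12.345678] audit: type=1400 audit(1493000000.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/2453/status" pid=2453 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[   13.000000] audit: type=1400 audit(1493000000.900:46): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/proc/7504/status" pid=7504 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
[   20.111111] audit: type=1107 audit(1493000010.000:50): pid=1 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/ColorManager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.ColorManager" pid=3100 label="/usr/bin/evince-previewer" peer_pid=900 peer_label="unconfined"'
[   21.000000] audit: type=1400 audit(1493000011.000:51): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/etc/clamav/freshclam.conf" pid=2453 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
"""

# key="quoted value" or key=bareword
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one audit line as a dict."""
    line = re.sub(r"msg='(.*)'$", r"\1", line.strip())  # unwrap the type=1107 envelope
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def parse_denials(text):
    """Keep only the lines AppArmor actually blocked."""
    return [e for e in map(parse_line, text.splitlines()) if e.get("apparmor") == "DENIED"]


def suggest_rule(e):
    """Build one candidate rule from a denial; it is a starting point for review,
    not something to paste blindly into the profile."""
    if e.get("operation", "").startswith("dbus_"):
        parts = ["dbus", e.get("mask", "send"), "bus=" + e["bus"]]
        parts += [k + "=" + e[k] for k in ("path", "interface", "member") if k in e]
        return " ".join(parts) + ","
    # Generalise the per-process path with the @{pid} tunable (post #5's form).
    path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", e["name"])
    mask = "".join(sorted(set(e["denied_mask"])))
    # Heuristic (assumption): the owner qualifier only fits when the task's fsuid
    # matches the file's owner uid; here 113 != 0, so no "owner" prefix.
    prefix = "owner " if e.get("fsuid") == e.get("ouid") else ""
    return prefix + path + " " + mask + ","


def suggest_rules(text):
    """Map each confined profile to its de-duplicated candidate rules."""
    out = {}
    for e in parse_denials(text):
        rules = out.setdefault(e.get("profile") or e.get("label"), [])
        rule = suggest_rule(e)
        if rule not in rules:
            rules.append(rule)
    return out


AA_VARS = {"@{PROC}": "/proc", "@{pid}": "[0-9]+"}  # subset of tunables/global (assumption)


def aa_glob_to_regex(pattern):
    """Translate an AppArmor path glob into a Python regex (subset of the syntax)."""
    out, i = [], 0
    while i < len(pattern):
        for var, repl in AA_VARS.items():
            if pattern.startswith(var, i):
                out.append(repl)
                i += len(var)
                break
        else:
            c = pattern[i]
            if pattern.startswith("**", i):      # ** crosses directory boundaries
                out.append(".*"); i += 2
            elif c == "*":                       # * stops at the next /
                out.append("[^/]*"); i += 1
            elif c == "?":
                out.append("[^/]"); i += 1
            elif c == "[":                       # character class, copied as-is
                j = pattern.index("]", i); out.append(pattern[i:j + 1]); i = j + 1
            elif c == "{":                       # {a,b} alternation
                j = pattern.index("}", i)
                out.append("(" + "|".join(re.escape(a) for a in pattern[i + 1:j].split(",")) + ")")
                i = j + 1
            else:
                out.append(re.escape(c)); i += 1
    return "^" + "".join(out) + "$"


def rule_covers(rule, e):
    """True if an existing file rule would have allowed the denied access."""
    tokens = rule.strip().rstrip(",").split()
    owner = tokens[0] == "owner"
    pattern, perms = tokens[1:][:2] if owner else tokens[:2]
    if not re.match(aa_glob_to_regex(pattern), e["name"]):
        return False
    if not set(e["denied_mask"]) <= set(perms):
        return False
    return (not owner) or (e.get("fsuid") is not None and e.get("fsuid") == e.get("ouid"))


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# candidate rules for " + profile)
        for r in rules:
            print("  " + r)
    first = parse_denials(SAMPLE_LOG)[0]
    print("existing owner rule covers first denial:",
          rule_covers("owner @{PROC}/[0-9]*/status r,", first))
```

Run as-is it prints one "@{PROC}/@{pid}/status r," rule for freshclam (the two pids collapse into it) and one "dbus send ..." rule for evince-previewer, and reports that the profile's existing "owner" rule does not cover the first denial because fsuid 113 differs from ouid 0. The stock aa-logprof tool from apparmor-utils does this job with the full rule syntax; the value of a small script like this is seeing exactly why a rule that looks right still lets a DENIED through.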

Launchpad Janitor (janitor) said :
#12

This question was expired because it remained in the 'Open' state without activity for the last 15 days.