Binary package hint: clamav
havp content scanner can use clamav to scan for viruses in downloaded files. It can use either libclamav or clamav daemon through socket. When the latter is selected havp fails to start and an entry is made in havp/error.log
TEST CASE:
1. install apparmor, clamav-daemon and havp
1a. usermod -a -G havp clamav (and restart clamav-daemon) !
2. configure havp to use clamav-daemon for scanning, edit /etc/havp/havp.config:
ENABLECLAMLIB false
ENABLECLAMD true
CLAMDSOCKET /var/run/clamav/clamd.ctl
3. try (re)starting havp, it should not start, with the following message:
root@utest-jj:/etc/havp# /etc/init.d/havp start
Mounting /var/lib/havp/havp.loop under /var/spool/havp ...done
Cleaning up /var/spool/havp... done
Starting havp: Starting HAVP Version: 0.89
One or more scanners failed to initialize!
Check errorlog for errors.
Exiting..
4. check the logs for errors
/var/log/havp/error.log:
03/09/2009 14:32:24 === Starting HAVP Version: 0.89
03/09/2009 14:32:24 Running as user: havp, group: havp
03/09/2009 14:32:24 --- Initializing Clamd Socket Scanner
03/09/2009 14:32:24 ERROR: Clamd Socket Scanner failed EICAR virus test! (Access denied.)
/var/log/messages:
Sep 3 14:32:24 utest-jj kernel: [192255.269799] type=1503 audit(1251977544.838:15): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=110 name="/var/spool/havp/havp-iwGmjS" pid=6734 profile="/usr/sbin/clamd"
It means clamd doesn't have access to havp's temporary files to scan them.
5. regression potential is considered very low, as the only change was to make apparmor less restrictive
Here's a possible solution for modifying clamd's apparmor profile.