Ubuntu
clamav package

apparmor deny freshclam mask="r" on /var/run/samba/unexpected.tdb

Bug #752833 reported by Léa GRIS on 2011-04-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	clamav (Ubuntu)	Fix Released	Undecided	Scott Kitterman
	Maverick	Won't Fix	Undecided	Unassigned

Bug Description

Binary package hint: clamav-freshclam

Package version : 0.96.5+dfsg-1ubuntu1.10.10.2 (maverick-updates)

kern.log fills with Apr 5 17:55:08 lea-desktop kernel: [856121.953216] type=1400 audit(1302018908.231:3436): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/var/run/samba/unexpected.tdb" pid=2407 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0

apparmor profile troo restrictive for clamav-fresclam
Hint: /etc/apparmor.d/usr.bin.freshclam

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: clamav-freshclam 0.96.5+dfsg-1ubuntu1.10.10.2
ProcVersionSignature: Ubuntu 2.6.35-28.49-generic 2.6.35.11
Uname: Linux 2.6.35-28-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Wed Apr 6 21:13:51 2011
ProcEnviron:
LANGUAGE=fr_FR:en
PATH=(custom, no user)
LANG=fr_FR.UTF-8
SHELL=/bin/bash
SourcePackage: clamav

Tags:

Related branches

lp:ubuntu/oneiric/clamav

Revision history for this message

Léa GRIS (lea-gris) wrote on 2011-04-06:

Dependencies.txt Edit (1.1 KiB, text/plain; charset="utf-8")

Serge Hallyn (serge-hallyn) on 2011-04-06

tags:

added: apparmor

Dave Walker (davewalker) on 2011-04-19

Changed in clamav (Ubuntu):
status:	New → Confirmed
Changed in clamav (Ubuntu Maverick):
status:	New → Confirmed

Revision history for this message

Imre Gergely (cemc) wrote on 2011-08-19:

lea-gris: can you post some specifics about that system, what's it used for or what samba-related stuff do you have set up, did you make any changes to freshclam's config, etc. ?

I'm curious as to why freshclam tries to access that file.

Revision history for this message

Léa GRIS (lea-gris) wrote on 2011-08-19:

This was with default configuration. Since I re-installed with 11.04 and did not bring back Clamav so it no longer log this error.

Revision history for this message

Imre Gergely (cemc) wrote on 2011-08-25:

usr.bin.freshclam-oneiric.diff Edit (434 bytes, text/plain)

Talked it over with jdstrand, and the conclusion is that we will add another deny rule (or better yet, extend the existing one), to stop the log spamming. I've attached the rule suggested by jdstrand.
We can't really reproduce this bug but the rule can be added safely as it doesn't change the default behavior, the access still gets denied, but not logged anymore.
With this rule added, freshclam works the same.

Revision history for this message

Léa GRIS (lea-gris) wrote on 2011-08-25:

Thank you so much for the patch. The new silent rules makes sense.
Your follow-up on that not-reproduced and minor bug is greatly appreciated.
Regards.

Scott Kitterman (kitterman) on 2011-08-25

Changed in clamav (Ubuntu):
assignee:	nobody → Scott Kitterman (kitterman)
status:	Confirmed → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-08-25:

This bug was fixed in the package clamav - 0.97.2+dfsg-1ubuntu2

---------------
clamav (0.97.2+dfsg-1ubuntu2) oneiric; urgency=low

  [ Imre Gergely ]
  * Fix clamd apparmor profile to work with mimedefang (LP: #829089)
  * Stop samba related log spamming from freshclam apparmor profile
    (LP: #752833)
-- Scott Kitterman <email address hidden> Thu, 25 Aug 2011 08:43:22 -0400