[Pkg-clamav-devel] Bug#902601: freshclam apparmor profile prevents some operations

Robie Basak robie.basak at ubuntu.com
Thu Jun 28 10:27:53 BST 2018


Package: clamav-freshclam
Version: 0.100.0+dfsg-1
Tags: patch
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu cosmic ubuntu-patch

Hi,

We've received a downstream report of the following AppArmor denial:

Jun 26 16:31:12 localhost kernel: [21690.397358] audit: type=1400 audit(1530048672.329:116): apparmor="DENIED" operation="rename_src" profile="/usr/bin/freshclam" name="/var/log/clamav/freshclam.log" pid=2604 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=121 ouid=121

The suggestion is to change, in debian/usr.bin.freshclam:

  /var/log/clamav/* kw,

to:

  /var/log/clamav/* krw,

Downstream bug:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1778812

Upstream discussion:
https://lists.ubuntu.com/archives/apparmor/2018-June/011711.html

Here's the patch:

diff --git a/debian/usr.bin.freshclam b/debian/usr.bin.freshclam
index de970a4..90490ac 100644
--- a/debian/usr.bin.freshclam
+++ b/debian/usr.bin.freshclam
@@ -32,7 +32,7 @@
   /var/lib/clamav/ r,
   /var/lib/clamav/** krw,
 
-  /var/log/clamav/* kw,
+  /var/log/clamav/* krw,
   /{,var/}run/clamav/freshclam.pid w,
   /{,var/}run/clamav/clamd.ctl rw,
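
Review bot: On the changed line `/var/log/clamav/* krw,`, the added `r` covers every file directly under /var/log/clamav/, while the denial quoted in the report names only /var/log/clamav/freshclam.log with operation="rename_src" and denied_mask="r". Please add a profile comment above the rule recording that read access is there for the log rename, so the wider grant is not later mistaken for an oversight, and confirm on a test system that the rename succeeds with no further denials, since the message says the change has not been verified. The result matches the existing `/var/lib/clamav/** krw,` rule in the context lines, so it is consistent with the rest of the profile.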

I haven't verified this, but it seems trivial and reasonable enough that
I think it should be fine just to land.

Thanks,

Robie
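
The check behind the proposed change, as an added example that is not part of the original message or of the clamav packaging: it parses the denial quoted in the report and compares its denied_mask against the file rules visible in the hunk. The function names are hypothetical, the glob handling is a simplification that covers only `*` and `**` (not `{a,b}` alternation), and the mapping of the log masks `c` and `d` to the profile permission `w` is included as a generalisation beyond this report.

```python
import re

# The denial quoted in the report, embedded so the example runs offline.
SAMPLE_DENIAL = (
    'Jun 26 16:31:12 localhost kernel: [21690.397358] audit: type=1400 '
    'audit(1530048672.329:116): apparmor="DENIED" operation="rename_src" '
    'profile="/usr/bin/freshclam" name="/var/log/clamav/freshclam.log" '
    'pid=2604 comm="freshclam" requested_mask="r" denied_mask="r" '
    'fsuid=121 ouid=121'
)

# File rules visible in the hunk, before and after the one-line change.
RULES_BEFORE = [("/var/lib/clamav/", "r"), ("/var/lib/clamav/**", "krw"),
                ("/var/log/clamav/*", "kw")]
RULES_AFTER = RULES_BEFORE[:2] + [("/var/log/clamav/*", "krw")]

# Log masks report create (c) and delete (d); in a profile both fall under w.
LOG_TO_RULE = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stops at '/', '**' does not."""
    parts = re.split(r"(\*\*|\*)", glob)
    body = "".join({"**": ".*", "*": "[^/]*"}.get(p, re.escape(p)) for p in parts)
    return re.compile(body + r"\Z")


def missing_perms(line, rules):
    """Return (path, missing perms); matching rules are unioned, as AppArmor does."""
    d = parse_denial(line)
    if d is None:
        return None
    granted = set()
    for glob, perms in rules:
        if glob_to_regex(glob).match(d["name"]):
            granted |= set(perms)
    wanted = {LOG_TO_RULE.get(c, c) for c in d["denied_mask"]}
    return d["name"], "".join(sorted(wanted - granted))


if __name__ == "__main__":
    print(missing_perms(SAMPLE_DENIAL, RULES_BEFORE))
    print(missing_perms(SAMPLE_DENIAL, RULES_AFTER))
```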