[pkg-apparmor] Bug#959915: Bug#959915: redundant freshclam profile since it's shipped in-package

Christian Boltz debian-bugs at cboltz.de
Mon May 25 20:19:48 BST 2020


Hello,

On Monday, 25 May 2020, 11:22:01 CEST, intrigeri wrote:
> FTR, here's the profile shipped in the clamav-freshclam package:
> https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/usr.bin.freshclam
> It has been updated a few times in the last few years.
> 
> And here's the upstream one from the AppArmor project:
> https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/profiles/extras/usr.bin.freshclam
> It has been updated once in the last 10 years.

... and it works on my openSUSE servers (and nobody reported issues from 
other distros), which means there was no reason for additional updates 
;-)

> I would love to see cross-distro collaboration on this profile, but
> our current infrastructure & processes are not ready for that yet,
> and I lack time/energy to push this forward myself.

I compared both profiles, and to cover both Debian and openSUSE, you'd 
need to add the following lines to the Debian profile:


  #include <abstractions/consoles>   # rule exists since the original 
                # profile version in 2006, no idea if it's really needed

  # openSUSE configfile paths
  /etc/clamd.conf r,
  /etc/freshclam.conf r,

I'd recommend changing the pidfile rule to have the owner restriction 
if possible:
  #    /{,var/}run/clamav/freshclam.pid w,  # from Debian profile
  owner /{,var/}run/clamav/freshclam.pid w,  # upstream profiles/extra

I also wonder about ~/.clamtk/db/ and ~/.klamav/database/ (which I 
obviously don't need for server usage) - but I'm sure Jamie had good 
reasons to allow that ;-)


If you open a merge request upstream, I'll happily review it ;-)
Feel free to commit the Debian profile + the additional rules listed 
above - that's probably easier than integrating the profiles the other 
way round.


Regards,

Christian Boltz
-- 
>> emoenke at ftp4:4 /mirr/bin > du -s /pub/opensuse/distribution/*
> Using `du -sh` might be more readable. ;-)
Not for me - only for so called "humans".
[> houghi and Eberhard Moenkeberg in opensuse]
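
The comparison described in the message above can be scripted. The following is an added example, not part of the original mail and not AppArmor project code: it lists the rules one profile needs in order to cover another, and the rules the other profile restricts with `owner`. The two excerpts are constructed from the rules quoted in the message (plus `abstractions/base` as a shared line), and the function names are hypothetical.

```python
import re

# Constructed excerpts, not the full Debian or upstream profiles.
DEBIAN_EXCERPT = """
  #include <abstractions/base>
  /{,var/}run/clamav/freshclam.pid w,
"""
UPSTREAM_EXCERPT = """
  #include <abstractions/base>
  #include <abstractions/consoles>   # present since 2006
  /etc/clamd.conf r,
  /etc/freshclam.conf r,
  owner /{,var/}run/clamav/freshclam.pid w,
"""

def parse_rules(text):
    """Return the set of normalized rules and includes in a flat profile excerpt."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#include"):
            # '#include <...>' is a directive, not a comment; drop a trailing comment
            line = re.split(r"\s+#", line, maxsplit=1)[0]
        else:
            line = line.split("#", 1)[0]  # ordinary or commented-out line
        line = " ".join(line.rstrip(", ").split())
        if not line or line.endswith("{") or line == "}":
            continue  # skip blanks and profile/block delimiters
        rules.add(line)
    return rules

def strip_owner(rule):
    """Remove a leading 'owner' qualifier so rules can be matched by path and mode."""
    return rule[len("owner "):] if rule.startswith("owner ") else rule

def compare(base, other):
    """Return (rules missing from base, rules that other tightens with 'owner')."""
    base_rules, other_rules = parse_rules(base), parse_rules(other)
    base_bare = {strip_owner(r) for r in base_rules}
    to_add = sorted(r for r in other_rules if strip_owner(r) not in base_bare)
    tighten = sorted(r for r in other_rules
                     if r.startswith("owner ") and strip_owner(r) in base_rules)
    return to_add, tighten

if __name__ == "__main__":
    to_add, tighten = compare(DEBIAN_EXCERPT, UPSTREAM_EXCERPT)
    print("add to base profile:", *to_add, sep="\n  ")
    print("same rule, owner-restricted in other profile:", *tighten, sep="\n  ")
```

The parser only handles one rule per line and ignores nesting, so it is a review aid for flat profiles such as this one rather than a full AppArmor parser.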