[Pkg-clamav-devel] Bug#913020: Bug#913020: clamd: apparmor denials: cap net_admin, openssl.conf
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Thu Nov 8 22:20:42 GMT 2018
intrigeri, I added you on Cc since you were a help the last time
apparmor came around.
On 2018-11-06 10:45:15 [+0800], Paul Wise wrote:
> Package: clamav-daemon
> Version: 0.100.2+dfsg-1
> Severity: normal
> File: /etc/apparmor.d/usr.sbin.clamd
> Usertags: apparmor
>
> When I restart clamav-daemon I get two apparmor denials in syslog:
>
> AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=13277 comm="clamd" capability=12 capname="net_admin"
> AVC apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=13277 comm="clamd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
I have no idea what the first one is one about. If this is related to
#903834 then I think I know what I have to do.
The second one should be required by every application using libssl. Is
there a general rule where it could be allowed for every application to
just read the openssl.cnf file or is the clamd profile too restrictive
and not allowing it by default?
Sebastian
More information about the Pkg-clamav-devel
mailing list