[Pkg-clamav-devel] Bug#972974: Bug#972974: clamav-freshclam start faild.

Michael Borgelt michael at borgelt.org
Thu Oct 29 17:47:40 GMT 2020


Success.
After adding 'capability dac_override' AND 'capability chown' to the
/etc/apparmor.d/usr.bin.freshclam profile, clamav-freshclam starts
successfully.
To start clamav-daemon successfully, you also have to set 'capability chown'
in '/etc/apparmor.d/usr.sbin.clamd'.

Thank you
Michael.

Quoting jean-christophe manciot <actionmystique at gmail.com>:

> I've just realized that lchown is only a system call, so it must be
> used from within /usr/bin/freshclam.
>
> On Thu, Oct 29, 2020 at 9:33 AM jean-christophe manciot
> <actionmystique at gmail.com> wrote:
>>
>> I have tried to add to /etc/apparmor.d/local/usr.bin.freshclam:
>>   capability dac_override,
>>
>> and restarted apparmor then clamav-freshclam, the issue is still there:
>> # echo 'q' | sudo systemctl --no-pager --full status clamav-freshclam
>> ● clamav-freshclam.service - ClamAV virus database updater
>>      Loaded: loaded (/lib/systemd/system/clamav-freshclam.service;
>> enabled; vendor preset: enabled)
>>      Active: failed (Result: exit-code) since Thu 2020-10-29 09:06:06
>> CET; 42s ago
>>        Docs: man:freshclam(1)
>>              man:freshclam.conf(5)
>>              https://www.clamav.net/documents
>>     Process: 966650 ExecStart=/usr/bin/freshclam -d --foreground=true
>> (code=exited, status=9)
>>    Main PID: 966650 (code=exited, status=9)
>>
>> Oct 29 09:06:06 hostname systemd[1]: Started ClamAV virus database updater.
>> Oct 29 09:06:06 hostname freshclam[966650]: ERROR: lchown to user
>> 'clamav' failed on
>> Oct 29 09:06:06 hostname freshclam[966650]: log file
>> '/var/log/clamav/freshclam.log'.
>> Oct 29 09:06:06 hostname freshclam[966650]: Error was 'Operation  
>> not permitted'
>> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
>> -> ^lchown to user 'clamav' failed on log file
>> '/var/log/clamav/freshclam.log'.  Error was 'Operation not permitted'
>> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
>> -> !Failed to switch to clamav user.
>> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Main
>> process exited, code=exited, status=9/n/a
>> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Failed
>> with result 'exit-code'.
>>
>> The error message regarding 'lchown' is strange: I have checked
>> /etc/init.d/clamav-freshclam, and also config and postinst included in
>> the DEBIAN folder of the package, none includes such a call.
>> However, postinst does include 'chown "$dbowner":adm
>> $FRESHCLAMLOGFILE' (with dbowner=clamav and
>> FRESHCLAMLOGFILE=/var/log/clamav/freshclam.log), so lchown does not
>> seem necessary wherever it is located.
>>
>> On Thu, Oct 29, 2020 at 12:07 AM Sebastian Andrzej Siewior
>> <sebastian at breakpoint.cc> wrote:
>> >
>> > On 2020-10-27 07:22:22 [+0000], Michael Borgelt wrote:
>> > > I have tried different permissions for the file and the directory without
>> > > success. The above permissions are after a clean reinstall of clamav
>> > > package.
>> >
>> > The problem appears to be the apparmor or freshclam's profile for it. So
>> > disabling apparmor should make freshclam work again.
>> > Probably adding
>> > |         capability dac_override,
>> >
>> > to the profile will help, too. I will test it later today…
>> >
>> > Sebastian
>>
>>
>>
>> --
>> Jean-Christophe
>
>
>
> --
> Jean-Christophe



-- 
Michael Borgelt
e-mail: Michael at borgelt.org
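
Added example, not part of the original mails: instead of adding capabilities by trial, this Python code reads AppArmor capability denials from kernel audit lines and lists the `capability` rules a profile still lacks. The log lines, the profile text and all function names are constructed for illustration.

```python
import re

# Fields the kernel logs for an AppArmor capability denial.
DENIAL = re.compile(r'apparmor="DENIED" operation="capable" '
                    r'profile="([^"]+)".*?capname="([a-z_]+)"')
# Allow rules: "capability chown,", "capability chown dac_override,", "capability,".
# "deny capability ..." does not match, so it is never counted as a grant.
RULE = re.compile(r'^\s*(?:audit\s+)?capability\b([^,]*),', re.MULTILINE)

def denied_capabilities(log_lines):
    """Map profile name -> set of capability names reported as denied."""
    denied = {}
    for line in log_lines:
        m = DENIAL.search(line)
        if m:
            denied.setdefault(m.group(1), set()).add(m.group(2))
    return denied

def granted_capabilities(profile_text):
    """Capabilities a profile allows; None means a bare 'capability,' (all)."""
    granted = set()
    for body in RULE.findall(re.sub(r'#.*', '', profile_text)):  # comments dropped
        caps = body.split()
        if not caps:
            return None
        granted.update(caps)
    return granted

def rules_to_add(log_lines, profile_name, profile_text):
    """Rule lines for the profile (or its local/ override) that are still missing."""
    granted = granted_capabilities(profile_text)
    if granted is None:
        return []
    wanted = denied_capabilities(log_lines).get(profile_name, set())
    return [f"capability {cap}," for cap in sorted(wanted - granted)]

# Constructed sample data (assumed values, not taken from the bug report).
_FMT = ('kernel: audit: type=1400 audit(1603958766.1:{n}): apparmor="DENIED" '
        'operation="capable" profile="{p}" pid=1234 comm="{m}" '
        'capability={i}  capname="{c}"')
SAMPLE_LOG = [
    _FMT.format(n=201, p="/usr/bin/freshclam", m="freshclam", i=0, c="chown"),
    _FMT.format(n=202, p="/usr/bin/freshclam", m="freshclam", i=1, c="dac_override"),
    _FMT.format(n=203, p="/usr/sbin/clamd", m="clamd", i=0, c="chown"),
]
SAMPLE_PROFILE = """
/usr/bin/freshclam {
  capability setgid,
  capability setuid,
  # capability chown,   (commented out, so not granted)
  /var/log/clamav/* krw,
}
"""
```

On a real host the input would be the kernel log (for example `journalctl -k` output) and the profile file together with its `local/` override; reload the profile afterwards with `apparmor_parser -r`.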


