[Pkg-clamav-devel] Bug#989002: freshclam: apparmor denial: operation="capable" capability=2 capname="dac_read_search"

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Wed Jun 30 20:51:52 BST 2021


On 2021-05-23 08:32:23 [+0800], Paul Wise wrote:
> Whenever freshclam gets restarted, either manually or automatically
> during package upgrades, I get an apparmor denial in the logs. I
> haven't seen any adverse effects from this denial. Reading the
> capabilities(7) manual page where CAP_DAC_READ_SEARCH is mentioned,
> there doesn't seem to be any reason for freshclam to need this
> capability so I don't think the freshclam binary should be using this
> capability. I note that the clamav codebase doesn't mention this
> capability at all. I note that the apparmor profile mentions
> dac_override and a comment next to that mentions a Launchpad bug that
> explains this is for the AllowSupplementaryGroups option, which is
> disabled by default. I wonder if whatever allows that to work has
> switched from dac_override to dac_read_search, but I'm still not sure
> why freshclam should also be using that capability.

You still see it, I guess? Based on your log you run systemd, so that
should be the same thing I have here for testing. And I don't see it. But
you have it while freshclam is killed, not on start up.

There is this in my journal:
|Oct 31 23:30:41 debsidamd64 audit[450]: AVC apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=450 comm="freshclam" capability=1  capname="dac_override"

which is from the time before dac_override got added. The Debian bug was
#972974.
I know that AllowSupplementaryGroups is marked as deprecated but this is
the default now. That means initgroups() (the code that was hidden
behind AllowSupplementaryGroups) is always executed.

Sebastian
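As an added triage helper, not part of this thread or of the clamav package: the script below parses AppArmor `AVC apparmor="DENIED"` audit lines of the kind quoted above, cross-checks the numeric `capability=` against the capability names from `<linux/capability.h>` (so a log that says `capability=2` really is `dac_read_search`, and `capability=1` is `dac_override`), and tallies denials per profile and capability so one can see which rule a profile is missing. The sample lines are constructed: the first is the journal line quoted in the mail, the second is made up to match the `capability=2 capname="dac_read_search"` denial in the bug title, and the third is an unrelated line that must be skipped.

```python
import re
from collections import Counter

# Capability numbers as defined in <linux/capability.h> (subset).
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
}

# Constructed sample input: line 1 is the journal entry quoted in the mail,
# line 2 is made up to mirror the bug title, line 3 is noise to be ignored.
SAMPLE_LINES = [
    'Oct 31 23:30:41 debsidamd64 audit[450]: AVC apparmor="DENIED" '
    'operation="capable" profile="/usr/bin/freshclam" pid=450 '
    'comm="freshclam" capability=1  capname="dac_override"',
    'Jun 30 20:51:52 debsidamd64 audit[451]: AVC apparmor="DENIED" '
    'operation="capable" profile="/usr/bin/freshclam" pid=451 '
    'comm="freshclam" capability=2 capname="dac_read_search"',
    'Jun 30 20:51:53 debsidamd64 systemd[1]: Stopped ClamAV virus database updater.',
]

# key=value pairs; values may be bare tokens or double-quoted strings.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of key/value fields for an AppArmor AVC line, else None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, value in _KV.findall(line):
        fields[key] = value.strip('"')
    return fields


def check_capname(record):
    """True when the numeric capability agrees with the logged capname."""
    try:
        number = int(record["capability"])
    except (KeyError, ValueError):
        return False
    return CAP_NAMES.get(number) == record.get("capname")


def summarize(lines):
    """Count DENIED events per (profile, operation, capname) for triage."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        key = (rec.get("profile"), rec.get("operation"), rec.get("capname"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, cap), n in summarize(SAMPLE_LINES).items():
        # Each line here corresponds to one missing "capability <name>," rule
        # in the named AppArmor profile.
        print(f"{n:3d}  {profile}  {op}  capability {cap}")
```

Each summary row maps to one `capability <name>,` rule that the named profile lacks; the number-to-name check catches log lines that were hand-edited or mangled before being pasted into a bug report.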
