Ubuntu
apparmor package

Bug #292580
Comment #8

Comment 8 for bug 292580

Revision history for this message

raphi78 (trance202) wrote on 2008-11-02: Re: [Bug 292580] Re: clamav-freshclam update dns problem

Ah, exactly, here this I can see in syslog, before doing aa-complain...

Nov 2 18:55:59 xyz kernel: [30172.149684] type=1503
audit(1225648559.221:215): operation="inode_permission"
requested_mask="::r" denied_mask="::r" fsuid=112
name="/etc/resolvconf/run/resolv.conf" pid=9156
profile="/usr/bin/freshclam"

On 02.Nov 2008 17:45, Scott Kitterman wrote:
> One thing that's new in Intrepid for clamav is an AppArmor profile for
> increased security. It may be that freshclam needs access to some
> resource on your system that AppArmor is blocking. You can switch the
> profile to complain mode and see if that helps:
>
> sudo aa-complain usr.bin.feshclam
>
> If it works after doing that, then it's an profile issue. We'll need
> the relevant log entries to figure out exactly what is needed. They
> look something like:
>
> Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502
> audit(1224949953.717:3435): operation="socket_accept" family="inet"
> sock_type="stream" protocol=6 pid=12985 profile="/usr/bin/freshclam"
>
> --
> clamav-freshclam update dns problem
> https://bugs.launchpad.net/bugs/292580
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “clamav” source package in Ubuntu: New
>
> Bug description:
> Binary package hint: clamav-freshclam
>
> on Kubuntu 8.10 (newest from archive) it's not possible to update the clamav db with "sudo freshclam".
>
> it allways report, dns resolving don't work. But, with nslookup, dig and host it's possible to resolve the domain-names (like described in the FAQ of clamav.org). I don't have any idea to resolve this... maybe a permission-problem, but it's executed as root. Also the daemon has the same problem of clamav, not only the manual update.
>
> Any idea how to do more exactly debugging?
> thanks.
>
> exact output:
> ClamAV update process started at Sun Nov 2 13:02:14 2008
> WARNING: Can't query current.cvd.clamav.net
> WARNING: Invalid DNS reply. Falling back to HTTP mode.
> Reading CVD header (main.cvd): WARNING: Can't get information about database.clamav.net: Name or service not known
> WARNING: Can't read main.cvd header from database.clamav.net (IP: )
> Trying again in 5 secs...
>

Ah, exactly, here this I can see in syslog, before doing aa-complain...

Nov  2 18:55:59 xyz kernel: [30172.149684] type=1503
audit(1225648559.221:215): operation="inode_permission"
requested_mask="::r" denied_mask="::r" fsuid=112
name="/etc/resolvconf/run/resolv.conf" pid=9156
profile="/usr/bin/freshclam"

On  02.Nov 2008 17:45, Scott Kitterman wrote:
> One thing that's new in Intrepid for clamav is an AppArmor profile for
> increased security.  It may be that freshclam needs access to some
> resource on your system that AppArmor is blocking.  You can switch the
> profile to complain mode and see if that helps:
> 
> sudo aa-complain usr.bin.feshclam
> 
> If it works after doing that, then it's an profile issue.  We'll need
> the relevant log entries to figure out exactly what is needed.  They
> look something like:
> 
> Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502
> audit(1224949953.717:3435): operation="socket_accept" family="inet"
> sock_type="stream" protocol=6 pid=12985 profile="/usr/bin/freshclam"
> 
> -- 
> clamav-freshclam update dns problem
> https://bugs.launchpad.net/bugs/292580
> You received this bug notification because you are a direct subscriber
> of the bug.
> 
> Status in “clamav” source package in Ubuntu: New
> 
> Bug description:
> Binary package hint: clamav-freshclam
> 
> on Kubuntu 8.10 (newest from archive) it's not possible to update the clamav db with "sudo freshclam".
> 
> it allways report, dns resolving don't work. But, with nslookup, dig and host it's possible to resolve the domain-names (like described in the FAQ of clamav.org). I don't have any idea to resolve this... maybe a permission-problem, but it's executed as root. Also the daemon has the same problem of clamav, not only the manual update.
> 
> Any idea how to do more exactly debugging?
> thanks.
> 
> exact output:
> ClamAV update process started at Sun Nov  2 13:02:14 2008
> WARNING: Can't query current.cvd.clamav.net
> WARNING: Invalid DNS reply. Falling back to HTTP mode.
> Reading CVD header (main.cvd): WARNING: Can't get information about database.clamav.net: Name or service not known
> WARNING: Can't read main.cvd header from database.clamav.net (IP: )
> Trying again in 5 secs...
>

Ubuntuapparmor package

Comment 8 for bug 292580

Ubuntu
apparmor package