ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
clamav (Ubuntu) |
Fix Released
|
Undecided
|
Lena Voytek | ||
Bionic |
Fix Released
|
Undecided
|
Lena Voytek | ||
Focal |
Fix Released
|
Undecided
|
Lena Voytek | ||
Hirsute |
Fix Released
|
Undecided
|
Lena Voytek | ||
Impish |
Fix Released
|
Undecided
|
Lena Voytek | ||
Jammy |
Fix Released
|
Undecided
|
Lena Voytek |
Bug Description
[Impact]
When freshclam is enforced by apparmor in Bionic, and clamav packages are updated, the freshclam daemon will fail to restart.
Adding this fix will allow the freshclam daemon to restart automatically without error after an update.
This is fixed by backporting a fix made in Debian version 0.101.1+dfsg-1 that modifies the post-installation process to deploy the freshclam apparmor profile before restarting the daemon.
[Test Plan]
# lxc launch images:
# lxc exec test-failure bash
# apt update
# apt dist-upgrade
# apt install -y apparmor apparmor-utils wget software-
- Install clamav packages of version 1 before current in bionic
# wget https:/
# apt install -y ./*
- enforce apparmor profile for freshclam
# aa-enforce /usr/bin/freshclam
# apt update
# apt upgrade
- Check status of freshclam and notice that it was unable to restart
# systemctl status clamav-freshclam
● clamav-
Loaded: loaded (/lib/systemd/
Drop-In: /run/systemd/
Active: failed (Result: exit-code) since Mon 2021-11-15 20:48:40 UTC; 34s ago
Docs: man:freshclam(1)
https:/
Main PID: 8785 (code=exited, status=2)
Nov 15 20:48:40 test-failure systemd[1]: Started ClamAV virus database updater.
Nov 15 20:48:40 test-failure freshclam[8785]: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: initialize: libfreshclam init failed.
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Initialization error!
Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Can't open /var/log/
Nov 15 20:48:40 test-failure systemd[1]: clamav-
Nov 15 20:48:40 test-failure systemd[1]: clamav-
[Where problems could occur]
This change contains only part of the commit it is derived from, excluding other items like the 0.101.1 import and openssl apparmor profile modifications.
Since this portion has not yet been released on its own, new problems could arise from the exclusion of the unrelated changes.
Testers should watch for misbehaviors in the apparmor profile with this change. Error messages are often logged to the journal and can be seen by running "journalctl -fk"
[Original Description]
An unattended upgrade upgraded clamav last night, after which clamav-freshclam failed to start:
# systemctl status clamav-freshclam
● clamav-
Loaded: loaded (/lib/systemd/
Active: failed (Result: exit-code) since Tue 2021-04-20 06:59:59 EEST; 6h ago
Docs: man:freshclam(1)
https:/
Main PID: 18433 (code=exited, status=2)
Apr 20 06:59:59 fridge systemd[1]: Started ClamAV virus database updater.
Apr 20 06:59:59 fridge freshclam[18433]: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/
Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/
Apr 20 06:59:59 fridge freshclam[18433]: ERROR: initialize: libfreshclam init failed.
Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Initialization error!
Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Can't open /var/log/
Apr 20 06:59:59 fridge systemd[1]: clamav-
Apr 20 06:59:59 fridge systemd[1]: clamav-
The permissions of /var/log/
Restarting the clamav-freshclam service makes the error go away.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: clamav-freshclam 0.103.2+
ProcVersionSign
Uname: Linux 4.15.0-142-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.23
Architecture: amd64
Date: Tue Apr 20 13:39:47 2021
ProcEnviron:
LC_CTYPE=
TERM=xterm-
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: clamav
UpgradeStatus: Upgraded to bionic on 2019-09-11 (586 days ago)
Related branches
- Bryce Harrington (community): Approve
- Canonical Server packageset reviewers: Pending requested
- Canonical Server: Pending requested
-
Diff: 164 lines (+36/-60)5 files modifieddebian/changelog (+12/-0)
debian/clamav-daemon.postinst.in (+0/-25)
debian/clamav-freshclam.postinst.in (+18/-35)
debian/control (+1/-0)
debian/rules (+5/-0)
Changed in clamav (Ubuntu Bionic): | |
status: | New → Triaged |
tags: | added: server-next |
Changed in clamav (Ubuntu): | |
assignee: | nobody → Bryce Harrington (bryce) |
Changed in clamav (Ubuntu Bionic): | |
assignee: | nobody → Bryce Harrington (bryce) |
Changed in clamav (Ubuntu Focal): | |
status: | New → Triaged |
Changed in clamav (Ubuntu Hirsute): | |
status: | New → Triaged |
assignee: | nobody → Bryce Harrington (bryce) |
Changed in clamav (Ubuntu Focal): | |
assignee: | nobody → Bryce Harrington (bryce) |
Changed in clamav (Ubuntu): | |
assignee: | Bryce Harrington (bryce) → Lena Voytek (lvoytek) |
Changed in clamav (Ubuntu Focal): | |
assignee: | Bryce Harrington (bryce) → Lena Voytek (lvoytek) |
Changed in clamav (Ubuntu Bionic): | |
assignee: | Bryce Harrington (bryce) → Lena Voytek (lvoytek) |
Changed in clamav (Ubuntu Hirsute): | |
assignee: | Bryce Harrington (bryce) → Lena Voytek (lvoytek) |
Changed in clamav (Ubuntu Impish): | |
assignee: | Bryce Harrington (bryce) → Lena Voytek (lvoytek) |
Changed in clamav (Ubuntu Bionic): | |
status: | Triaged → In Progress |
Changed in clamav (Ubuntu Jammy): | |
status: | Triaged → In Progress |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
Thank you for taking the time to file a bug report.
So, I've spent some time trying to reproduce it here, but was unsuccessful. Here's what I tried:
- Create a Bionic LXD container.
- Grab the .deb files for the last-but-one clamav version that was available in Bionic. They can be found here (for amd64): https:/ /launchpad. net/~ubuntu- security- proposed/ +archive/ ubuntu/ ppa/+build/ 19629559
- Install the files grabbed above. Verify that the "clamav- freshclam. service" is running.
- apt update && apt ugprade. This will upgrade all clamav packages.
- Verify that the "clamav- freshclam. service" is still running.
Given the unsuccessful attempt to reproduce the problem, I tried searching on the internet for similar reports. I've found some people saying that this scenario might happen when there is a freshclam process blocked, which would prevent the new freshclam process (being started by systemd) from manipulating the log file. I don't know if that's your case, though, because I don't see any explicit error messages saying that there is another blocked freshclam process.
I have found https:/ /bugs.debian. org/cgi- bin/bugreport. cgi?bug= 972974, which, albeit similar, ended up being an apparmor problem that is not present in Ubuntu. I have also double checked your configuration files, and they both seem normal.
I'm wondering if this is a problem that happened due to very specific conditions: freshclam must have been busy trying to update the database, and coincidentally unattended-upgrades ran at that very moment and tried to restart the service, leading to the error.
Woud you be able to provide a bit more information so that we can try to reproduce the problem determine what's causing it? For example, would you be able to downgrade your freshclam/clamav packages and then update them again? Also, is there anything interesting in journalctl that is worth mentioning here? Some explicit message about the file being locked by another freshclam process, for example?
Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".
For local configuration issues, you can find assistance here: www.ubuntu. com/support/ community
http://