Comment 8 for bug 288942

Stephan,

I reinstalled as per instructions (also removing the previous fix of
using apparmor complain) and it does function correctly.

thank you

Greg

ps I was only loading clamd directly looking for errors

Stefan Lesicnik wrote:
> Hi,
>
> I believe the fix for this is the addition of
>
> #include <abstractions/nameservice>
>
> in /etc/apparmor.d/usr.sbin.clamd.
>
> To test this:
>
> - start from a clean base
> apt-get purge clamav clamav-base clamav-daemon
> rm -rf /var/lib/clamav
>
> - install clamav
> apt-get install clamav-daemon
>
> check clamd is running (ps -afx or the like)
> process should be: /usr/sbin/clamd
>
> Modify clamd to use TCP 3310 and bind to localhost
> Add
>
> TCPAddr localhost
> TCPSocket 3310
>
> to /etc/clamav/clamd.conf
>
> - Restart clamd
> /etc/init.d/clamav-daemon restart
>
> This should segfault now due to the apparmor profile denying access to
> tcp network related files (hosts, nsswitch resolve.conf etc)
>
> To resolve this
>
> Add
>
> #include <abstractions/nameservice>
>
> to /etc/apparmor.d/usr.sbin.clamd
>
> - Reload apparmor
> /etc/init.d/apparmor reload
>
> - Restart clamd
> /etc/init.d/clamav-daemon restart
>
> - This should now start correctly.
>
> clamdrib should also work correctly.
>
>
> <aside>
> Please correct me if I am wrong, but decided 'capability setuid' in this case is not required as clamdscan has the ability to call a file to scan with the - option. ie. clamdscan - <filename. which should run it in as the current user, which i suspect clamdrib is doing therefore shouldnt be necessary to setuid.
> </aside>
>
> Greg - please note that calling clamd or sudo clamd as per your original
> post is the incorrect way to start the daemon, as it should be started
> as root via the init script (/etc/init.d/clamav-daemon) which will
> result in the application dropping privileges to the clamav user. You
> should be doing clamd --config-file=/etc/clamav/clamd.conf
>
>

--
===================================
Greg Eden
<email address hidden>