Comment 4 for bug 585026

Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue.

The default apparmor profile for the freshclam binary doesn't contain rules for scripts added to the /etc/clamav/onupdateexecute.d directory as we can't predict what those scripts will be doing.

You can fix this in one of three ways:

1- Modify the /etc/apparmor.d/usr.bin.freshclam profile to add "/bin/dash ixr," and other rules necessary for your script to run properly. (recommended)

2- Modify the /etc/apparmor.d/usr.bin.freshclam profile to add "/bin/dash Uxr,", which will let scripts run unconfined. This is a security compromise.

3- Disable the freshclam profile by doing "sudo touch /etc/apparmor.d/disable/usr.bin.freshclam". This disables apparmor security for the freshclam tool. This is not recommended.
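
An added example, not part of the original comment: a shell check that reports which of the three options a host ended up with, so that an unconfined shell rule (option 2) or a disabled profile (option 3) does not stay in place unnoticed. The function name, its result strings and the demo profile fragment are constructed for illustration; the default paths and the /bin/dash rules are the ones quoted in the comment.

```sh
#!/bin/sh
# Added example: classify how the freshclam AppArmor profile was adjusted.
# The function name and result strings are hypothetical; the default paths
# and the /bin/dash rules are the ones quoted in the comment above.

audit_freshclam_profile() {
    profile="${1:-/etc/apparmor.d/usr.bin.freshclam}"
    disable_dir="${2:-/etc/apparmor.d/disable}"
    interp="${3:-/bin/dash}"
    marker="$disable_dir/$(basename "$profile")"

    # Option 3: a file (or symlink) named after the profile in disable/.
    if [ -e "$marker" ] || [ -L "$marker" ]; then
        echo "disabled"
        return 0
    fi
    if [ ! -r "$profile" ]; then
        echo "missing"
        return 0
    fi

    # Options 1 and 2: read the execute mode on the interpreter rule.
    # Any mode containing Ux/ux (including fallbacks such as PUx) is
    # reported as unconfined, which errs on the side of flagging.
    awk -v interp="$interp" '
        { sub(/#.*/, "") }                  # ignore comments
        $1 == interp {
            perms = $2
            sub(/,$/, "", perms)
            if (perms ~ /[Uu]x/)   unconfined = 1
            else if (perms ~ /ix/) inherit = 1
        }
        END {
            if (unconfined)   print "unconfined-exec"
            else if (inherit) print "inherit-exec"
            else              print "no-shell-rule"
        }
    ' "$profile"
}

# Demo on a constructed profile fragment (not the shipped Ubuntu profile).
demo_dir=$(mktemp -d)
printf '%s\n' '/usr/bin/freshclam {' '  /bin/dash Uxr,  # option 2' '}' \
    > "$demo_dir/usr.bin.freshclam"
audit_freshclam_profile "$demo_dir/usr.bin.freshclam" "$demo_dir/disable"
rm -rf "$demo_dir"
```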