freshclam apparmor error : type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/proc/28071/status" on hardy-backports

Bug #655058 reported by Martin West on 2010-10-05
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Hardy Backports
High
Scott Kitterman
Jaunty Jackalope Backports
High
Scott Kitterman
clamav (Ubuntu)
High
Scott Kitterman

Bug Description

Binary package hint: clamav

Note: This problem is on Ubuntu 8.10 LTS server. When I run ubuntu-bug on that server from a ssh terminal I get

≪ ↑ ↓ Viewing[SSL] <5bdace70-d060-11df-aa59-0019bbc89224> No Line

I have to kill it from another window and this resulting terminal output

ubuntu-bug -p clamav-freshclam

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
....

*** Uploading problem information

The collected information is being sent to the bug tracking system.
This might take a few minutes.
37%

Ever time I have run it the last line is 37%

=============================== actual problem ===============================

The actual problem is that since the last install of clamav I get the following messages in the log

Oct 5 07:12:42 lenovo2 kernel: [147662.852990] audit(1286259162.842:24): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/proc/28071/status" pid=28071 profile="/usr/bin/freshclam" namespace="default"

for instance this morning they appeared at 1:12 1:15 7:12 8:15

================================= apt log ====================================
Log started: 2010-10-03 19:12:27
(Reading database ... 54118 files and directories currently installed.)^M
Preparing to replace libclamav6 0.96.1+dfsg-3ubuntu5~hardy1 (using .../libclamav6_0.96.3+dfsg-2ubun
tu0.10.04.1~hardy1_i386.deb) ...^M
Unpacking replacement libclamav6 ...^M
Preparing to replace clamav-freshclam 0.96.1+dfsg-3ubuntu5~hardy1 (using .../clamav-freshclam_0.96.
3+dfsg-2ubuntu0.10.04.1~hardy1_i386.deb) ...^M
 * Stopping ClamAV virus database updater freshclam^M
   ...done.^M
Unpacking replacement clamav-freshclam ...^M
Preparing to replace clamav-daemon 0.96.1+dfsg-3ubuntu5~hardy1 (using .../clamav-daemon_0.96.3+dfsg
-2ubuntu0.10.04.1~hardy1_i386.deb) ...^M
 * Stopping ClamAV daemon clamd^M
   ...done.^M
Unpacking replacement clamav-daemon ...^M
Preparing to replace clamav-base 0.96.1+dfsg-3ubuntu5~hardy1 (using .../clamav-base_0.96.3+dfsg-2ub
untu0.10.04.1~hardy1_all.deb) ...^M
Unpacking replacement clamav-base ...^M
Setting up libclamav6 (0.96.3+dfsg-2ubuntu0.10.04.1~hardy1) ...^M
^M
Setting up clamav-base (0.96.3+dfsg-2ubuntu0.10.04.1~hardy1) ...^M
Replacing config file /etc/clamav/clamd.conf with new version^M
^M
Setting up clamav-freshclam (0.96.3+dfsg-2ubuntu0.10.04.1~hardy1) ...^M
Installing new version of config file /etc/apparmor.d/usr.bin.freshclam ...^M
Installing new version of config file /etc/init.d/clamav-freshclam ...^M
apparmor_parser: invalid option -- W^M
Novell/SUSE AppArmor parser version 2.1^M
Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006 Novell Inc.^M
^M
Usage: apparmor_parser [options] [profile]^M
...
Setting up clamav-daemon (0.96.3+dfsg-2ubuntu0.10.04.1~hardy1) ...^M
Installing new version of config file /etc/apparmor.d/usr.sbin.clamd ...^M
Installing new version of config file /etc/init.d/clamav-daemon ...^M
apparmor_parser: invalid option -- W^M
Novell/SUSE AppArmor parser version 2.1^M
....
Processing triggers for libc6 ...^M
ldconfig deferred processing now taking place^M
Log ended: 2010-10-03 19:12:49

lsb_release -rd
Description: Ubuntu 8.04.4 LTS
Release: 8.04

and it is at the latest maintenance level

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: clamav-freshclam (not installed)
ProcVersionSignature: Ubuntu 2.6.32-24.43-generic 2.6.32.15+drm33.5
Uname: Linux 2.6.32-24-generic i686
Architecture: i386
Date: Tue Oct 5 10:00:26 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: clamav

Scott Kitterman (kitterman) wrote :

@jdstrand: would you please have a look at this? This is from hardy-backports.

Jamie Strandboge (jdstrand) wrote :

Can you please attach /etc/apparmor.d/usr.bin.freshclam?

Changed in clamav (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Incomplete

cut and paste of the above file

# vim:syntax=apparmor
# Author: Jamie Strandboge <email address hidden>
# Last Modified: Sun Aug 3 09:39:03 2008

#include <tunables/global>

/usr/bin/freshclam {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability setgid,
  capability setuid,

  @{PROC}/filesystems r,
  owner @{PROC}/[0-9]*/status r,

  /etc/clamav/clamd.conf r,
  /etc/clamav/freshclam.conf r,
  /etc/clamav/onerrorexecute.d/* mr,
  /etc/clamav/onupdateexecute.d/* mr,
  /etc/clamav/virusevent.d/* mr,

  owner @{HOME}/.clamtk/db/ rw,
  owner @{HOME}/.clamtk/db/** rwk,

  owner @{HOME}/.klamav/database/ rw,
  owner @{HOME}/.klamav/database/** rwk,

  /usr/bin/freshclam mr,

  /var/lib/clamav/ r,
  /var/lib/clamav/** krw,

  /var/log/clamav/* kw,
  /var/run/clamav/freshclam.pid w,
  /var/run/clamav/clamd.ctl w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.freshclam>
}

Jamie Strandboge (jdstrand) wrote :

"owner @{PROC}/[0-9]*/status r," is present so this suggests the profile did not get reloaded on upgrade. What is the output of the following:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.freshclam

Did you see the error in the apt log for the clamav update on the -W flag, similar with the above command ...

apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.freshclam
apparmor_parser: invalid option -- T
Novell/SUSE AppArmor parser version 2.1
Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006 Novell Inc.

Usage: apparmor_parser [options] [profile]

Options:
--------
-a, --add Add apparmor definitions [default]
-d, --debug Debug apparmor definitions
-h, --help Display this text and exit
-r, --replace Replace apparmor definitions
-R, --remove Remove apparmor definitions
-v, --version Display version info and exit
-p, --preprocess Preprocess only
-C, --Complain Force the profile into complain mode
-I n, --Include n Add n to the search path
-b n, --base n Set base dir and cwd
-f n, --subdomainfs n Set location of apparmor filesystem
-S, --stdout Write output to stdout
-m n, --match-string n Use only match features n
-n n, --namespace n Set Namespace for the profile
-q, --quiet Don't emit warnings

This worked ( minus -T -W )

apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam
Replacement succeeded for "/usr/bin/freshclam".

dpkg -l apparmor
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=================-=================-==================================================
ii apparmor 2.1+1075-0ubuntu9 User-space parser utility for AppArmor

Jamie Strandboge (jdstrand) wrote :

I'm sorry, I forgot that Hardy does not support the -T and -W flags. After performing this:

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam

do you still see the errors in kern.log? Note you may have to do:
$ sudo sysctl -w kernel.printk_ratelimit=0

to turn off kernel rate limiting.

I caught the lack of -T on Hardy and dropped it. I didn't catch the lack of -W. Is that in the current package?

Havent seen any errors since the apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam

-W is not in the help displayed above.

Thanks

Hmm, one more this morning but its on the clamd executable

Oct 6 08:10:51 lenovo2 kernel: [160702.723615] audit(1286349051.332:38): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/proc/28617/status" pid=28617 profile="/usr/sbin/clamd" namespace="default"

but its probably the same problem, just havent done the apparmor_parser -r on clamd config.

just done
apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
Replacement succeeded for "/usr/sbin/clamd".

Thanks for the super fast response btw.

Jamie Strandboge (jdstrand) wrote :

The maverick package has:
./clamav-daemon.postinst.in: apparmor_parser -r -T -W "$APP_PROFILE" || true
./clamav-freshclam.postinst.in: apparmor_parser -r -T -W "$APP_PROFILE" || true

Both -T and -W will need to be stripped for hardy and jaunty when doing the backport. Karmic and later support -W and -T.

Changed in clamav (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: Incomplete → Triaged
summary: - freshclam apparmour error : type=1502 operation="inode_permission"
- requested_mask="r::" denied_mask="r::" name="/proc/28071/status"
+ freshclam apparmor error : type=1502 operation="inode_permission"
+ requested_mask="r::" denied_mask="r::" name="/proc/28071/status" on
+ hardy-backports
tags: removed: lucid

@jdstrand: I'm mostly offline the next few days, so please take this as whatever blessing you need from ubuntu-backporters to upload a fix for this to hardy and jaunty backports.

Changed in clamav (Ubuntu):
assignee: nobody → Scott Kitterman (kitterman)
status: Triaged → In Progress
Changed in hardy-backports:
status: New → In Progress
assignee: nobody → Scott Kitterman (kitterman)
Changed in jaunty-backports:
status: New → In Progress
assignee: nobody → Scott Kitterman (kitterman)
Changed in hardy-backports:
importance: Undecided → High
Changed in jaunty-backports:
importance: Undecided → High
Changed in clamav (Ubuntu):
importance: Undecided → High
Scott Kitterman (kitterman) wrote :

clamav (0.96.3+dfsg-2ubuntu0.10.04.1~jaunty2) jaunty-backports; urgency=low

  * Drop -T -W from apparmor_parser calls in clamav-daemon and freshclam
    postinsts since it is not supported in Jaunty's apparmor (LP: #655058)
 -- Scott Kitterman <email address hidden> Fri, 08 Oct 2010 09:47:56 -0400

Changed in hardy-backports:
status: In Progress → Fix Released
Scott Kitterman (kitterman) wrote :

clamav (0.96.3+dfsg-2ubuntu0.10.04.1~hardy2) hardy-backports; urgency=low

  * Also drop -W from apparmor_parser calls in clamav-daemon and freshclam
    postinsts since it is not supported in Hardy's apparmor (LP: #655058)
 -- Scott Kitterman <email address hidden> Fri, 08 Oct 2010 09:42:24 -0400

Changed in jaunty-backports:
status: In Progress → Fix Released
Changed in clamav (Ubuntu):
status: In Progress → Invalid
Scott Kitterman (kitterman) wrote :

Packages are building for both hardy and jaunty backports to resolve this issue and should be available within the next few hours.

Package just came in and installed OK, Thanks

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers