apparmor deny freshclam mask="r" on /var/run/samba/unexpected.tdb

Bug #752833 reported by Léa GRIS on 2011-04-06
This bug affects 1 person
Affects: clamav (Ubuntu)
Assigned to: Scott Kitterman

Bug Description

Binary package hint: clamav-freshclam

Package version : 0.96.5+dfsg-1ubuntu1.10.10.2 (maverick-updates)

kern.log fills with:

Apr 5 17:55:08 lea-desktop kernel: [856121.953216] type=1400 audit(1302018908.231:3436): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/var/run/samba/unexpected.tdb" pid=2407 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0

apparmor profile too restrictive for clamav-freshclam
Hint: /etc/apparmor.d/usr.bin.freshclam

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: clamav-freshclam 0.96.5+dfsg-1ubuntu1.10.10.2
ProcVersionSignature: Ubuntu 2.6.35-28.49-generic
Uname: Linux 2.6.35-28-generic x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
Date: Wed Apr 6 21:13:51 2011
 PATH=(custom, no user)
SourcePackage: clamav


Léa GRIS (lea-gris) wrote :
tags: added: apparmor
Dave Walker (davewalker) on 2011-04-19
Changed in clamav (Ubuntu):
status: New → Confirmed
Changed in clamav (Ubuntu Maverick):
status: New → Confirmed
Imre Gergely (cemc) wrote :

lea-gris: can you post some specifics about that system, what's it used for or what samba-related stuff do you have set up, did you make any changes to freshclam's config, etc.?

I'm curious as to why freshclam tries to access that file.

Léa GRIS (lea-gris) wrote :

This was with default configuration. Since I re-installed with 11.04 and did not bring back ClamAV, it no longer logs this error.

Imre Gergely (cemc) wrote :

Talked it over with jdstrand, and the conclusion is that we will add another deny rule (or better yet, extend the existing one), to stop the log spamming. I've attached the rule suggested by jdstrand.
We can't really reproduce this bug, but the rule can be added safely as it doesn't change the default behavior: the access still gets denied, but is not logged anymore.
With this rule added, freshclam works the same.
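
Added example, not part of the bug report and not the rule attached to it: a small triage script that groups AppArmor DENIED records like the one quoted in the description and renders an explicit deny rule for a path the profile should keep refusing, which is the kind of rule the comment above describes (still denied, no longer logged). The second and third sample log lines, the helper names and the generated rule text are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the bug report; line 2 is a constructed repeat
# (different timestamp and audit id); line 3 is constructed unrelated kernel noise.
SAMPLE_LOG = """\
Apr 5 17:55:08 lea-desktop kernel: [856121.953216] type=1400 audit(1302018908.231:3436): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/var/run/samba/unexpected.tdb" pid=2407 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0
Apr 5 18:55:09 lea-desktop kernel: [859722.101010] type=1400 audit(1302022509.100:3501): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/freshclam" name="/var/run/samba/unexpected.tdb" pid=2407 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=124 ouid=0
Apr 5 18:55:10 lea-desktop kernel: [859723.000000] usb 1-1: new high speed USB device
"""

# key=value pairs whose value is either "quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The kernel reports create/delete as c/d; profile rules express both as w.
AUDIT_TO_RULE = {"c": "w", "d": "w"}

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields

def summarize(log_text):
    """Count denials and collect the denied permissions per (profile, path)."""
    summary = defaultdict(lambda: {"count": 0, "mask": set()})
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        entry = summary[(rec.get("profile", "?"), rec["name"])]
        entry["count"] += 1
        entry["mask"].update(rec.get("denied_mask", ""))
    return dict(summary)

def quiet_deny_rule(path, mask):
    """Render an explicit deny rule for a path the profile should keep refusing."""
    perms = "".join(sorted({AUDIT_TO_RULE.get(p, p) for p in mask}))
    return "deny %s %s," % (path, perms)

if __name__ == "__main__":
    for (profile, path), info in summarize(SAMPLE_LOG).items():
        print("%s: %d denials" % (profile, info["count"]))
        print("  " + quiet_deny_rule(path, info["mask"]))
```

The script only formats a candidate rule; whether the access should stay denied or be allowed is a review decision for each path.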

Léa GRIS (lea-gris) wrote :

Thank you so much for the patch. The new silent rule makes sense.
Your follow-up on that not-reproduced and minor bug is greatly appreciated.

Changed in clamav (Ubuntu):
assignee: nobody → Scott Kitterman (kitterman)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.2+dfsg-1ubuntu2

clamav (0.97.2+dfsg-1ubuntu2) oneiric; urgency=low

  [ Imre Gergely ]
  * Fix clamd apparmor profile to work with mimedefang (LP: #829089)
  * Stop samba related log spamming from freshclam apparmor profile
    (LP: #752833)
 -- Scott Kitterman <email address hidden> Thu, 25 Aug 2011 08:43:22 -0400

Changed in clamav (Ubuntu):
status: In Progress → Fix Released
Adolfo Jayme (fitojb) on 2013-07-06
Changed in clamav (Ubuntu Maverick):
status: Confirmed → Won't Fix