freshclam blocked by apparmor

Bug #312695 reported by Dave M
Affects            Status        Importance  Assigned to      Milestone
clamav (Ubuntu)    Fix Released  Medium      Scott Kitterman
Intrepid           Invalid       Undecided   Unassigned

Bug Description

Binary package hint: clamav

The freshclam command cannot be run by anyone other than root while apparmor is enabled. So long as freshclam is given writable directories, it should be able to be run by anyone, like so:

freshclam --log=/home/user --datadir=/home/user

Shutting down apparmor (sudo /etc/init.d/apparmor stop) enables this to work as it should.

Distro: Ubuntu 8.10
Executable path: /usr/bin/freshclam
SourcePackage: clamav

Changed in clamav:
assignee: nobody → kitterman
importance: Undecided → Medium
milestone: none → ubuntu-9.04-beta
status: New → In Progress
Scott Kitterman (kitterman) wrote :

I'm fixing this in Jaunty (what will become 9.04). I will not do a special upload to 8.10 (Intrepid) for this, but fold it into the next update we do for security patches.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu3

---------------
clamav (0.94.dfsg.2-1ubuntu3) jaunty; urgency=low

  * Update apparmor profile in debian/usr.bin/freshclam to allow freshclam to
    update virus signatures in user home directories (LP: #312695)

 -- Scott Kitterman <email address hidden> Wed, 07 Jan 2009 08:03:57 -0500

Changed in clamav:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Accepted into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in clamav (Ubuntu Intrepid):
status: New → Fix Committed
tags: added: verification-needed
Dave M (dave-nerd) wrote :

Not working for me on Jaunty or Intrepid using ClamTk 4.11.

Intrepid is already running ClamAV 0.95.1 - I haven't been able to test it with the exact version mentioned here because of updates. Here are the apparmor error messages:

Apr 18 10:17:25 ubuntu kernel: [ 8898.947706] type=1503 audit(1240067845.137:15): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/user/.clamtk/db/main.cvd" pid=7255 profile="/usr/bin/freshclam"

Apr 18 10:17:25 ubuntu kernel: [ 8899.117702] type=1503 audit(1240067845.306:16): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/user/.clamtk/db/clamav-6b1c24ca4cc115bc26e31fb14c06f1e1" pid=7255 profile="/usr/bin/freshclam"

If there is a way to test with the version Scott uploaded, please let me know how.
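
Added example, not part of the original bug report or of the ClamAV packaging: a short Python script that parses the two AppArmor denial records quoted in the comment above and groups the denied permissions by profile, fsuid and directory, which is the information needed when reviewing a profile change. Treating the colons in denied_mask as separators is an assumption, and the function names are illustrative.

```python
import re
from collections import defaultdict
from posixpath import dirname

# The two kernel log lines quoted in the comment above, copied verbatim.
SAMPLE_LOG = '''\
Apr 18 10:17:25 ubuntu kernel: [ 8898.947706] type=1503 audit(1240067845.137:15): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/user/.clamtk/db/main.cvd" pid=7255 profile="/usr/bin/freshclam"
Apr 18 10:17:25 ubuntu kernel: [ 8899.117702] type=1503 audit(1240067845.306:16): operation="inode_create" requested_mask="a::" denied_mask="a::" fsuid=1000 name="/home/user/.clamtk/db/clamav-6b1c24ca4cc115bc26e31fb14c06f1e1" pid=7255 profile="/usr/bin/freshclam"
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of one type=1503 record, or None."""
    if "type=1503" not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize(log_text):
    """Map (profile, fsuid, directory) to the sorted set of denied letters."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or not {"denied_mask", "name", "profile"} <= rec.keys():
            continue
        # Assumption: the letters in the mask are permission characters and
        # the colons are only separators, so just the letters are kept.
        perms = set(rec["denied_mask"].replace(":", ""))
        key = (rec["profile"], rec.get("fsuid", "?"), dirname(rec["name"]))
        denied[key] |= perms
    return {key: "".join(sorted(perms)) for key, perms in denied.items()}


if __name__ == "__main__":
    for (profile, fsuid, directory), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"profile={profile} fsuid={fsuid} dir={directory} denied={perms}")
```

For the two quoted records this reports a single group: the /usr/bin/freshclam profile denying "a" and "r" to fsuid 1000 under /home/user/.clamtk/db.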

Scott Kitterman (kitterman) wrote :

I just pushed a copy of the final upload that's pending for Jaunty to the Ubuntu Clamav PPA. See:

https://launchpad.net/~ubuntu-clamav/+archive/ppa

It may be some time before it's built and published, but please try that package and see if it works for you.

Dave M (dave-nerd) wrote :

I just tested that on Jaunty - works great! Thanks.

Scott Kitterman (kitterman) wrote :

There is a slight difference between the PPA package and what got accepted into Jaunty, so please install the final version from the repos and make sure ...

Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.

Changed in clamav (Ubuntu Intrepid):
status: Fix Committed → Invalid