On 3/29/21 1:08 PM, jean-christophe manciot wrote:
> Hi Micah,
> Thanks for your very detailed answer.
> I'm not an apparmor expert either, but I doubt it is related to apparmor:
> - the clamd & freshclam profiles authorize the access to:
> + /etc/clamav/clamd.conf r,
> + /etc/clamav/freshclam.conf r,
> + /var/lib/clamav/ r,
> + /var/lib/clamav/** krw,
> - there is no specific dedicated access right for symlinks in
> http://manpages.ubuntu.com/manpages/hirsute/man5/apparmor.d.5.html nor
> in the capabilities
> http://manpages.ubuntu.com/manpages/hirsute/man7/capabilities.7.html,
> so it seems fair to assume that 'r - Read mode' and 'w - Write mode'
> allow symlink accesses.
Micah is right and the above assumption is wrong. This is how apparmor works.
If you need those symlinks and don't want to modify the apparmor config for
clamav, you can add aliases to /etc/apparmor.d/tunables/alias.
Regards,
Jacek
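
Added example, not part of the message above or of ClamAV's packaging: a small shell check that resolves the paths named in the quoted profile rules and prints the alias line to put in /etc/apparmor.d/tunables/alias when one of them is a symlink or sits below a symlinked directory. It assumes a `readlink` that supports `-f`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): print AppArmor alias rules for
# profile paths that are symlinks or sit below a symlinked directory.
# AppArmor matches rules against the resolved path, so "r"/"w" on the
# link name does not cover the link target.

# suggest_alias PATH
# Prints "alias PATH -> TARGET," when PATH resolves somewhere else;
# prints nothing for missing paths or paths that are already real.
suggest_alias() {
    path="${1%/}"                      # profile rules end in "/" for dirs
    [ -e "$path" ] || return 0         # nothing to resolve
    real="$(readlink -f -- "$path")"   # follow every symlink component
    if [ "$real" = "$path" ]; then
        return 0
    fi
    if [ -d "$real" ]; then
        # Directory aliases carry a trailing slash on both sides.
        printf 'alias %s/ -> %s/,\n' "$path" "$real"
    else
        printf 'alias %s -> %s,\n' "$path" "$real"
    fi
}

# Paths covered by the profile rules quoted in the message above.
check_clamav_paths() {
    for p in /etc/clamav/clamd.conf /etc/clamav/freshclam.conf /var/lib/clamav/; do
        suggest_alias "$p"
    done
}

check_clamav_paths
```

Any line it prints goes into /etc/apparmor.d/tunables/alias, after which the clamd and freshclam profiles need to be reloaded.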
_______________________________________________
clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel