Hi Mark. Thanks for the reply.

I think your guess is correct. Assuming my OnAccess errors directly correlate to the auditd info below[1][2], this appears to be a bug in the AppArmor profiles included with the Ubuntu packages "clamav-daemon" and "clamav-freshclam":

jblaine@ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.sbin.clamd
clamav-daemon: /etc/apparmor.d/usr.sbin.clamd
jblaine@ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.bin.freshclam
clamav-freshclam: /etc/apparmor.d/usr.bin.freshclam
jblaine@ub18test:~$

I guess I'll head over to the Ubuntu launchpad.net page for ClamAV and file a bug report.

Thanks again,

Jeff

Footnotes:

1. clamd issues found in auditd log:

node=ub18test type=AVC msg=audit(1567542270.923:11512): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54842 comm="clamd" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567542271.039:11517): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=54858 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567542315.684:11521): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54858 comm="clamd" capability=21 capname="sys_admin"

2. freshclam issues found in auditd log:

node=ub18test type=AVC msg=audit(1567543073.345:97): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=736 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=736 comm="freshclam" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=736 comm="freshclam" capability=1 capname="dac_override"

Jeff

On 9/4/2019 9:14 AM, Mark Fortescue wrote:
> Hi Jeff,
>
> Looks like Apparmor may be stepping in and preventing access. Have you
> checked that Apparmor has been changed to give clamd the required
> permissions?
>
> Regards
> Mark.
>
> On 03/09/2019 22:01, Jeff Blaine via clamav-users wrote:
>> Hello all,
>>
>> I'm experiencing something odd on Ubuntu 18.04. As far as I can tell I
>> have done everything I am supposed to in order to get OnAccess scanning
>> working. I've already gotten our RHEL 7 hosts working fine. If anyone
>> knows what is going wrong here, I would love to hear it. Thank you.
>>
>> 1. The kernel checks out fine for fanotify:
>>
>> jblaine@ub18test:/etc/clamav$ uname -a
>> Linux ub18test 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
>> jblaine@ub18test:/etc/clamav$ cat /boot/config-4.15.0-58-generic | grep FANOTIFY
>> CONFIG_FANOTIFY=y
>> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
>> jblaine@ub18test:/etc/clamav$
>>
>> 2. clamd *is* running as root:
>>
>> root 55172 1 81 16:33 ? 00:00:44 /usr/sbin/clamd --foreground=true
>>
>> 3. clamd complains that it needs to run as root:
>>
>> Sep 3 16:33:50 ub18test clamd[55172]: ScanOnAccess: fanotify_init failed: Operation not permitted
>> Sep 3 16:33:50 ub18test clamd[55172]: ScanOnAccess: clamd must be started by root
>>
>> --Jeff
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> [email protected]
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
