On 2018-12-29 20:28:23 [+0000], Witold Baryluk wrote:
> It looks it is by default on Debian, because libgtk or something depends
> on apparmor and then it is automatically enabled. Or some package
> suggests it and my apt by default probably installs suggests or something.

That, and the fact that apparmor is enabled by default in the kernel.
Earlier, the default was what you can achieve now if you add apparmor=0 to
the kernel command line (disable kernel support for apparmor).

> I did:
>
> 1) aa-disable /usr/bin/freshclam
…
> And it works, it updates a database, and removes the temporary directory.

Perfect. So it works in general but the apparmor profile lacks some
permissions.

> Re-enabling it (aa-enforce), and restarting, brings the old behaviour, even if
> all databases are up to date, it creates an empty temporary directory
> that is not removed when it finishes the update process.

Okay. Thanks for the analysis.

> openat(AT_FDCWD,
> "/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp",
> O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied)
> stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=93037,
> ...}) = 0
>
>
> No idea why it does a 'stat' of the log all the time (maybe log rotation
> functionality), because it is in append mode, so it shouldn't be doing
> this maybe. It might be part of some higher API. I dunno.
>
> Anyhow, you can see
>
> openat(AT_FDCWD,
> "/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp",
> O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY)
>
> fails with a permission denied message.
>
> However, it doesn't even attempt to remove the directory in the case of
> an error. That is a bug in freshclam, not the apparmor profile. (The
> removal might still fail due to apparmor or other issues, like a broken
> file system, nfs mount, etc, but it does change the fact that clamav
> should attempt to clean files and the directory even on failure, and if it fails
> to remove, emit a log message).

Hmm. I'm not sure if that is the problem. It might be, however. If it is
the cleaning-up part then it should be followed by unlinkat(2) if the
openat(2) would not fail.

"dmesg" should give you the output you are looking for. Like "apparmor:
denied $this because of $reason". Looking at the profile it should allow
creating and removing files/directories below /var/lib/clamav/. But then
it only allows reading in /var/lib/clamav and there are cvd written, so I
am missing something.

Anyway, I currently have no access to the box due to vacation time. I
will take a look next week. I would suggest you remove the freshclam
apparmor profile if you want to use apparmor, but it seems you do not
rely on it.

> Regards,
> Witold

Sebastian
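Added example, not code from the bug report or from the clamav package: a small Python script that parses the `apparmor="DENIED"` records that dmesg prints, merges the denied masks per path for the freshclam profile, and checks whether a candidate profile rule such as `/var/lib/clamav/** rw,` would have covered them. The dmesg lines are constructed for the example (only the .tmp directory name is the one from the strace output above); the 'c' (create) and 'd' (delete) masks are assumed to require `w` in a rule, and the glob handling covers only `*` and `**`.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor denial records as `dmesg` prints them. The
# record layout is the kernel's audit format; pids, timestamps and the clamd
# line are made up, the .tmp directory name is the one from the strace output.
SAMPLE_DMESG = """\
[ 1234.5] audit: type=1400 audit(1546112345.678:91): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp/" pid=4242 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
[ 1234.6] audit: type=1400 audit(1546112345.679:92): apparmor="DENIED" operation="rmdir" profile="/usr/bin/freshclam" name="/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp/" pid=4242 comm="freshclam" requested_mask="d" denied_mask="d" fsuid=112 ouid=112
[ 1234.7] audit: type=1400 audit(1546112345.680:93): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/freshclam" pid=4300 comm="apparmor_parser"
[ 1234.8] audit: type=1400 audit(1546112345.681:94): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=4301 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')  # key="quoted" or key=bare


def parse_denials(text, profile=None):
    """Return the apparmor="DENIED" records in `text` as dicts, optionally for one profile."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = {}
        for m in KV_RE.finditer(line):
            rec[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else m.group(4)
        if profile is None or rec.get("profile") == profile:
            records.append(rec)
    return records


def summarise(records):
    """Merge denied_mask letters per path, e.g. {'/var/lib/clamav/x.tmp/': 'dr'}."""
    denied = defaultdict(set)
    for rec in records:
        denied[rec.get("name", "?")].update(rec.get("denied_mask", ""))
    return {path: "".join(sorted(mask)) for path, mask in denied.items()}


def rule_covers(rule_glob, rule_perms, path, needed):
    """True if a file rule like ('/var/lib/clamav/**', 'rw') grants `needed` on `path`.
    Assumed mapping: log masks 'c' (create) and 'd' (delete) need 'w' in the rule."""
    regex = "".join({"**": ".*", "*": "[^/]*"}.get(tok, re.escape(tok))
                    for tok in re.split(r"(\*\*|\*)", rule_glob) if tok)
    wanted = {{"c": "w", "d": "w"}.get(p, p) for p in needed}
    return re.fullmatch(regex, path) is not None and wanted <= set(rule_perms)


if __name__ == "__main__":
    for path, mask in summarise(parse_denials(SAMPLE_DMESG, "/usr/bin/freshclam")).items():
        print(path, "denied:", mask, "covered by '/var/lib/clamav/** rw,':",
              rule_covers("/var/lib/clamav/**", "rw", path, mask))
```

On a real box, feed it `dmesg` output (or /var/log/audit/audit.log when auditd is running) instead of the sample string.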