I have tried to add to /etc/apparmor.d/local/usr.bin.freshclam: capability dac_override,
and restarted apparmor then clamav-freshclam, the issue is still there: # echo 'q' | sudo systemctl --no-pager --full status clamav-freshclam ● clamav-freshclam.service - ClamAV virus database updater Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Thu 2020-10-29 09:06:06 CET; 42s ago Docs: man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents Process: 966650 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=9) Main PID: 966650 (code=exited, status=9) Oct 29 09:06:06 hostname systemd[1]: Started ClamAV virus database updater. Oct 29 09:06:06 hostname freshclam[966650]: ERROR: lchown to user 'clamav' failed on Oct 29 09:06:06 hostname freshclam[966650]: log file '/var/log/clamav/freshclam.log'. Oct 29 09:06:06 hostname freshclam[966650]: Error was 'Operation not permitted' Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020 -> ^lchown to user 'clamav' failed on log file '/var/log/clamav/freshclam.log'. Error was 'Operation not permitted' Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020 -> !Failed to switch to clamav user. Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=9/n/a Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'. The error message regarding 'lchown' is strange: I have checked /etc/init.d/clamav-freshclam, and also config and postinst included in the DEBIAN folder of the package, none includes such a call. However, postinst does include 'chown "$dbowner":adm $FRESHCLAMLOGFILE' (with dbowner=clamav and FRESHCLAMLOGFILE=/var/log/clamav/freshclam.log), so lchown does not seem necessary wherever it is located. On Thu, Oct 29, 2020 at 12:07 AM Sebastian Andrzej Siewior <sebast...@breakpoint.cc> wrote: > > On 2020-10-27 07:22:22 [+0000], Michael Borgelt wrote: > > I have tried different permissions for the file and the directory without > > success. The obove permissions are after a clean reinstall off clamav > > package. > > The problem appears to be the apparmor or freshclam's profile for it. So > disabling apparmor should make freshclam work again. > Probably adding > | capability dac_override, > > to the profile will help, too. I will test it later today… > > Sebastian -- Jean-Christophe