> I have a couple of inputs I'll try to get you in the morning.
>
> Scott K

One user (hi leonel) of the test package I made for Ubuntu of 0.95-1
reported:


ScottK:  Setting up clamav-base (0.95+dfsg-1~ppa2) ...
chown: cannot access `/var/run/clamav': No such file or directory
dpkg: error processing clamav-base (--configure):
 subprocess post-installation script returned error exit status 1
leonel: Does /var/run/clamav exist?
If it does, then I'm thinking apparmor.
ScottK: was an upgrade and the dir didn't exist
ScottK: created and upgrade went fine

On Ubuntu /var/run defaults to a tmpfs (and this is a config the package
supports).  I looked at the postinst and while the postinst chowns
/var/run/clamav, I don't see where it ensures it's been created by that
time.  So I think this needs to be addressed.  I confess not to have had a
lot of time to look into this, so I might have missed something.

Several months ago I added make check to debian/rules in Ubuntu.  Except
for a lot of failures from the valgrind checks (which led to upstream
disabling the valgrind checks by default), I haven't had any problems.  I
think running the tests during the build is a generally good practice and
now, at the start of a release cycle, is a good time for Debian to do this
too.

Finally, we've discussed before adding apparmor as a suggests (it doesn't
exist in the Debian archive, but Debian users may have added it locally)
and incorporating the Ubuntu apparmor profile in the package.  The bind9
package in Debian also does this, so there is precedent.  Patch attached.

That's all I have.  This covers all of the current Debian/Ubuntu diff in
the package.

Scott K
diff -u clamav-0.95+dfsg/debian/control clamav-0.95+dfsg/debian/control
--- clamav-0.95+dfsg/debian/control
+++ clamav-0.95+dfsg/debian/control
@@ -125,7 +126,7 @@
 Package: clamav-daemon
 Architecture: any
 Depends: ${shlibs:Depends}, clamav-base (= ${source:Version}), clamav-freshclam | clamav-data, lsb-base (>= 3.2-13), ucf, ${misc:Depends}
-Suggests: daemon, clamav-docs
+Suggests: daemon, clamav-docs, apparmor (>= 2.1+1075-0ubuntu6)
 Description: anti-virus utility for Unix - scanner daemon
  Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
  this software is the integration with mail servers (attachment
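
Review bot: the bound on the new Suggests line, apparmor (>= 2.1+1075-0ubuntu6), is an Ubuntu package version. The covering mail says apparmor is not in the Debian archive, so a locally added package can carry any version string and the bound may leave the suggestion unsatisfied for no technical reason. An unversioned Suggests: apparmor is simpler unless a feature of that exact version is needed, in which case a comment naming it would help. The same applies to the clamav-freshclam stanza in the next hunk.
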
@@ -163,7 +164,7 @@
 Architecture: any
 Conflicts: clamav-data, libclamav3, libclamav2
 Provides: clamav-data
-Suggests: clamav-docs
+Suggests: clamav-docs, apparmor (>= 2.1+1075-0ubuntu6)
 Depends: ${misc:Depends}, clamav-base (>= ${source:Version}), ${shlibs:Depends}, ucf, logrotate, lsb-base (>= 3.2-13)
 Description: anti-virus utility for Unix - virus database update utility
  Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of
diff -u clamav-0.95+dfsg/debian/clamav-freshclam.postrm clamav-0.95+dfsg/debian/clamav-freshclam.postrm
--- clamav-0.95+dfsg/debian/clamav-freshclam.postrm
+++ clamav-0.95+dfsg/debian/clamav-freshclam.postrm
@@ -52,6 +52,8 @@
   [ ! -d "${workdir}/main.inc/" ] || rmdir --ignore-fail-on-non-empty ${workdir}/main.inc/
   [ ! -d "${workdir}/daily.inc/" ] || rmdir --ignore-fail-on-non-empty ${workdir}/daily.inc/
   update-rc.d clamav-freshclam remove >/dev/null
+
+  rm -f /etc/apparmor.d/force-complain/usr.bin.freshclam >/dev/null 2>&1 || true
   ;;
   remove)
   rm -f /var/lib/clamav/main.cvd
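
Review bot: on the added rm line, the redirect and the || true are redundant. rm -f prints nothing on success and already ignores a missing file, so >/dev/null 2>&1 || true only serves to hide a real failure (a read-only /etc, for example) from the admin. Plain rm -f /etc/apparmor.d/force-complain/usr.bin.freshclam is enough.
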
diff -u clamav-0.95+dfsg/debian/clamav-daemon.install clamav-0.95+dfsg/debian/clamav-daemon.install
--- clamav-0.95+dfsg/debian/clamav-daemon.install
+++ clamav-0.95+dfsg/debian/clamav-daemon.install
@@ -4,0 +5 @@
+debian/usr.sbin.clamd etc/apparmor.d/
diff -u clamav-0.95+dfsg/debian/clamav-daemon.postrm clamav-0.95+dfsg/debian/clamav-daemon.postrm
--- clamav-0.95+dfsg/debian/clamav-daemon.postrm
+++ clamav-0.95+dfsg/debian/clamav-daemon.postrm
@@ -29,6 +29,8 @@
       rm -f $LOGROTATE_FILE
     fi
   fi
+
+  rm -f /etc/apparmor.d/force-complain/usr.sbin.clamd >/dev/null 2>&1 || true
   ;;
   remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
   ;;
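
Review bot: the added line removes the force-complain link but nothing in this branch deals with the profile already loaded in the kernel, so the /usr/sbin/clamd profile can stay active after the package and its file in /etc/apparmor.d are gone. Either unload it here, guarded by the same [ -x /etc/init.d/apparmor ] test the postinst uses, or note in README.Debian that an AppArmor reload or reboot is needed after removal.
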
diff -u clamav-0.95+dfsg/debian/clamav-freshclam.install clamav-0.95+dfsg/debian/clamav-freshclam.install
--- clamav-0.95+dfsg/debian/clamav-freshclam.install
+++ clamav-0.95+dfsg/debian/clamav-freshclam.install
@@ -6,0 +7 @@
+debian/usr.bin.freshclam etc/apparmor.d/
diff -u clamav-0.95+dfsg/debian/clamav-freshclam.postinst.in clamav-0.95+dfsg/debian/clamav-freshclam.postinst.in
--- clamav-0.95+dfsg/debian/clamav-freshclam.postinst.in
+++ clamav-0.95+dfsg/debian/clamav-freshclam.postinst.in
@@ -244,6 +244,11 @@
 
   chown "$dbowner":adm $FRESHCLAMCONFFILE
   
+  # Reload AppArmor profile
+  if [ -x /etc/init.d/apparmor ]; then
+    invoke-rc.d apparmor force-reload || true
+  fi
+
   if [ "$runas" = 'daemon' ]; then
     if [ -x "/etc/init.d/clamav-freshclam" ]; then
       update-rc.d clamav-freshclam defaults >/dev/null
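
Review bot: invoke-rc.d apparmor force-reload || true reloads every profile on the system and throws away the exit status, so if usr.bin.freshclam fails to parse, configure succeeds silently and freshclam carries on without the new profile. Loading only this package's profile (apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam) and printing a warning on failure instead of a bare || true would make the problem visible without aborting the install. The placement ahead of the runas/update-rc.d block is right, since a profile only attaches to processes exec'd after it is loaded.
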
diff -u clamav-0.95+dfsg/debian/README.Debian clamav-0.95+dfsg/debian/README.Debian
--- clamav-0.95+dfsg/debian/README.Debian
+++ clamav-0.95+dfsg/debian/README.Debian
@@ -270,0 +271,8 @@
+APPARMOR PROFILES
+  
+  If your system uses apparmor, please note that the shipped enforcing profile
+  works with the default installation, and changes in your configuration may
+  require changes to the installed apparmor profile. Please see
+  https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+  software.
+
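
Review bot: the text calls the shipped profile "enforcing", but the preinst scripts in this patch link it into /etc/apparmor.d/force-complain on some upgrade paths, and on those systems it runs in complain mode until the admin removes the link. The README should say so and name the links (force-complain/usr.sbin.clamd and force-complain/usr.bin.freshclam) so the admin knows how to switch to enforce. Minor: the line after the heading is "+" followed by two spaces; drop the trailing whitespace.
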
diff -u clamav-0.95+dfsg/debian/clamav-daemon.dirs clamav-0.95+dfsg/debian/clamav-daemon.dirs
--- clamav-0.95+dfsg/debian/clamav-daemon.dirs
+++ clamav-0.95+dfsg/debian/clamav-daemon.dirs
@@ -5,0 +6 @@
+etc/apparmor.d/force-complain
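
Review bot: etc/apparmor.d/force-complain is added to clamav-daemon.dirs only, yet the clamav-freshclam preinst and postrm in this patch also create and remove a link in that directory, and there is no matching clamav-freshclam.dirs change. With only clamav-freshclam installed, the directory exists only if the preinst's mkdir -p ran during an upgrade. Add the entry to clamav-freshclam.dirs as well, or leave ownership of the directory to the apparmor package and keep the mkdir -p.
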
diff -u clamav-0.95+dfsg/debian/clamav-daemon.postinst.in clamav-0.95+dfsg/debian/clamav-daemon.postinst.in
--- clamav-0.95+dfsg/debian/clamav-daemon.postinst.in
+++ clamav-0.95+dfsg/debian/clamav-daemon.postinst.in
@@ -75,6 +75,11 @@
     fi
   fi
 
+  # Reload AppArmor profile
+  if [ -x /etc/init.d/apparmor ]; then
+    invoke-rc.d apparmor force-reload || true
+  fi
+
   ;;
   abort-upgrade|abort-remove|abort-deconfigure)
   ;;
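
Review bot: the reload is added as the last step of this branch, after the if blocks that close just above it. If those blocks are where clamd is started or restarted, the daemon is already running when the profile is loaded; AppArmor attaches a profile at exec time, so clamd would stay unconfined until its next restart. Move the reload above the start, which is the order the clamav-freshclam.postinst.in hunk uses.
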
only in patch2:
unchanged:
--- clamav-0.95+dfsg.orig/debian/clamav-daemon.preinst
+++ clamav-0.95+dfsg/debian/clamav-daemon.preinst
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for #PACKAGE#
+#
+
+set -e
+
+APP_PROFILE="usr.sbin.clamd"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+if [ "$1" = "upgrade" ]; then
+    mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+    if dpkg --compare-versions $2 lt 0.92.1~dfsg2-1.1~feisty3 ; then
+        # force-complain for pre-apparmor upgrades
+        ln -sf $APP_CONFFILE $APP_COMPLAIN
+    elif dpkg --compare-versions $2 lt 0.93.3.dfsg-1ubuntu1 ; then
+        if [ -e "$APP_CONFFILE" ]; then
+            md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+            pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+            if [ "$md5sum" = "$pkg_md5sum" ]; then
+                # force-complain on upgrade from pre-shipped profile and
+                # existing profile is same as in conffiles
+                ln -sf $APP_CONFFILE $APP_COMPLAIN
+            fi
+        else
+            # force-complain on upgrade from pre-shipped profile and
+            # there is no existing profile
+            ln -sf $APP_CONFFILE $APP_COMPLAIN
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
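
Review bot: both dpkg --compare-versions tests check $2 against Ubuntu versions (0.92.1~dfsg2-1.1~feisty3 and 0.93.3.dfsg-1ubuntu1). The mail proposes adding the profile to the Debian package for the first time, so a Debian user upgrading from any version at or above 0.93.3.dfsg-1ubuntu1 matches neither branch, gets no force-complain link, and goes straight to enforce mode with a profile that has never run on that system. For Debian the threshold should be the first Debian version that ships the profile. Also quote "$2" and "$APP_COMPLAIN" in the tests and in the ln/dirname calls.
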
only in patch2:
unchanged:
--- clamav-0.95+dfsg.orig/debian/usr.sbin.clamd
+++ clamav-0.95+dfsg/debian/usr.sbin.clamd
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <[email protected]>
+# Last Modified: Sun Aug  3 09:39:03 2008
+
+#include <tunables/global>
+
+/usr/sbin/clamd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  /etc/clamav/clamd.conf r,
+
+  /usr/sbin/clamd mr,
+
+  /tmp/ rw,
+  /tmp/** krw,
+
+  /var/lib/clamav/ r,
+  /var/lib/clamav/** krw,
+  /var/log/clamav/* krw,
+
+  /var/run/clamav/clamd.ctl w,
+  /var/run/clamav/clamd.pid w,
+
+  /var/spool/clamsmtp/* r,
+
+  # For amavisd-new integration
+  /var/lib/amavis/tmp/** r,
+
+  # For use with exim
+  /var/spool/exim4/** r,
+}
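
Review bot: outside its own state directories the profile lets clamd read only /var/spool/clamsmtp/*, /var/lib/amavis/tmp/** and /var/spool/exim4/**, so in enforce mode a scan request for a path anywhere else is denied by AppArmor rather than by clamd, and will look like a scanner fault. A comment at that point in the profile showing where local scan paths go would save bug reports. Also worth checking: there are no capability lines here, while the freshclam profile grants setgid and setuid; if clamd is started as root and drops privileges it needs the same.
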
only in patch2:
unchanged:
--- clamav-0.95+dfsg.orig/debian/usr.bin.freshclam
+++ clamav-0.95+dfsg/debian/usr.bin.freshclam
@@ -0,0 +1,35 @@
+# vim:syntax=apparmor
+# Author: Jamie Strandboge <[email protected]>
+# Last Modified: Sun Aug  3 09:39:03 2008
+
+#include <tunables/global>
+
+/usr/bin/freshclam {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/clamav/clamd.conf r,
+  /etc/clamav/freshclam.conf r,
+  /etc/clamav/onerrorexecute.d/* mr,
+  /etc/clamav/onupdateexecute.d/* mr,
+  /etc/clamav/virusevent.d/* mr,
+
+  owner /home/*/.clamtk/db/daily.cld r,
+  owner /home/*/.clamtk/db/freshclam.log wk,
+  owner /home/*/.clamtk/db/main.cld r,
+
+  /usr/bin/freshclam mr,
+
+  /var/lib/clamav/ r,
+  /var/lib/clamav/** krw,
+
+  /var/log/clamav/* kw,
+  /var/run/clamav/freshclam.pid w,
+  /var/run/clamav/clamd.ctl w,
+
+  deny /var/run/samba/gencache.tdb mrwkl,
+}
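
Review bot: the three hook directories (/etc/clamav/onerrorexecute.d/*, onupdateexecute.d/* and virusevent.d/*) are granted mr, which is read plus executable mmap and not permission to exec. If freshclam is meant to run those scripts they need an execute mode such as ix; if it only reads them, r alone is enough and the m should go. A one-line comment above the deny /var/run/samba/gencache.tdb rule saying why it is there would help the next reader.
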
only in patch2:
unchanged:
--- clamav-0.95+dfsg.orig/debian/clamav-freshclam.preinst
+++ clamav-0.95+dfsg/debian/clamav-freshclam.preinst
@@ -0,0 +1,35 @@
+#! /bin/sh
+# preinst script for #PACKAGE#
+#
+
+set -e
+
+APP_PROFILE="usr.bin.freshclam"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_COMPLAIN="/etc/apparmor.d/force-complain/$APP_PROFILE"
+if [ "$1" = "upgrade" ]; then
+    mkdir -p `dirname $APP_COMPLAIN` 2>/dev/null || true
+    if dpkg --compare-versions $2 lt 0.92.1~dfsg2-1.1~feisty3 ; then
+        # force-complain for pre-apparmor upgrades
+        ln -sf $APP_CONFFILE $APP_COMPLAIN
+    elif dpkg --compare-versions $2 lt 0.93.3.dfsg-1ubuntu1 ; then
+        if [ -e "$APP_CONFFILE" ]; then
+            md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`"
+            pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`"
+            if [ "$md5sum" = "$pkg_md5sum" ]; then
+                # force-complain on upgrade from pre-shipped profile and
+                # existing profile is same as in conffiles
+                ln -sf $APP_CONFFILE $APP_COMPLAIN
+            fi
+        else
+            # force-complain on upgrade from pre-shipped profile and
+            # there is no existing profile
+            ln -sf $APP_CONFFILE $APP_COMPLAIN
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
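
Review bot: pkg_md5sum is obtained by running sed over /var/lib/dpkg/status, which ties the script to dpkg's on-disk format and needs heavy backslash escaping to do it. dpkg-query -W -f='${Conffiles}' clamav-freshclam returns the same path and md5 pairs through the supported interface. This file is also identical to clamav-daemon.preinst apart from APP_PROFILE, so consider generating both from one template to keep later fixes in sync.
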