Control: affects -1 clamav-daemon

Hi,

(fully quoting so that it's easier for clamav-daemon maintainers to get into the loop)

Francois Gouget:
> Package: apparmor
> Version: 2.11.1-4
> Severity: important
> Dear Maintainer,
> After upgrading from apparmor 2.11.1-2 to 2.11.1-4 I cannot use clamdscan
> anymore;
> $ ll -d /bin /bin/true
> drwxr-xr-x 2 root root 4,0K déc. 14 18:26 /bin
> -rwxr-xr-x 1 root root 31K oct. 2 19:51 /bin/true
> $ clamdscan /bin/true
> /bin/true: Can't open file or directory ERROR

Can you please provide the corresponding AppArmor denial logs you'll find in the Journal or in kern.log?

In the clamav-daemon's README.Debian I see:

  APPARMOR PROFILES

  If your system uses apparmor, please note that the shipped enforcing profile works with the default installation, and changes in your configuration may require changes to the installed apparmor profile. Please see https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this software.

  In particular, clamav-daemon runs as its own user and is confined from accessing all but a limited set of files. These include the home directory of the user calling clamav-daemon, but not system files. If you want to scan files outside of your home directory, the apparmor profile will need to be updated.

  The freshclam utility is also protected by an enforcing profile. If you want to add files to the /etc/clamav/onerrorexecute.d, /etc/clamav/onupdateexecute.d, or /etc/clamav/virusevent.d directories, appropriate rules need to be added to the apparmor profile.

  Please see https://wiki.debian.org/AppArmor for information and documentation on modifying apparmor profiles.

So it seems intended to not allow reading files anywhere on the system. clamav-daemon maintainers, can you confirm this is expected behavior?

> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Total errors: 1
> Time: 0.004 sec (0 m 0 s)
> Such a command should have been successful.
> As far as I can tell this error is caused by
> /etc/apparmor.d/usr.sbin.clamd which, IMO, puts undue restrictions on
> the Clam-AV operations.
> Note that I did not install apparmor by choice: it was brought in by
> linux-image-4.13. It's not like I asked for it but it appears now I will
> have to learn how to fix its configuration :-(

Yes, we're running an experiment about enabling AppArmor by default in testing/sid for a couple of months. I'm sorry it causes trouble for you, but we're learning about issues we could never have guessed without having users of Debian testing/sid actually try it.

> -- System Information:
> Debian Release: buster/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
> LANGUAGE=fr:en_US (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> Versions of packages apparmor depends on:
> ii debconf [debconf-2.0] 1.5.65
> ii libc6 2.25-3
> ii lsb-base 9.20170808
> ii python3 3.6.3-2
> apparmor recommends no packages.
> Versions of packages apparmor suggests:
> pn apparmor-profiles <none>
> pn apparmor-profiles-extra <none>
> pn apparmor-utils <none>
> -- debconf information:
> apparmor/homedirs:

--
intrigeri
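
For gathering the denial logs requested above, here is an added example (not part of the original message or of either package) that summarises AppArmor `DENIED` audit lines for the `/usr/sbin/clamd` profile. The log lines are constructed samples in the kernel audit format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format; not taken from the report.
SAMPLE_LOG = '''\
Dec 15 10:02:11 host kernel: audit: type=1400 audit(1513328531.101:52): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/bin/true" pid=2143 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Dec 15 10:02:40 host kernel: audit: type=1400 audit(1513328560.332:53): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/hosts" pid=2200 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 15 10:03:02 host kernel: audit: type=1400 audit(1513328582.870:54): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/bin/true" pid=2143 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
Dec 15 10:04:19 host kernel: audit: type=1400 audit(1513328659.004:55): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name=2F7372762F73686172652F6120622E706466 pid=2143 comm="clamd" requested_mask="r" denied_mask="r" fsuid=110 ouid=1000
'''

# Matches key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key/value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    event = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and bare:
            # The audit subsystem logs names containing spaces, quotes or
            # control bytes as unquoted hex; decode them back to a path.
            try:
                quoted = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                quoted = bare
        event[key] = quoted or bare
    return event


def denied_paths(log_text, profile):
    """Map (path, denied_mask) -> count for DENIED events of one profile."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev.get("apparmor") == "DENIED" and ev.get("profile") == profile:
            counts[(ev.get("name", "?"), ev.get("denied_mask", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    summary = denied_paths(SAMPLE_LOG, "/usr/sbin/clamd")
    for (path, mask), n in sorted(summary.items()):
        print(f"{n:3d}x  {mask:<3} {path}")
```

On a real system the input would be the kernel messages from the Journal or kern.log rather than `SAMPLE_LOG`.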