Hello, Am Montag, 25. Mai 2020, 11:22:01 CEST schrieb intrigeri: > FTR, here's the profile shipped in the clamav-freshclam package: > https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/usr > .bin.freshclam It has been updated a few times in the last few years. > > And here's the upstream one from the AppArmor project: > https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor/p > rofiles/extras/usr.bin.freshclam It has been updated once in the last > 10 years.
... and it works on my openSUSE servers (and nobody reported issues from
other distros), which means there was no reason for additional updates
;-)
> I would love to see cross-distro collaboration on this profile, but
> our current infrastructure & processes are not ready for that yet,
> and I lack time/energy to push this forward myself.
I compared both profiles, and to cover both Debian and openSUSE, you'd
need to add the following lines to the Debian profile:
#include <abstractions/consoles> # rule exists since the original
# profile version in 2006, no idea if it's really needed
# openSUSE configfile paths
/etc/clamd.conf r,
/etc/freshclam.conf r,
I'd recommend to change the pidfile rule to have the owner restriction
if possible:
# /{,var/}run/clamav/freshclam.pid w, # from Debian profile
owner /{,var/}run/clamav/freshclam.pid w, # upstream profiles/extra
I also wonder about ~/.clamtk/db/ and ~/.klamav/database/ (which I
obviously don't need for server usage) - but I'm sure Jamie had good
reasons to allow that ;-)
If you open a merge request upstream, I'll happily review it ;-)
Feel free to commit the Debian profile + the additional rules listed
above - that's probably easier than integrating the profiles the other
way round.
Regards,
Christian Boltz
--
>> emoenke@ftp4:4 /mirr/bin > du -s /pub/opensuse/distribution/*
> Using `du -sh` might be more readable. ;-)
Not for me - only for so called "humans".
[> houghi and Eberhard Moenkeberg in opensuse]
signature.asc
Description: This is a digitally signed message part.
