We ran into the same issue, but wanted to avoid installing apparmor-utils.
In the /etc/apparmor.d/usr.sbin.clam profile, it is possible to set the
clamd profile to complain mode directly (we used Ansible) without having
to install apparmor-utils or use aa-complain.
Before:
/usr/sbin/clamd {
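As an added example (not the commenter's Ansible change or anything from the Ubuntu package), a small POSIX shell script that does the same edit: it flips a profile's header line to flags=(complain), which is what aa-complain writes, and reports the current mode. It runs against a constructed sample profile, not the real /etc/apparmor.d/usr.sbin.clamd; the function names are mine.

```shell
#!/bin/sh
# Added example: put an AppArmor profile into complain mode by editing the
# header line, without apparmor-utils. Function names are the example's own.

# Print the profile header: first line that is not a comment/#include and ends in "{".
profile_header() {
  awk '/^[^#[:space:]].*[{][[:space:]]*$/ { print; exit }' "$1"
}

# Report "complain" if the header carries the complain flag, else "enforce".
profile_mode() {
  case "$(profile_header "$1")" in
    *flags=\(*complain*\)*) echo complain ;;
    *) echo enforce ;;
  esac
}

# Rewrite the header so it carries flags=(complain). Idempotent; if the header
# already has a flags=(...) list (e.g. attach_disconnected), complain is added to it.
set_complain() {
  f="$1"
  [ "$(profile_mode "$f")" = complain ] && return 0
  tmp="$f.tmp"
  awk 'BEGIN { done = 0 }
       !done && /^[^#[:space:]].*[{][[:space:]]*$/ {
         if ($0 ~ /flags=\(/) sub(/flags=\(/, "flags=(complain,")
         else sub(/[[:space:]]*[{][[:space:]]*$/, " flags=(complain) {")
         done = 1
       }
       { print }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Constructed sample profile (shape only; not the Ubuntu usr.sbin.clamd file).
make_sample() {
  cat > "$1" <<'EOF'
# constructed sample profile for the example
#include <tunables/global>
/usr/sbin/clamd {
  #include <abstractions/base>
  capability setgid,
  capability setuid,
}
EOF
}

demo=$(mktemp -d)
make_sample "$demo/usr.sbin.clamd"
set_complain "$demo/usr.sbin.clamd"
profile_header "$demo/usr.sbin.clamd"   # /usr/sbin/clamd flags=(complain) {
# On a real system, reload the edited profile as root: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
rm -rf "$demo"
```

Complain mode still logs every access the profile would deny, so after clamd has run for a while the ALLOWED/DENIED lines in syslog or audit.log show which rules the profile is missing.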
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1404762
Title:
apparmor profile usr.sbin.clamd does not
clamd starts with:
1. aa-complain clamd
2. invoke-rc.d clamav-daemon restart
No clamd entries in syslog.
audit.log after starting clamd:
type=USER_AUTH msg=audit(1428468600.638:193): pid=8314 uid=1000 auid=4294967295
ses=4294967295 msg='op=PAM:authentication acct=hartwig exe=/usr/bin/sudo
As another try, I tried to disable the apparmor profile by
cd /etc/apparmor.d/disable
ln -s ./../usr.sbin.clamd
as described by Thomas above. Unexpectedly, that did not get rid of the message
ERROR: initgroups() failed.
I found I had a file usr.sbin(Kopie).clamd in that folder; this file was
Hartwig, great find with the backup copied file! That would definitely
complicate all debugging efforts. Please do report back now that you can
make some forward progress.
--
Now that on-access scanning seems to be working, I tried some cases:
No detections when I copied some Eicar files around in subfolders of
/home/hartwig. However, I got a detection when I placed an Eicar file directly
into that folder (mentioned in /var/log/clamav/clamav.log). It looks like that
no reaction at all?
Does that mean on-access scanning does not work with clamav (non-detection of
Eicar file)?
Because of lacking compatibility with apparmor?
--
I was describing two issues: one is that the root user was needed for
ScanOnAccess; the second was that the apparmor profile does not fit.
Basically, there should be an easy way to use ScanOnAccess with correct
apparmor profile.
Fanotify seems to be a basic feature in conjunction with a virus scanner
Hartwig, are there still AppArmor DENIED lines in your /var/log/syslog
or /var/log/audit/audit.log files even after adding all those extra
capabilities? Granted, a profiled application with all those
capabilities is likely powerful enough to do great damage to the system
anyway...
Thanks
--
Some further info:
I have now installed auditd to have the log in /var/log/audit/audit.log.
I added to usr.bin.clamd:
capability setgid,
capability setuid,
and used aa-logprof to add some more items:
capability chown,
capability dac_override,
capability fsetid,
capability sys_admin,
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: apparmor (Ubuntu)
Status: New => Confirmed
--
I have the same problem, but the above does not help me.
aa-complain clamd needs to be done at every startup, otherwise clamd would not
start.
No /var/log/audit/audit.log
Eicar file can be copied despite clamav on-access running (according to clamav.log)
Details see
Please add
capability setgid,
to the clamd profile and re-enable it (aa-enforce clamd).
If it still doesn't work, set it to complain mode (aa-complain clamd)
so that it permits everything and logs what would be denied. Then use
clamd for a while and provide the clamd-related entries from