@sergiodj, I was able to reproduce this in a container based on your
instruction but by adding the apparmor package to the mix.
With Apparmor installed, after upgrading from 0.102.4+dfsg-
0ubuntu0.18.04.1 -> 0.103.2+dfsg-0ubuntu0.18.04.1, I have this in
"journalctl -fk":
Apr 21 20:56:57 bclam kernel: audit: type=1400 audit(1619038617.624:2):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/sbin/clamd" pid=1835 comm="apparmor_parser"
Apr 21 20:57:00 bclam kernel: audit: type=1400 audit(1619038620.980:3):
apparmor="STATUS" operation="profile_load" profile="unconfined"
name="/usr/bin/freshclam" pid=1837 comm="apparmor_parser"
Apr 21 20:57:11 bclam kernel: audit: type=1400 audit(1619038631.016:4):
apparmor="DENIED" operation="open" profile="/usr/bin/freshclam"
name="/etc/ssl/openssl.cnf" pid=1840 comm="freshclam" requested_mask="r"
denied_mask="r" fsuid=105 ouid=0
Apr 21 20:57:11 bclam kernel: audit: type=1400 audit(1619038631.048:5):
apparmor="DENIED" operation="open" profile="/usr/bin/freshclam"
name="/etc/ssl/openssl.cnf" pid=1840 comm="freshclam" requested_mask="r"
denied_mask="r" fsuid=105 ouid=0
Apr 21 20:59:30 bclam kernel: audit: type=1400 audit(1619038770.363:6):
apparmor="DENIED" operation="open" profile="/usr/bin/freshclam"
name="/etc/ssl/openssl.cnf" pid=1870 comm="freshclam" requested_mask="r"
denied_mask="r" fsuid=105 ouid=0
Apr 21 21:04:37 bclam kernel: audit: type=1400 audit(1619039077.070:7):
apparmor="DENIED" operation="open" profile="/usr/bin/freshclam"
name="/etc/ssl/openssl.cnf" pid=2800 comm="freshclam" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
Apr 21 21:04:37 bclam kernel: audit: type=1400 audit(1619039077.074:8):
apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=2800
comm="freshclam" capability=1 capname="dac_override"
The dac_override cap was added in the Apparmor profile shipped in
0.103.2+dfsg-0ubuntu0.18.04.1. It looks like the new profile is deployed
after the freshclam service is restarted which would explain why it
trips on the missing capability.
Manually restarting clamav-freshclam.service works around the problem.
** Changed in: clamav (Ubuntu)
Status: Incomplete => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925182
Title:
ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check
permissions!)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1925182/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
