← Back to team overview

touch-packages team mailing list archive

[Bug 1404762] [NEW] apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify

 

Public bug reported:

I tried to enable the ScanOnAccess option in /etc/clamav.conf to get on-
access scanning.

Doing so, /var/log/clamav/clamav.log tells me:
ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
ScanOnAccess: clamd must be started by root

Setting User to root in /etc/clamav/clamd.conf
makes the clamav-daemon to fail with

service clamav-daemon start
 * Starting ClamAV daemon clamd
ERROR: initgroups() failed.

I had to disable the apparmor.profile with a
cd /etc/apparmor.d/disable
ln -s ./../usr.sbin.clamd

Then, the "ERROR: initgroups() failed." disappears.

The apparmor itself came via apt-get packages. I did not edit it.

Description:	Ubuntu 14.04.1 LTS
Release:	14.04

apt-cache policy apparmor-profiles
apparmor-profiles:
  Installiert:           (keine)
  Installationskandidat: 2.8.95~2430-0ubuntu5.1
  Versionstabelle:
     2.8.95~2430-0ubuntu5.1 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.8.95~2430-0ubuntu5 0
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor-profiles (not installed)
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Mon Dec 22 01:23:04 2014
InstallationDate: Installed on 2014-11-29 (22 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
ProcEnviron:
 LANGUAGE=de_DE
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.13.0-43-generic root=UUID=6408c2d9-1b60-43d7-9a7f-2dceeb40de28 ro rootflags=subvol=@ quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:
 
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug trusty

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1404762

Title:
  apparmor profile usr.sbin.clamd does not allow ScanOnAccess via
  fanotify

Status in apparmor package in Ubuntu:
  New

Bug description:
  I tried to enable the ScanOnAccess option in /etc/clamav.conf to get
  on-access scanning.

  Doing so, /var/log/clamav/clamav.log tells me:
  ERROR: ScanOnAccess: fanotify_init failed: Operation not permitted
  ScanOnAccess: clamd must be started by root

  Setting User to root in /etc/clamav/clamd.conf
  makes the clamav-daemon to fail with

  service clamav-daemon start
   * Starting ClamAV daemon clamd
  ERROR: initgroups() failed.

  I had to disable the apparmor.profile with a
  cd /etc/apparmor.d/disable
  ln -s ./../usr.sbin.clamd

  Then, the "ERROR: initgroups() failed." disappears.

  The apparmor itself came via apt-get packages. I did not edit it.

  Description:	Ubuntu 14.04.1 LTS
  Release:	14.04

  apt-cache policy apparmor-profiles
  apparmor-profiles:
    Installiert:           (keine)
    Installationskandidat: 2.8.95~2430-0ubuntu5.1
    Versionstabelle:
       2.8.95~2430-0ubuntu5.1 0
          500 http://de.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
       2.8.95~2430-0ubuntu5 0
          500 http://de.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: apparmor-profiles (not installed)
  ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
  Uname: Linux 3.13.0-43-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.6
  Architecture: amd64
  Date: Mon Dec 22 01:23:04 2014
  InstallationDate: Installed on 2014-11-29 (22 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  ProcEnviron:
   LANGUAGE=de_DE
   TERM=xterm
   PATH=(custom, no user)
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-3.13.0-43-generic root=UUID=6408c2d9-1b60-43d7-9a7f-2dceeb40de28 ro rootflags=subvol=@ quiet splash vt.handoff=7
  SourcePackage: apparmor
  Syslog:
   
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1404762/+subscriptions


Follow ups

References