[clamav-users] fanotify allowed in kernel, clamd running as root, clamd complaining it needs to run as root
Jeff Blaine
jblaine at kickflop.net
Wed Sep 4 15:44:02 UTC 2019
Hi Mark. Thanks for the reply.
I think your guess is correct. Assuming my OnAccess errors directly
correlate to the auditd info below[1][2], this appears to be a bug in
the AppArmor profiles included with the Ubuntu packages "clamav-daemon"
and "clamav-freshclam":
jblaine at ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.sbin.clamd
clamav-daemon: /etc/apparmor.d/usr.sbin.clamd
jblaine at ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.bin.freshclam
clamav-freshclam: /etc/apparmor.d/usr.bin.freshclam
jblaine at ub18test:~$
I guess I'll head over to the Ubuntu launchpad.net page for ClamAV and
file a bug report.
Thanks again,
Jeff
Footnotes:
1. clamd issues found in auditd log:
node=ub18test type=AVC msg=audit(1567542270.923:11512):
apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd"
pid=54842 comm="clamd" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567542271.039:11517):
apparmor="DENIED" operation="open" profile="/usr/sbin/clamd"
name="/etc/ssl/openssl.cnf" pid=54858 comm="clamd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567542315.684:11521):
apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd"
pid=54858 comm="clamd" capability=21 capname="sys_admin"
2. freshclam issues found in auditd log:
node=ub18test type=AVC msg=audit(1567543073.345:97): apparmor="DENIED"
operation="open" profile="/usr/bin/freshclam"
name="/etc/ssl/openssl.cnf" pid=736 comm="freshclam" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED"
operation="capable" profile="/usr/bin/freshclam" pid=736
comm="freshclam" capability=2 capname="dac_read_search"
node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED"
operation="capable" profile="/usr/bin/freshclam" pid=736
comm="freshclam" capability=1 capname="dac_override"
Jeff
On 9/4/2019 9:14 AM, Mark Fortescue wrote:
> Hi Jeff,
>
> Looks like Apparmor may be stepping in and preventing access. Have you
> checked that Apparmor has been changed to give clamd the required
> permissions ?
>
> Regards
> Mark.
>
> On 03/09/2019 22:01, Jeff Blaine via clamav-users wrote:
>> Hello all,
>>
>> I'm experiencing something odd on Ubuntu 18.04. As far as I can tell I
>> have done everything I am supposed to in order to get OnAccess scanning
>> working. I've already gotten our RHEL 7 hosts working fine. If anyone
>> knows what is going wrong here, I would love to hear it. Thank you.
>>
>> 1. The kernel checks out fine for fanotify:
>>
>> jblaine at ub18test:/etc/clamav$ uname -a
>> Linux ub18test 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC
>> 2019 x86_64 x86_64 x86_64 GNU/Linux
>> jblaine at ub18test:/etc/clamav$ cat /boot/config-4.15.0-58-generic | grep
>> FANOTIFY
>> CONFIG_FANOTIFY=y
>> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
>> jblaine at ub18test:/etc/clamav$
>>
>> 2. clamd *is* running as root:
>>
>> root 55172 1 81 16:33 ? 00:00:44 /usr/sbin/clamd
>> --foreground=true
>>
>> 3. clamd complains that it needs to run as root:
>>
>> Sep 3 16:33:50 ub18test clamd[55172]: ScanOnAccess: fanotify_init
>> failed: Operation not permitted
>> Sep 3 16:33:50 ub18test clamd[55172]: ScanOnAccess: clamd must be
>> started by root
>>
>> --Jeff
>>
>>
>> _______________________________________________
>>
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
More information about the clamav-users
mailing list