[clamav-users] fanotify allowed in kernel, clamd running as root, clamd complaining it needs to run as root
Hello all,

I'm experiencing something odd on Ubuntu 18.04. As far as I can tell I
have done everything I am supposed to in order to get OnAccess scanning
working. I've already gotten our RHEL 7 hosts working fine. If anyone
knows what is going wrong here, I would love to hear it. Thank you.

1. The kernel checks out fine for fanotify:

jblaine@ub18test:/etc/clamav$ uname -a
Linux ub18test 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC
2019 x86_64 x86_64 x86_64 GNU/Linux
jblaine@ub18test:/etc/clamav$ cat /boot/config-4.15.0-58-generic | grep
FANOTIFY
CONFIG_FANOTIFY=y
CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
jblaine@ub18test:/etc/clamav$

2. clamd *is* running as root:

root 55172 1 81 16:33 ? 00:00:44 /usr/sbin/clamd
--foreground=true

3. clamd complains that it needs to run as root:

Sep 3 16:33:50 ub18test clamd[55172]: ScanOnAccess: fanotify_init
failed: Operation not permitted
Sep 3 16:33:50 ub18test clamd[55172]: ScanOnAccess: clamd must be
started by root

--Jeff


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] fanotify allowed in kernel, clamd running as root, clamd complaining it needs to run as root
Forgot to mention: this is the "0.100.3" version as available via apt on
an otherwise stock Ubuntu 18 host.

On 9/3/2019 5:01 PM, Jeff Blaine via clamav-users wrote:

Re: [clamav-users] fanotify allowed in kernel, clamd running as root, clamd complaining it needs to run as root
Hi Jeff,

Looks like AppArmor may be stepping in and preventing access. Have you
checked that AppArmor has been changed to give clamd the required
permissions?

Regards
Mark.

On 03/09/2019 22:01, Jeff Blaine via clamav-users wrote:


Re: [clamav-users] fanotify allowed in kernel, clamd running as root, clamd complaining it needs to run as root
Hi Mark. Thanks for the reply.

I think your guess is correct. Assuming my OnAccess errors directly
correlate to the auditd info below[1][2], this appears to be a bug in
the AppArmor profiles included with the Ubuntu packages "clamav-daemon"
and "clamav-freshclam":

jblaine@ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.sbin.clamd
clamav-daemon: /etc/apparmor.d/usr.sbin.clamd
jblaine@ub18test:~$ sudo dpkg -S /etc/apparmor.d/usr.bin.freshclam
clamav-freshclam: /etc/apparmor.d/usr.bin.freshclam
jblaine@ub18test:~$

I guess I'll head over to the Ubuntu launchpad.net page for ClamAV and
file a bug report.

Thanks again,
Jeff

Footnotes:

1. clamd issues found in auditd log:

node=ub18test type=AVC msg=audit(1567542270.923:11512):
apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd"
pid=54842 comm="clamd" capability=2 capname="dac_read_search"

node=ub18test type=AVC msg=audit(1567542271.039:11517):
apparmor="DENIED" operation="open" profile="/usr/sbin/clamd"
name="/etc/ssl/openssl.cnf" pid=54858 comm="clamd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0

node=ub18test type=AVC msg=audit(1567542315.684:11521):
apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd"
pid=54858 comm="clamd" capability=21 capname="sys_admin"

2. freshclam issues found in auditd log:

node=ub18test type=AVC msg=audit(1567543073.345:97): apparmor="DENIED"
operation="open" profile="/usr/bin/freshclam"
name="/etc/ssl/openssl.cnf" pid=736 comm="freshclam" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0

node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED"
operation="capable" profile="/usr/bin/freshclam" pid=736
comm="freshclam" capability=2 capname="dac_read_search"

node=ub18test type=AVC msg=audit(1567543073.729:103): apparmor="DENIED"
operation="capable" profile="/usr/bin/freshclam" pid=736
comm="freshclam" capability=1 capname="dac_override"

Jeff

On 9/4/2019 9:14 AM, Mark Fortescue wrote:
