clamd daemon fails to load

Bug #288942 reported by Greg Eden
Affects: clamav (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: clamav-daemon

I have a clean install of Intrepid beta updated to latest packages as of October 24th.

When I load Clamav the basic setup works and I can scan my home directory. However, in setting up the clamdrib plugin for Thunderbird I find that clamd fails to load:

greg@greg-desktop:~$ clamd
ERROR: Can't open /var/log/clamav/clamav.log in append mode (check permissions!).
ERROR: Problem with internal logger. Please check the permissions on the /var/log/clamav/clamav.log file.

OR as su

greg@greg-desktop:~$ sudo clamd
ERROR: Can't get information about user clamav.

If I change permissions on the log file, loading clamd causes a segfault.

I have completely removed and reinstalled several times - same result.

Until two days ago I was using Debian Sid on this system and clamav was working fine.

good luck

Scott Kitterman (kitterman) wrote :

In Ubuntu we have an Apparmor profile for Clamav that Debian does not have. That may be the issue here.

You can try sudo sh /etc/init.d/apparmor stop and then see if it works. If it does, that tells us where the problem is.

Scott Kitterman (kitterman) wrote :

Did you set up clamd to use a TCP socket? You add this to /etc/clamav/clamd.conf:

TCPSocket 3310
TCPAddr localhost

And then restart clamd:

sudo /etc/init.d/clamav-daemon restart

I've installed and run this plugin and cannot reproduce your problem.

Greg Eden (grege) wrote : Re: [Bug 288942] Re: clamd daemon fails to load

Scott,

You are correct. The moment I stopped Apparmor the daemon loaded and
clamdrib now works. I reloaded apparmor and it continues to work. I am
thinking load order is an issue. I will try a reboot.

thanks

Greg

Scott Kitterman wrote:
> In Ubuntu we have an Apparmor profile for Clamav that Debian does not
> have. That may be the issue here.
>
> You can try sudo sh /etc/init.d/apparmor stop and then see if it works.
> If it does, that tells us where the problem is.
>
>

--
===================================
Greg Eden
<email address hidden>

Greg Eden (grege) wrote : Re: [Bug 288942] Re: clamd daemon fails to load 2

Scott,

As you would expect the reboot put me back to the daemon not working.

:(

Scott Kitterman wrote:
> In Ubuntu we have an Apparmor profile for Clamav that Debian does not
> have. That may be the issue here.
>
> You can try sudo sh /etc/init.d/apparmor stop and then see if it works.
> If it does, that tells us where the problem is.
>
>

--
===================================
Greg Eden
<email address hidden>

Scott Kitterman (kitterman) wrote :

You can shift just the clamav profile to complain mode (and then the plugin works) by running:

sudo aa-complain usr.sbin.clamd

In complain mode, I get:

Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502 audit(1224949953.717:3435): operation="socket_accept" family="inet" sock_type="stream" protocol=6 pid=12985 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.432903] type=1502 audit(1224949953.717:3436): operation="socket_recvmsg" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.432924] type=1502 audit(1224949953.717:3437): operation="socket_recvmsg" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433035] type=1502 audit(1224949953.717:3438): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=111 name="/etc/resolv.conf" pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433131] type=1502 audit(1224949953.717:3439): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=111 name="/etc/hosts" pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433202] type=1502 audit(1224949953.717:3440): operation="socket_create" family="inet" sock_type="stream" protocol=0 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433225] type=1502 audit(1224949953.717:3441): operation="socket_post_create" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433240] type=1502 audit(1224949953.717:3442): operation="socket_bind" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433254] type=1502 audit(1224949953.717:3443): operation="socket_listen" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 scott-laptop kernel: [ 5308.433293] type=1502 audit(1224949953.717:3444): operation="socket_sendmsg" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"

I'm going to ask someone who knows more about apparmor than I do to look at this bug.

Changed in clamav:
importance: Undecided → Medium
status: New → Triaged
Stefan Lesicnik (stefanlsd) wrote :

Hi,

I believe the fix for this is the addition of

  #include <abstractions/nameservice>

in /etc/apparmor.d/usr.sbin.clamd.

To test this:

- start from a clean base
apt-get purge clamav clamav-base clamav-daemon
rm -rf /var/lib/clamav

- install clamav
apt-get install clamav-daemon

check clamd is running (ps -afx or the like)
process should be: /usr/sbin/clamd

Modify clamd to use TCP 3310 and bind to localhost
Add

TCPAddr localhost
TCPSocket 3310

to /etc/clamav/clamd.conf

- Restart clamd
/etc/init.d/clamav-daemon restart

This should segfault now due to the apparmor profile denying access to TCP network-related files (hosts, nsswitch, resolv.conf, etc.)

To resolve this

Add

 #include <abstractions/nameservice>

to /etc/apparmor.d/usr.sbin.clamd

- Reload apparmor
/etc/init.d/apparmor reload

- Restart clamd
/etc/init.d/clamav-daemon restart

- This should now start correctly.

clamdrib should also work correctly.

<aside>
Please correct me if I am wrong, but I decided 'capability setuid' in this case is not required, as clamdscan has the ability to call a file to scan with the - option, i.e. clamdscan - <filename, which should run it as the current user, which I suspect clamdrib is doing; therefore it shouldn't be necessary to setuid.
</aside>

Greg - please note that calling clamd or sudo clamd as per your original post is the incorrect way to start the daemon, as it should be started as root via the init script (/etc/init.d/clamav-daemon) which will result in the application dropping privileges to the clamav user. You should be doing clamd --config-file=/etc/clamav/clamd.conf
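
A triage of complain-mode output like the kernel lines quoted earlier in this thread, as an added example (not code from this bug report or the clamav package): it separates events that the TCP and name-lookup explanation accounts for from anything else that should be reviewed before the profile is widened. The sample log is constructed, and `LOOKUP_FILES`, `parse_line` and `triage` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample, shaped like the complain-mode lines quoted in this thread.
# The /var/tmp/sample.dat read is invented to show an outlier.
SAMPLE_LOG = """\
Oct 25 11:52:33 host kernel: [ 5308.432588] type=1502 audit(1224949953.717:3435): operation="socket_accept" family="inet" sock_type="stream" protocol=6 pid=12985 profile="/usr/sbin/clamd"
Oct 25 11:52:33 host kernel: [ 5308.433035] type=1502 audit(1224949953.717:3438): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=111 name="/etc/resolv.conf" pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 host kernel: [ 5308.433131] type=1502 audit(1224949953.717:3439): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=111 name="/etc/hosts" pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:33 host kernel: [ 5308.433240] type=1502 audit(1224949953.717:3442): operation="socket_bind" family="inet" sock_type="stream" protocol=6 pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:34 host kernel: [ 5309.000001] type=1502 audit(1224949954.001:3450): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=111 name="/var/tmp/sample.dat" pid=13341 profile="/usr/sbin/clamd"
Oct 25 11:52:35 host kernel: [ 5310.000000] eth0: link up
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: the files this thread names as needed for TCP name lookups.
LOOKUP_FILES = {"/etc/hosts", "/etc/resolv.conf", "/etc/nsswitch.conf"}


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, else None."""
    if "type=1502" not in line or "audit(" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def triage(log_text, profile="/usr/sbin/clamd"):
    """Split one profile's events into explained counts and a review list."""
    explained, unexplained = Counter(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("profile") != profile:
            continue
        op = ev.get("operation", "")
        read_only = ev.get("denied_mask", "").strip(":") == "r"
        if (op.startswith("socket_") and ev.get("family") == "inet"
                and ev.get("sock_type") == "stream"):
            explained["inet stream socket"] += 1
        elif op == "inode_permission" and read_only and ev.get("name") in LOOKUP_FILES:
            explained["read " + ev["name"]] += 1
        else:
            # Anything else needs a human decision, not a blanket include.
            unexplained.append((op, ev.get("name") or ev.get("family")))
    return dict(explained), unexplained


if __name__ == "__main__":
    ok, review = triage(SAMPLE_LOG)
    for what, count in sorted(ok.items()):
        print(f"{count:3d}  {what}")
    for op, target in review:
        print(f"REVIEW  {op}  {target}")
```

An empty review list means the logged events match what the proposed profile change is meant to cover; a non-empty one lists accesses to check individually.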

Stefan Lesicnik (stefanlsd) wrote :

Patch to usr.sbin.clamd apparmor profile to allow clamd to run as a TCP daemon.

Greg Eden (grege) wrote : Re: [Bug 288942] Re: clamd daemon fails to load

Stefan,

I reinstalled as per instructions (also removing the previous fix of
using apparmor complain) and it does function correctly.

thank you

Greg

P.S. I was only loading clamd directly, looking for errors.

Stefan Lesicnik wrote:
> Hi,
>
> I believe the fix for this is the addition of
>
> #include <abstractions/nameservice>
>
> in /etc/apparmor.d/usr.sbin.clamd.
>
> To test this:
>
> - start from a clean base
> apt-get purge clamav clamav-base clamav-daemon
> rm -rf /var/lib/clamav
>
> - install clamav
> apt-get install clamav-daemon
>
> check clamd is running (ps -afx or the like)
> process should be: /usr/sbin/clamd
>
> Modify clamd to use TCP 3310 and bind to localhost
> Add
>
> TCPAddr localhost
> TCPSocket 3310
>
> to /etc/clamav/clamd.conf
>
> - Restart clamd
> /etc/init.d/clamav-daemon restart
>
> This should segfault now due to the apparmor profile denying access to
> tcp network related files (hosts, nsswitch resolve.conf etc)
>
> To resolve this
>
> Add
>
> #include <abstractions/nameservice>
>
> to /etc/apparmor.d/usr.sbin.clamd
>
> - Reload apparmor
> /etc/init.d/apparmor reload
>
> - Restart clamd
> /etc/init.d/clamav-daemon restart
>
> - This should now start correctly.
>
> clamdrib should also work correctly.
>
>
> <aside>
> Please correct me if I am wrong, but decided 'capability setuid' in this case is not required as clamdscan has the ability to call a file to scan with the - option. ie. clamdscan - <filename. which should run it in as the current user, which i suspect clamdrib is doing therefore shouldnt be necessary to setuid.
> </aside>
>
> Greg - please note that calling clamd or sudo clamd as per your original
> post is the incorrect way to start the daemon, as it should be started
> as root via the init script (/etc/init.d/clamav-daemon) which will
> result in the application dropping privileges to the clamav user. You
> should be doing clamd --config-file=/etc/clamav/clamd.conf
>
>

--
===================================
Greg Eden
<email address hidden>

Jamie Strandboge (jdstrand) wrote :

I reviewed the one-line addition to the profile and it is appropriate. Please incorporate in the next upload.

Stefan Lesicnik (stefanlsd) wrote :

Greg,

Thanks for testing and reporting back! I'm glad this resolves the bug for you. It should be incorporated into the next clamav release.

Thanks for reporting this issue.

Scott Kitterman (kitterman) wrote :

Fix committed to the pkg-clamav git repository for the next upload.

Changed in clamav:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.94.dfsg.1-1ubuntu1

---------------
clamav (0.94.dfsg.1-1ubuntu1) jaunty; urgency=low

  * Merge from Debian Unstable (LP: #296704). Remaining Ubuntu changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
  * Update apparmor profile for clamd to work with TCP sockets (LP: #288942)

clamav (0.94.dfsg.1-1) unstable; urgency=low

  [ Stephen Gran ]
  * New upstream version (closes: #505134, #502165, #501298)
  * Handle new option SubmitDetectionStats in freshclam.conf
  * Remove RAR from the description, since we really don't handle it anymore
  * Skip 'sleep until -e socket' logic if socket is of type inet (LP #296086)

  [ Michael Meskes ]
  * Added myself as uploader.
  * Changed watch file to account for dfsg extension.
  * Do not configure temporary directory in clamd.conf anymore unless it is
    already configured there.
  * Added Basque debconf translation (closes: #500007)

  [ Michael Tautschnig ]
  * Use lsb's status_of_proc function to determine the status of the process
    and return with according exit codes (closes: #486076)
  * Updated Dutch debconf translation (thanks Paul Gevers <email address hidden>)
    (closes: #501627)
  * Changed versioned dependency of clamav-daemon to clamav-base to equals
    (closes: #500416)
  * Handle new option DetectionStatsCountry in freshclam.conf
  * Don't trust the multilib guessing stuff, always use libdir=$prefix/lib
  * Removed nowadays unused lintian overrides
  * Create md5sums control file for clamav-dbg as well (thanks, lintian)

 -- Scott Kitterman <email address hidden> Tue, 11 Nov 2008 22:24:38 -0500

Changed in clamav:
status: Fix Committed → Fix Released