Ubuntu
clamav package

clamd scanning mimedefang temp files blocked by apparmor

Bug #829089 reported by Imre Gergely on 2011-08-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	clamav (Ubuntu)	Fix Released	Undecided	Scott Kitterman

Bug Description

Testing MIMEDefang with sendmail and clamav-daemon I've found a problem. It seems that clamav-daemon's apparmor denies read access to mimedefang's temporary files, as seen in the logs:

/var/log/mail.log:

Aug 19 01:50:44 utest-nns32 mimedefang.pl[4544]: p7IMohM5005045: Clamd returned error: lstat() failed: Permission denied.
Aug 19 01:50:44 utest-nns32 mimedefang.pl[4544]: Problem running virus scanner: code=999, category=swerr, action=tempfail
Aug 19 01:50:44 utest-nns32 mimedefang.pl[4544]: filter: p7IMohM5005045: tempfail=1
Aug 19 01:50:44 utest-nns32 mimedefang[4543]: p7IMohM5005045: Tempfailing because filter instructed us to
Aug 19 01:50:44 utest-nns32 sm-mta[5045]: p7IMohM5005045: Milter: data, reject=451 4.3.0 Problem running virus-scanner
Aug 19 01:50:44 utest-nns32 sm-mta[5045]: p7IMohM5005045: to=<email address hidden>, delay=00:00:00, pri=31210, stat=Problem running virus-scanner

/var/log/syslog:

Aug 19 01:44:11 utest-nns32 kernel: [ 404.626907] type=1400 audit(1313707451.283:11): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/clamd" name="/var/spool/MIMEDefang/mdefang-p7IMi9Be005007/Work/" pid=5008 comm="clamd" requested_mask="r" denied_mask="r" fsuid=111 ouid=104

This should be fixed in Oneiric before we SRU/backport clamav 0.97.2 back to Natty/Lucid/etc.

Tags:

Related branches

lp://staging/ubuntu/oneiric/clamav

Revision history for this message

Imre Gergely (cemc) wrote on 2011-08-18:

Adding the following rule to /etc/apparmor.d/usr.sbin.clamd resolves the problem apparently

/var/spool/MIMEDefang/** r,

Scanning works:

Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: MDLOG,p7IN4UXO005515,virus,Eicar-Test-Signature,172.16.21.1,<email address hidden>,<email address hidden>,[TESTMAIL] eicar test mail
Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: Discarding because of virus Eicar-Test-Signature
Aug 19 02:04:31 utest-nns32 mimedefang.pl[4544]: filter: p7IN4UXO005515: discard=1

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-08-19:

'/var/spool/MIMEDefang/** r,' looks good. It is similar for what we are doing with all the others (amavis, havp, etc).

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-08-19:

I'm not up on current mimedefang, but doing something like this would be even better:

/var/spool/MIMEDefang/mdefang-*/Work/ r,
/var/spool/MIMEDefang/mdefang-*/Work/** r,

If mimedefang's spool directory only contains the files to be scanned, then the easier to maintain '/var/spool/MIMEDefang/** r,' is totally fine. If there is other stuff in there, may be it is worth using what I suggested above, but weighed against maintenance/fragility, maybe not.

Revision history for this message

Imre Gergely (cemc) wrote on 2011-08-19:

This is what it looks like:

root@utest-nns32:/var/spool/MIMEDefang/mdefang-p7JIVdIk002047# ls -la
total 32
drwxr-x--- 4 defang defang 4096 2011-08-19 21:31 .
drwxr-x--- 4 defang defang 4096 2011-08-19 21:31 ..
-rw-r----- 1 defang defang 513 2011-08-19 21:31 COMMANDS
-rw-r----- 1 defang defang 569 2011-08-19 21:31 HEADERS
-rw-r----- 1 defang defang 1206 2011-08-19 21:31 INPUTMSG
-rw-r----- 1 defang defang 2 2011-08-19 21:31 RESULTS
drwxr-x--- 2 defang defang 4096 2011-08-19 21:31 tmp
drwxr-x--- 2 defang defang 4096 2011-08-19 21:31 Work

COMMANDS seems to contain the SMTP commands, HEADERS the actual email headers, INPUTMSG is the complete email (headers included), RESULTS and tmp/ I'm not sure what they are and Work/ contains the email body and any attachments it may have.

root@utest-nns32:/var/spool/MIMEDefang/mdefang-p7JIVdIk002047/Work# ls -la
total 16
drwxr-x--- 2 defang defang 4096 2011-08-19 21:31 .
drwxr-x--- 4 defang defang 4096 2011-08-19 21:31 ..
-rw-r----- 1 defang defang 17 2011-08-19 21:31 msg-2040-1.txt <-- email body
-rw-r----- 1 defang defang 184 2011-08-19 21:31 msg-2040-2.zip <-- attachment

I would guess that clamd is only scanning Work/* , but I can't say for sure, I'm not that familiar with mimedefang (first time ever testing it).

Revision history for this message

Imre Gergely (cemc) wrote on 2011-08-19:

usr.sbin.clamd-oneiric.diff Edit (375 bytes, text/plain)

Tested and working with your more restrictive version

root@utest-oos32:/etc/mail# cat /etc/apparmor.d/usr.sbin.clamd | grep -i mimedefang
  # For mimedefang integration
  /var/spool/MIMEDefang/mdefang-*/Work/ r,
  /var/spool/MIMEDefang/mdefang-*/Work/** r,

Aug 19 22:29:29 utest-oos32 kernel: [ 9102.069911] type=1400 audit(1313782169.299:29): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/clamd" pid=20079 comm="apparmor_parser"

Aug 19 22:29:44 utest-oos32 mimedefang.pl[19942]: Discarding because of virus Eicar-Test-Signature
Aug 19 22:29:44 utest-oos32 mimedefang.pl[19942]: filter: p7JJThfN020084: discard=1
Aug 19 22:29:44 utest-oos32 mimedefang[19941]: p7JJThfN020084: Discarding because filter instructed us to
Aug 19 22:29:44 utest-oos32 sm-mta[20084]: p7JJThfN020084: Milter: data, discard
Aug 19 22:29:44 utest-oos32 sm-mta[20084]: p7JJThfN020084: discarded

Patch against apparmor profile attached.

Changed in clamav (Ubuntu):
status:	New → Confirmed

Brian Murray (brian-murray) on 2011-08-20

tags:

added: patch

Scott Kitterman (kitterman) on 2011-08-25

Changed in clamav (Ubuntu):
assignee:	nobody → Scott Kitterman (kitterman)
status:	Confirmed → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-08-25:

This bug was fixed in the package clamav - 0.97.2+dfsg-1ubuntu2

---------------
clamav (0.97.2+dfsg-1ubuntu2) oneiric; urgency=low

  [ Imre Gergely ]
  * Fix clamd apparmor profile to work with mimedefang (LP: #829089)
  * Stop samba related log spamming from freshclam apparmor profile
    (LP: #752833)
-- Scott Kitterman <email address hidden> Thu, 25 Aug 2011 08:43:22 -0400