Comment 6 for bug 288942

Stefan Lesicnik (stefanlsd) wrote :

Hi,

I believe the fix for this is the addition of

  #include <abstractions/nameservice>

in /etc/apparmor.d/usr.sbin.clamd.

To test this:

- start from a clean base
apt-get purge clamav clamav-base clamav-daemon
rm -rf /var/lib/clamav

- install clamav
apt-get install clamav-daemon

Check that clamd is running (ps -afx or the like).
process should be: /usr/sbin/clamd

Modify clamd to use TCP 3310 and bind to localhost
Add

TCPAddr localhost
TCPSocket 3310

to /etc/clamav/clamd.conf

- Restart clamd
/etc/init.d/clamav-daemon restart

This should segfault now due to the apparmor profile denying access to TCP network-related files (hosts, nsswitch.conf, resolv.conf, etc.).

To resolve this

Add

  #include <abstractions/nameservice>

to /etc/apparmor.d/usr.sbin.clamd

- Reload apparmor
/etc/init.d/apparmor reload

- Restart clamd
/etc/init.d/clamav-daemon restart

- This should now start correctly.

clamdrib should also work correctly.

<aside>
Please correct me if I am wrong, but I decided 'capability setuid' in this case is not required, as clamdscan has the ability to pass a file to scan with the - option, i.e. clamdscan - < filename, which should run it as the current user. I suspect clamdrib is doing this, so setuid shouldn't be necessary.
</aside>

Greg - please note that calling clamd or sudo clamd as per your original post is the incorrect way to start the daemon, as it should be started as root via the init script (/etc/init.d/clamav-daemon), which will result in the application dropping privileges to the clamav user. You should be doing clamd --config-file=/etc/clamav/clamd.conf
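The mismatch described in the comment above (a clamd.conf that enables the TCP listener paired with an AppArmor profile that lacks the nameservice abstraction) can be checked before restarting the daemon. The following POSIX sh script is an added example and is not part of the bug report, the ClamAV packaging or the AppArmor project; the function names, the temporary sample files and the assumption that the abstraction is only ever pulled in via an `include <abstractions/nameservice>` line (with or without the leading `#`) are all the example's own.

```sh
#!/bin/sh
# Added example (not from the bug report): check whether a clamd.conf that
# enables the TCP listener is paired with an AppArmor profile that includes
# abstractions/nameservice, which clamd needs to resolve the bind address.
# File paths are passed in so the check can run against constructed samples.

# Return 0 if clamd.conf enables the TCP socket (TCPSocket/TCPAddr set with a
# value; comment lines starting with '#' do not match).
clamd_uses_tcp() {
    grep -qE '^[[:space:]]*TCP(Socket|Addr)[[:space:]]+[^[:space:]]' "$1"
}

# Return 0 if the AppArmor profile pulls in the nameservice abstraction.
# Both the classic '#include <...>' and the newer 'include <...>' spellings
# are accepted (assumption: no other include form is used for it).
profile_has_nameservice() {
    grep -qE '^[[:space:]]*#?include[[:space:]]+<abstractions/nameservice>' "$1"
}

# Combined check: prints a verdict and returns 0 when the pair is consistent,
# 1 when TCP is on but the profile lacks the abstraction (the failing case
# described in the comment).
check_clamd_profile() {
    conf="$1"
    profile="$2"
    if clamd_uses_tcp "$conf"; then
        if profile_has_nameservice "$profile"; then
            echo "ok: TCP listener enabled and profile includes abstractions/nameservice"
            return 0
        fi
        echo "missing: add '#include <abstractions/nameservice>' to $profile"
        return 1
    fi
    echo "ok: TCP listener not enabled, nameservice abstraction not required"
    return 0
}

# Constructed sample files (not the real /etc contents) to exercise the check.
tmp="${TMPDIR:-/tmp}/clamd-check.$$"
mkdir -p "$tmp"
cat > "$tmp/clamd.conf" <<'EOF'
# constructed clamd.conf fragment
LocalSocket /var/run/clamav/clamd.ctl
TCPAddr localhost
TCPSocket 3310
EOF
cat > "$tmp/profile.missing" <<'EOF'
#include <tunables/global>
/usr/sbin/clamd {
  #include <abstractions/base>
}
EOF
cat > "$tmp/profile.fixed" <<'EOF'
#include <tunables/global>
/usr/sbin/clamd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
}
EOF

# First call reports the missing include (returns 1), second reports ok.
check_clamd_profile "$tmp/clamd.conf" "$tmp/profile.missing" || true
check_clamd_profile "$tmp/clamd.conf" "$tmp/profile.fixed"
```

Run it against the real files with `check_clamd_profile /etc/clamav/clamd.conf /etc/apparmor.d/usr.sbin.clamd` after sourcing the functions; a non-zero return means the profile still needs the include before `/etc/init.d/apparmor reload`.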