Hi,

Sebastian Andrzej Siewior:
> On 2018-07-22 20:10:08 [+0800], intrigeri wrote:
>> Looking at the Journal, it looks very much like the clamav-freshclam
>> service is started before the /usr/bin/freshclam AppArmor profile
>> is loaded.
>>
>> I think this is potentially racy, which might be why the problem can't
>> trivially be reproduced in sid.

> Is this something the clamav ppl need to improve or is this generic AppArmor /
> debhelper thingy?

AFAICT dh-apparmor is not used but a similar code snippet is hard-coded
in debian/clamav-freshclam.postinst.in:

  https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/clamav-freshclam.postinst.in#L360

… so dh-apparmor cannot really be blamed :)

Now, *if* dh-apparmor were used, similar code would be added in the
#DEBHELPER# section
(https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/clamav-freshclam.postinst.in#L388)
so the profile would still be loaded after the service is started,
i.e. too late.

So I see two options:

 - Either switch to dh-apparmor and make the code substituted to the
   #DEBHELPER# placeholder run *before* the code that starts the
   service. That would be best unless there's a good reason why other
   debhelper-generated code should run after the other hard-coded part
   of that postinst script.

 - Or move the hard-coded AppArmor handling bits higher in the script
   so they run before the code that starts the service.

Makes sense?

Cheers,
--
intrigeri
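
The ordering problem discussed in this message can be checked mechanically. The following is an added example, not part of the original message or of the clamav packaging: a shell check that a maintainer script invokes `apparmor_parser` before it starts the service. The function names, the two sample postinst bodies and the profile path `/etc/apparmor.d/usr.bin.freshclam` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the clamav packaging: the sample postinst bodies are constructed.

# Line number of the first non-comment line in file $2 matching regex $1.
first_line() {
    grep -nE "$1" "$2" | grep -vE '^[0-9]+:[[:space:]]*#' | head -n 1 | cut -d: -f1
}

# 0: profile loaded before the service starts; 1: service started first
# (the race described above); 2: one of the two steps was not found.
check_profile_order() {
    load=$(first_line 'apparmor_parser' "$1")
    start=$(first_line '(invoke-rc\.d|systemctl|deb-systemd-invoke)[[:space:]].*(re)?start' "$1")
    if [ -z "$load" ] || [ -z "$start" ]; then return 2; fi
    [ "$load" -lt "$start" ]
}

# Write two constructed postinst fragments into directory $1.
write_samples() {
    cat > "$1/racy.postinst" <<'EOF'
#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    invoke-rc.d clamav-freshclam start || true
    # AppArmor handling runs after the start: too late
    apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.freshclam || true
fi
EOF
    cat > "$1/fixed.postinst" <<'EOF'
#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.freshclam || true
    invoke-rc.d clamav-freshclam start || true
fi
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/racy.postinst "$tmp"/fixed.postinst; do
    rc=0; check_profile_order "$f" || rc=$?
    echo "$(basename "$f"): $rc"
done
rm -rf "$tmp"
```

The check only compares the position of the first match of each step, so a script that starts the service from a function defined earlier than its call site needs manual review.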