intrigeri, I added you on Cc since you were a help the last time apparmor came around.

On 2018-11-06 10:45:15 [+0800], Paul Wise wrote:
> Package: clamav-daemon
> Version: 0.100.2+dfsg-1
> Severity: normal
> File: /etc/apparmor.d/usr.sbin.clamd
> Usertags: apparmor
>
> When I restart clamav-daemon I get two apparmor denials in syslog:
>
> AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=13277
> comm="clamd" capability=12 capname="net_admin"
> AVC apparmor="DENIED" operation="open" profile="/usr/sbin/clamd"
> name="/etc/ssl/openssl.cnf" pid=13277 comm="clamd" requested_mask="r"
> denied_mask="r" fsuid=111 ouid=0

I have no idea what the first one is about. If this is related to
#903834 then I think I know what I have to do.

The second one should be required by every application using libssl. Is
there a general rule where it could be allowed for every application to
just read the openssl.cnf file or is the clamd profile too restrictive
and not allowing it by default?

Sebastian