Package: clamav-freshclam
Version: 0.103.2+dfsg-2
The virus database update tool for ClamAV freshclam cannot exec
commands or scripts defined by OnErrorExecute or OnUpdateExecute
because of Apparmor profile:
Here is a strace output:
[pid 32700] execve("/bin/sh", ["sh", "-c", "/bin/run-parts --lsbinit
/etc/clamav/onerrorexecute.d/notify"], 0x7ffe060daaf8 /* 23 vars */) =
-1 EACCES (Permission non accordée)
and an auditd log:
type=SYSCALL msg=audit(1619593784.960:75): arch=c000003e syscall=59
success=no exit=-13 a0=7ffbee4f2519 a1=7ffe060da5f0 a2=7ffe060daaf8
a3=8 items=0 ppid=32699 pid=32700 auid=0 uid=109 gid=113 euid=109
suid=109 fsuid=109 egid=113 sgid=113 fsgid=113 tty=pts3 ses=37095
comm="freshclam" exe="/usr/bin/freshclam" subj==/usr/bin/freshclam
(enforce) key=(null)^]ARCH=x86_64 SYSCALL=execve AUID="root"
UID="clamav" GID="clamav" EUID="clamav" SUID="clamav" FSUID="clamav"
EGID="clamav" SGID="clamav" FSGID="clamav"
It should at least allow execution of scripts located in
/etc/clamav/onerrorexecute.d and /etc/clamav/onupdateexecute.d
Best regards,
Pascal
