I've just realized that lchown is only a system call, so it must be used from within /usr/bin/freshclam.

On Thu, Oct 29, 2020 at 9:33 AM jean-christophe manciot <actionmysti...@gmail.com> wrote:
>
> I have tried to add to /etc/apparmor.d/local/usr.bin.freshclam:
> capability dac_override,
>
> and restarted apparmor then clamav-freshclam, the issue is still there:
> # echo 'q' | sudo systemctl --no-pager --full status clamav-freshclam
> ● clamav-freshclam.service - ClamAV virus database updater
> Loaded: loaded (/lib/systemd/system/clamav-freshclam.service;
> enabled; vendor preset: enabled)
> Active: failed (Result: exit-code) since Thu 2020-10-29 09:06:06
> CET; 42s ago
> Docs: man:freshclam(1)
> man:freshclam.conf(5)
> https://www.clamav.net/documents
> Process: 966650 ExecStart=/usr/bin/freshclam -d --foreground=true
> (code=exited, status=9)
> Main PID: 966650 (code=exited, status=9)
>
> Oct 29 09:06:06 hostname systemd[1]: Started ClamAV virus database updater.
> Oct 29 09:06:06 hostname freshclam[966650]: ERROR: lchown to user
> 'clamav' failed on
> Oct 29 09:06:06 hostname freshclam[966650]: log file
> '/var/log/clamav/freshclam.log'.
> Oct 29 09:06:06 hostname freshclam[966650]: Error was 'Operation not
> permitted'
> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
> -> ^lchown to user 'clamav' failed on log file
> '/var/log/clamav/freshclam.log'. Error was 'Operation not permitted'
> Oct 29 09:06:06 hostname freshclam[966650]: Thu Oct 29 09:06:06 2020
> -> !Failed to switch to clamav user.
> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Main
> process exited, code=exited, status=9/n/a
> Oct 29 09:06:06 hostname systemd[1]: clamav-freshclam.service: Failed
> with result 'exit-code'.
>
> The error message regarding 'lchown' is strange: I have checked
> /etc/init.d/clamav-freshclam, and also config and postinst included in
> the DEBIAN folder of the package, none includes such a call.
> However, postinst does include 'chown "$dbowner":adm
> $FRESHCLAMLOGFILE' (with dbowner=clamav and
> FRESHCLAMLOGFILE=/var/log/clamav/freshclam.log), so lchown does not
> seem necessary wherever it is located.
>
> On Thu, Oct 29, 2020 at 12:07 AM Sebastian Andrzej Siewior
> <sebast...@breakpoint.cc> wrote:
> >
> > On 2020-10-27 07:22:22 [+0000], Michael Borgelt wrote:
> > > I have tried different permissions for the file and the directory without
> > > success. The above permissions are after a clean reinstall of clamav
> > > package.
> >
> > The problem appears to be the apparmor or freshclam's profile for it. So
> > disabling apparmor should make freshclam work again.
> > Probably adding
> > | capability dac_override,
> >
> > to the profile will help, too. I will test it later today…
> >
> > Sebastian
> >
>
> --
> Jean-Christophe

--
Jean-Christophe
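
Added example, not part of the thread above: rather than guessing which capability the freshclam profile lacks, the kernel audit log names the capability AppArmor refused. The sketch below filters such denials for one profile and prints them as profile rules. The function names and the sample log lines (including the capability names in them) are constructed for illustration and are not taken from the reporter's system.

```shell
#!/bin/sh
# Constructed sample kernel audit lines in the AppArmor "DENIED" format.
# They are NOT from the reporter's host; capability names are assumptions.
sample_log() {
cat <<'EOF'
Oct 29 09:06:06 hostname kernel: audit: type=1400 audit(1603958766.101:901): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=966650 comm="freshclam" capability=0  capname="chown"
Oct 29 09:06:06 hostname kernel: audit: type=1400 audit(1603958766.102:902): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/example/path" pid=966650 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 29 09:07:10 hostname kernel: audit: type=1400 audit(1603958830.300:903): apparmor="DENIED" operation="capable" profile="/usr/sbin/exampled" pid=1200 comm="exampled" capability=1  capname="dac_override"
Oct 29 09:08:12 hostname kernel: audit: type=1400 audit(1603958892.500:904): apparmor="DENIED" operation="capable" profile="/usr/bin/freshclam" pid=966701 comm="freshclam" capability=0  capname="chown"
EOF
}

# denied_caps PROFILE
# Reads audit lines on stdin and prints one "capability NAME," line for each
# distinct capability that AppArmor denied to PROFILE. File-access denials
# (operation="open" etc.) and other profiles are ignored.
denied_caps() {
    profile=$1
    grep -F 'apparmor="DENIED"' |
    grep -F 'operation="capable"' |
    grep -F "profile=\"$profile\"" |
    sed -n 's/.*capname="\([a-z_]*\)".*/capability \1,/p' |
    sort -u
}

# On a live host the input would be the kernel log instead of the sample:
#   journalctl -k --no-pager | denied_caps /usr/bin/freshclam
sample_log | denied_caps /usr/bin/freshclam
```

Each printed line is in the form expected by a file such as /etc/apparmor.d/local/usr.bin.freshclam, so only the capabilities the log actually shows as denied need to be reviewed before being granted.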