** Description changed: + [Impact] + + When freshclam is enforced by apparmor in Bionic, and clamav packages + are updated, the freshclam daemon will fail to restart. + + Adding this fix will allow the freshclam daemon to restart automatically + without error after an update. + + This is fixed by backporting a fix made in Debian version 0.101.1+dfsg-1 + that modifies the post-installation process to deploy the freshclam + apparmor profile before restarting the daemon. + + [Test Plan] + + # lxc launch images:ubuntu/bionic test-failure + # lxc exec test-failure bash + + # apt update + # apt dist-upgrade + # apt install -y apparmor apparmor-utils wget software-properties-common + + - Install clamav packages of version 1 before current in bionic + + # wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-freshclam_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-milter_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-testfiles_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamdscan_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/libclamav-dev_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/libclamav9_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-daemon_0.102.4+dfsg-0ubuntu0.18.04.1_amd64.deb https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-docs_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb 
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/19629559/+files/clamav-base_0.102.4+dfsg-0ubuntu0.18.04.1_all.deb + # apt install -y ./* + + - enforce apparmor profile for freshclam + + # aa-enforce /usr/bin/freshclam + + # apt update + # apt upgrade + + - Check status of freshclam and notice that it was unable to restart + + # systemctl status clamav-freshclam + + ● clamav-freshclam.service - ClamAV virus database updater + Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) + Drop-In: /run/systemd/system/clamav-freshclam.service.d + └─zzz-lxc-service.conf + Active: failed (Result: exit-code) since Mon 2021-11-15 20:48:40 UTC; 34s ago + Docs: man:freshclam(1) + man:freshclam.conf(5) + https://www.clamav.net/documents + Main PID: 8785 (code=exited, status=2) + + Nov 15 20:48:40 test-failure systemd[1]: Started ClamAV virus database updater. + Nov 15 20:48:40 test-failure freshclam[8785]: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/freshclam.conf:22 + Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log). + Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: initialize: libfreshclam init failed. + Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Initialization error! + Nov 15 20:48:40 test-failure freshclam[8785]: ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). + Nov 15 20:48:40 test-failure systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT + Nov 15 20:48:40 test-failure systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'. + + [Where problems could occur] + + This change contains only part of the commit it is derived from, + excluding other items like the 0.101.1 import and openssl apparmor + profile modifications. 
+ + Since this portion has not yet been released on its own, new problems + could arise from the exclusion of the unrelated changes. + + Testers should watch for misbehaviors in the apparmor profile with this + change. Error messages are often logged to the journal and can be seen + by running "journalctl -fk" + + [Original Description] + An unattended upgrade upgraded clamav last night, after which clamav- freshclam failed to start: - # systemctl status clamav-freshclam - ● clamav-freshclam.service - ClamAV virus database updater - Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) - Active: failed (Result: exit-code) since Tue 2021-04-20 06:59:59 EEST; 6h ago - Docs: man:freshclam(1) - man:freshclam.conf(5) - https://www.clamav.net/documents - Main PID: 18433 (code=exited, status=2) - - Apr 20 06:59:59 fridge systemd[1]: Started ClamAV virus database updater. - Apr 20 06:59:59 fridge freshclam[18433]: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/freshclam.conf:22 - Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log). - Apr 20 06:59:59 fridge freshclam[18433]: ERROR: initialize: libfreshclam init failed. - Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Initialization error! - Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). 
- Apr 20 06:59:59 fridge systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT + # systemctl status clamav-freshclam + ● clamav-freshclam.service - ClamAV virus database updater + Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled) + Active: failed (Result: exit-code) since Tue 2021-04-20 06:59:59 EEST; 6h ago + Docs: man:freshclam(1) + man:freshclam.conf(5) + https://www.clamav.net/documents + Main PID: 18433 (code=exited, status=2) + + Apr 20 06:59:59 fridge systemd[1]: Started ClamAV virus database updater. + Apr 20 06:59:59 fridge freshclam[18433]: WARNING: Ignoring deprecated option SafeBrowsing at /etc/clamav/freshclam.conf:22 + Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log). + Apr 20 06:59:59 fridge freshclam[18433]: ERROR: initialize: libfreshclam init failed. + Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Initialization error! + Apr 20 06:59:59 fridge freshclam[18433]: ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!). + Apr 20 06:59:59 fridge systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/INVALIDARGUMENT Apr 20 06:59:59 fridge systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'. - - The permissions of /var/log/clamav/freshclam.log are 0640 clamav:adm; the parent directory is mode 0755 clamav:clamav. + The permissions of /var/log/clamav/freshclam.log are 0640 clamav:adm; + the parent directory is mode 0755 clamav:clamav. Restarting the clamav-freshclam service makes the error go away. 
ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: clamav-freshclam 0.103.2+dfsg-0ubuntu0.18.04.1 ProcVersionSignature: Ubuntu 4.15.0-142.146-generic 4.15.18 Uname: Linux 4.15.0-142-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 Date: Tue Apr 20 13:39:47 2021 ProcEnviron: LC_CTYPE=lt_LT.UTF-8 TERM=xterm-256color PATH=(custom, no user) LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: clamav UpgradeStatus: Upgraded to bionic on 2019-09-11 (586 days ago)
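Review bot: The [Test Plan] stops at reproducing the failure ("Check status of freshclam and notice that it was unable to restart") and has no step that verifies the fix. Add a final step that repeats the upgrade with the fixed package and states the expected result: `systemctl status clamav-freshclam` reports the service as active after the upgrade, and `journalctl -fk` shows no apparmor error messages for freshclam. Two smaller points in the same section: "Install clamav packages of version 1 before current in bionic" would be clearer if it named the version that the wget URLs actually fetch (0.102.4+dfsg-0ubuntu0.18.04.1), and the bare `# apt upgrade` step should say where the newer clamav comes from, so a tester knows which version is being upgraded to.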
https://bugs.launchpad.net/bugs/1925182

Title:
  ERROR: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!)