
Clamd Permissions Fix for Debian AppArmor #74

Status: Open. Wants to merge 8 commits into base branch develop.
Conversation

krimsonkla

@krimsonkla krimsonkla commented Nov 17, 2023

🗣 Description

Resolve AppArmor configuration issue which prevents clamd and freshclam from running.

💭 Motivation and context

On Debian GNU/Linux 11 (bullseye), Clamd and Freshclam are not configured correctly by default with latest versions.

Apparmor Version: 2.13.6
ClamAV Version: 0.103.10

Error: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).

Defect Notes: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695

🧪 Testing

Change was incorporated into internal Playbook

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

…ured correctly by default when the latest version is installed.

Apparmor Version: 2.13.6
ClamAV Version: 0.103.10

Error: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).

https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695
@jsf9k jsf9k self-assigned this Nov 17, 2023
@jsf9k jsf9k added the bug This issue or pull request addresses broken functionality label Nov 17, 2023
@jsf9k jsf9k (Member) left a comment

Here are some small things to get started with.

Five inline review comments on tasks/main.yml (four marked outdated, all resolved).
@jsf9k jsf9k (Member) left a comment

Here are some more important questions and change requests.

One inline review comment on defaults/main.yml (outdated, resolved).
tasks/main.yml (outdated), comment on lines 19 to 20:

    - name: Configure AppArmor for Clamd
      when: "ansible_apparmor.status == 'enabled' and apparmor_complain"
@jsf9k jsf9k (Member) Nov 17, 2023

Should these changes only apply to Debian, or more specifically Debian 11? We should probably also check that the apparmor.service SystemD service is running before attempting to apply these changes, since that service is not enabled by default on Debian.

Comment on lines 3 to 5:

    apparmor_clamd_configuration_path: /etc/apparmor.d/usr.sbin.clamd
    apparmor_freshclam_configuration_path: /etc/apparmor.d/usr.bin.freshclam
    apparmor_complain: true
Review comment (Member):

apparmor_complain, at least, needs to be specified as a role variable in README.md.
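As an added example (not tasks from this PR or from the cisagov role), here is one way to express the gating the review above asks for: restrict the tasks to Debian, confirm apparmor.service is actually active instead of relying only on ansible_apparmor.status (which reflects the kernel LSM, not whether profiles were loaded), and keep the apparmor_complain toggle. It assumes the role variables apparmor_clamd_configuration_path, apparmor_freshclam_configuration_path and apparmor_complain from defaults/main.yml, and it assumes that the PR's "Configure AppArmor for Clamd" task puts the two profiles into complain mode; the PR's actual task body is not visible on this page.

```yaml
---
# Added example, not the PR's own tasks/main.yml. Assumes the role variables
# apparmor_clamd_configuration_path, apparmor_freshclam_configuration_path and
# apparmor_complain from defaults/main.yml, and ASSUMES the PR's task switches
# the two profiles to complain mode (its body is not shown on the PR page).

- name: Check whether apparmor.service is active (not enabled by default on Debian)
  ansible.builtin.command:
    argv: ["systemctl", "is-active", "apparmor.service"]
  register: apparmor_service
  changed_when: false
  failed_when: false
  when: ansible_os_family == "Debian"

- name: Decide whether the AppArmor tasks should run on this host
  ansible.builtin.set_fact:
    apparmor_active: >-
      {{ ansible_os_family == "Debian"
         and ansible_apparmor.status == "enabled"
         and apparmor_service is not skipped
         and apparmor_service.rc == 0 }}

- name: Ensure the force-complain directory exists
  ansible.builtin.file:
    path: /etc/apparmor.d/force-complain
    state: directory
    mode: "0755"
  when:
    - apparmor_active | bool
    - apparmor_complain | bool

# Complain mode logs denials instead of blocking them, so freshclam can open
# /var/log/clamav/freshclam.log while the denials stay visible in the kernel
# log for tuning the profile later. A symlink in force-complain is what
# apparmor.service honours on reload, so the mode survives a service restart.
- name: Mark the clamd and freshclam profiles as force-complain
  ansible.builtin.file:
    src: "{{ item }}"
    dest: "/etc/apparmor.d/force-complain/{{ item | basename }}"
    state: link
  loop:
    - "{{ apparmor_clamd_configuration_path }}"
    - "{{ apparmor_freshclam_configuration_path }}"
  register: complain_links
  when:
    - apparmor_active | bool
    - apparmor_complain | bool

- name: Reload the profiles in complain mode so the change takes effect now
  ansible.builtin.command:
    argv: ["apparmor_parser", "--replace", "--Complain", "{{ item }}"]
  loop:
    - "{{ apparmor_clamd_configuration_path }}"
    - "{{ apparmor_freshclam_configuration_path }}"
  when: complain_links is changed
```

The symlink task is idempotent, so the reload only runs on a real change; on a host where apparmor.service is not active, every task after the check is skipped rather than failing in apparmor_parser. Whichever variables the role ends up exposing (apparmor_complain at minimum, as noted above) still need a README.md entry.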

@jsf9k jsf9k (Member) commented Nov 17, 2023

@krimsonkla - In order to test these changes you'll probably need to create a separate Molecule scenario where apparmor.service is started. As an example, #53 is a previous PR where a new Molecule scenario was added.

@krimsonkla krimsonkla (Author) commented

@jsf9k I'll try to find some time to work out the molecule testing. Having never used molecule, I started down that path last evening but struggled to get molecule to work in my nix-shell.

@jsf9k jsf9k (Member) commented Nov 17, 2023

@krimsonkla - If you're not accepting someone's changes, please let the reporter resolve the comments. They are the person in the best position to determine whether their concerns have been addressed.
