Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clamd Permissions Fix for Debian AppArmor #74

Open
wants to merge 8 commits into
base: develop
Choose a base branch
from
Open

Clamd Permissions Fix for Debian AppArmor #74

wants to merge 8 commits into from

Conversation

krimsonkla
Copy link

@krimsonkla krimsonkla commented Nov 17, 2023
edited by jsf9k
Loading

🗣 Description

Resolve AppArmor configuration issue which prevents clamd and freshclam from running.

💭 Motivation and context

On Debian GNU/Linux 11 (bullseye), Clamd and Freshclam are not configured correctly by default with latest versions.

Apparmor Version: 2.13.6
ClamAV Version: 0.103.10

Error: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).

Defect Notes: https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695

🧪 Testing

Change was incorporated into internal Playbook

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated
    to reflect the changes in this PR.
  • Tests have been added and/or modified to cover the changes in this PR.
  • All new and existing tests pass.

On Debian GNU/Linux 11 (bullseye), Clamd and Freshclam are not config…
ea66f9d 
…ured correctly by default when the latest version is installed.

Apparmor Version: 2.13.6
ClamAV Version: 0.103.10

Error: Can't open /var/log/clamav/freshclam.log in append mode (check permissions!).

https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695
@jsf9k jsf9k self-assigned this Nov 17, 2023
@jsf9k jsf9k added the bug This issue or pull request addresses broken functionality label Nov 17, 2023
jsf9k
jsf9k requested changes Nov 17, 2023
View reviewed changes
Copy link
Member

@jsf9k jsf9k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some small things to get started with.

tasks/main.yml Outdated Show resolved Hide resolved
tasks/main.yml Outdated Show resolved Hide resolved
tasks/main.yml Outdated Show resolved Hide resolved
tasks/main.yml Outdated Show resolved Hide resolved
tasks/main.yml Show resolved Hide resolved
jsf9k
jsf9k requested changes Nov 17, 2023
View reviewed changes
Copy link
Member

@jsf9k jsf9k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some more important questions and change requests.

defaults/main.yml Outdated Show resolved Hide resolved
tasks/main.yml Outdated
Comment on lines 19 to 20
- name: Configure AppArmor for Clamd
when: "ansible_apparmor.status == 'enabled' and apparmor_complain"
Copy link
Member

@jsf9k jsf9k Nov 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these changes only apply to Debian, or more specifically Debian 11? We should probably also check that the apparmor.service SystemD service is running before attempting to apply these changes, since that service is not enabled by default on Debian.

defaults/main.yml Outdated
Comment on lines 3 to 5
apparmor_clamd_configuration_path: /etc/apparmor.d/usr.sbin.clamd
apparmor_freshclam_configuration_path: /etc/apparmor.d/usr.bin.freshclam
apparmor_complain: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

apparmor_complain, at least, needs to be specified as a role variable in README.md.

@jsf9k
Copy link
Member

jsf9k commented Nov 17, 2023

@krimsonkla - In order to test these changes you'll probably need to create a separate Molecule scenario where apparmor.service is started. As an example, #53 is a previous PR where a new Molecule scenario was added.

krimsonkla and others added 6 commits November 17, 2023 11:32
@krimsonkla @jsf9k
Change apparmor complain default value.
7ecbc1f 
Co-authored-by: Shane Frasier <maverick@maverickdolphin.com>
@krimsonkla @jsf9k
Remove unnecessary quotes:
d5aad91 
Co-authored-by: Shane Frasier <maverick@maverickdolphin.com>
@krimsonkla @jsf9k
Remove unnecessary quotes:
0df0468 
Co-authored-by: Shane Frasier <maverick@maverickdolphin.com>
@krimsonkla @jsf9k
Remove unnecessary quotes
bc2a89c 
Co-authored-by: Shane Frasier <maverick@maverickdolphin.com>
@krimsonkla @jsf9k
Remove extra blank line
424c0e5 
Co-authored-by: Shane Frasier <maverick@maverickdolphin.com>
Remove extra quotes
1242ced
@krimsonkla
Copy link
Author

@jsf9k I'll try to find some time to work out the molecule testing. Having never used molecule, I started down that path last evening but struggled to get molecule to work in my nix-shell.

@jsf9k
Copy link
Member

jsf9k commented Nov 17, 2023

@krimsonkla - If you're not accepting someone's changes, please let the reporter resolve the comments. They are the person in the best position to determine whether their concerns have been addressed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsf9k jsf9k jsf9k requested changes

@dav3r dav3r Awaiting requested review from dav3r dav3r is a code owner

@felddy felddy Awaiting requested review from felddy felddy is a code owner

@jasonodoom jasonodoom Awaiting requested review from jasonodoom

@mcdonnnj mcdonnnj Awaiting requested review from mcdonnnj mcdonnnj is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@jsf9k jsf9k

Labels
bug This issue or pull request addresses broken functionality
Projects
CyHy System
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@krimsonkla @jsf9k