clamav-freshclam update dns problem

Bug #292580 reported by raphi78
Affects: apparmor (Ubuntu)
Status: Fix Committed
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: clamav-freshclam

On Kubuntu 8.10 (newest from archive) it's not possible to update the clamav db with "sudo freshclam".

It always reports that DNS resolving doesn't work. But with nslookup, dig and host it's possible to resolve the domain names (as described in the FAQ of clamav.org). I don't have any idea how to resolve this... maybe a permission problem, but it's executed as root. Also the clamav daemon has the same problem, not only the manual update.

Any idea how to do more exact debugging?
thanks.

exact output:
ClamAV update process started at Sun Nov 2 13:02:14 2008
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: Can't get information about database.clamav.net: Name or service not known
WARNING: Can't read main.cvd header from database.clamav.net (IP: )
Trying again in 5 secs...

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 292580] [NEW] clamav-freshclam update dns problem

Why are you doing this? As installed freshclam checks for updates every
hour without you needing to do anything.

Revision history for this message
Philipp Edelmann (tukss) wrote :

That is true, but looking at /var/log/clamav/freshclam.log shows that the daemon itself can't access the database site. That means that even with freshclam running, the database gets outdated and clamscan complains about an outdated database when invoked. I even tried entering an IP address into /etc/clamav/freshclam.conf but freshclam still didn't work. Is the freshclam version from Intrepid working for anybody?

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 292580] Re: clamav-freshclam update dns problem

Yes. Works here just fine on multiple boxes.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Please provide the log file information from /var/log/clamav/freshclam.0
that shows the failure you are concerned about.

Revision history for this message
raphi78 (trance202) wrote :

In the log there is a lot of this, nothing more:

ClamAV update process started at Sun Nov 2 02:00:07 2008
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): WARNING: Can't get information about database.clamav.net: Name or service not known
WARNING: Can't read main.cvd header from database.clamav.net (IP: )
Trying again in 5 secs...

-------------

Here is something that I tried out:

root@xyz:/var/log/clamav# host -t txt database.clamav.net
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.centraleu.clamav.net.
root@xyz:/var/log/clamav# host -t txt db.local.clamav.net
db.local.clamav.net is an alias for db.centraleu.clamav.net.
root@xyz:/var/log/clamav# host -t txt db.centraleu.clamav.net
db.centraleu.clamav.net has no TXT record
root@xyz:/var/log/clamav# dig db.centraleu.clamav.net

; <<>> DiG 9.5.0-P2 <<>> db.centraleu.clamav.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59261
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;db.centraleu.clamav.net. IN A

;; ANSWER SECTION:
db.centraleu.clamav.net. 31 IN A 130.59.10.36
db.centraleu.clamav.net. 31 IN A 212.71.0.71

;; Query time: 13 msec
;; SERVER: 195.186.1.111#53(195.186.1.111)
;; WHEN: Sun Nov 2 17:03:04 2008
;; MSG SIZE rcvd: 73

On 02.Nov 2008 15:32, Scott Kitterman wrote:
> Please provide the log file information from /var/log/clamav/freshclam.0
> that shows the failure you are concerned about.

Revision history for this message
raphi78 (trance202) wrote : Re: [Bug 292580] [NEW] clamav-freshclam update dns problem

Because it doesn't matter whether I start the command manually or the daemon
does the refresh, the error is the same... (I have disabled the daemon,
because updates are not always needed.)

On 02.Nov 2008 14:33, Scott Kitterman wrote:
> Why are you doing this? As installed freshclam checks for updates every
> hour without you needing to do anything.

Revision history for this message
Scott Kitterman (kitterman) wrote :

One thing that's new in Intrepid for clamav is an AppArmor profile for increased security. It may be that freshclam needs access to some resource on your system that AppArmor is blocking. You can switch the profile to complain mode and see if that helps:

sudo aa-complain usr.bin.freshclam

If it works after doing that, then it's a profile issue. We'll need the relevant log entries to figure out exactly what is needed. They look something like:

Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502 audit(1224949953.717:3435): operation="socket_accept" family="inet" sock_type="stream" protocol=6 pid=12985 profile="/usr/bin/freshclam"

Revision history for this message
raphi78 (trance202) wrote : Re: [Bug 292580] Re: clamav-freshclam update dns problem

Ah, exactly, here is what I can see in syslog, before doing aa-complain...

Nov 2 18:55:59 xyz kernel: [30172.149684] type=1503 audit(1225648559.221:215): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=112 name="/etc/resolvconf/run/resolv.conf" pid=9156 profile="/usr/bin/freshclam"

On 02.Nov 2008 17:45, Scott Kitterman wrote:
> One thing that's new in Intrepid for clamav is an AppArmor profile for
> increased security. It may be that freshclam needs access to some
> resource on your system that AppArmor is blocking. You can switch the
> profile to complain mode and see if that helps:
>
> sudo aa-complain usr.bin.freshclam
>
> If it works after doing that, then it's a profile issue. We'll need
> the relevant log entries to figure out exactly what is needed. They
> look something like:
>
> Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502
> audit(1224949953.717:3435): operation="socket_accept" family="inet"
> sock_type="stream" protocol=6 pid=12985 profile="/usr/bin/freshclam"

Revision history for this message
Philipp Edelmann (tukss) wrote :

Thanks for the advice. It was indeed a profile issue. After switching to complain mode, I got messages like

[16653.510538] type=1503 audit(1225647340.558:116): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=114 name="/etc/resolvconf/run/resolv.conf" pid=23644 profile="/usr/bin/freshclam"

I figured that freshclam couldn't do DNS resolution because it was denied access to /etc/resolvconf/run/resolv.conf. Access to this file is only needed on systems that have the resolvconf package installed (a dependency of network-manager-vpnc).

Adding the line
  /etc/resolvconf/run/resolv.conf r,
to /etc/apparmor.d/usr.bin.freshclam and switching back to enforce mode solved the problem for me.

I guess we should update the apparmor profile to include this possible configuration.

Changed in clamav:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Hi,

I am unable to reproduce this bug in my current installation of Ubuntu 8.10 Intrepid.

apt-cache madison clamav-freshclam reports 0.94.dfsg.1~rc1-0ubuntu2 as the version currently available.

The /etc/apparmor.d/usr.bin.freshclam in this version includes
  #include <abstractions/nameservice>

which is the preferred method for enabling a profile for name resolution, as name resolution entails other files besides /etc/resolv.conf. (/etc/hosts, nsswitch.conf etc)

Could you please report which version of clamav-freshclam you have installed, and/or whether #include <abstractions/nameservice> is included in /etc/apparmor.d/usr.bin.freshclam?

Thanks!

Revision history for this message
Philipp Edelmann (tukss) wrote :

I also have 0.94.dfsg.1~rc1-0ubuntu2 of clamav-freshclam installed. abstractions/nameservice is included in my /etc/apparmor.d/usr.bin.freshclam. The problem is that the abstractions file only allows access to /var/run/resolvconf/resolv.conf but my version of resolvconf (1.42ubuntu2) uses the file /etc/resolvconf/run/resolv.conf instead. Changing this in the abstractions file should fix the problem. Was there a change in the location of resolvconf's files recently?

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Hi Philipp,

Thanks for the reply. I had a quick look at the source for resolvconf and it does use /etc/resolvconf/run instead of /var if it can, else it falls back to /var.

I will enquire about and open a bug about amending abstractions/nameservice to include both paths.

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Hi.

Thanks for reporting this. This was actually fixed for a cups bug: https://bugs.edge.launchpad.net/ubuntu/+source/apparmor/+bug/286080 and should hopefully be released soon.

Fix committed to revision 926 of bzr branch.

As a current workaround,

/etc/resolvconf/run/resolv.conf r,

can be added to /etc/apparmor.d/abstractions/nameservice

Changed in clamav:
status: Triaged → Fix Committed
Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

Reassigning to Apparmor team.
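
The log-to-rule step this thread walks through, as an added example that is not part of the original bug report or of AppArmor's own tooling: it parses the kernel audit lines quoted above and returns candidate profile rules for file paths denied to a profile. The function names and the exact-path comparison against already-allowed paths are assumptions made for illustration.

```python
import re

# Constructed sample: the two kernel audit lines quoted in this thread
# (the socket_accept example and the resolv.conf denial), one event per line.
SAMPLE_LOG = """\
Oct 25 11:52:33 scott-laptop kernel: [ 5308.432588] type=1502 audit(1224949953.717:3435): operation="socket_accept" family="inet" sock_type="stream" protocol=6 pid=12985 profile="/usr/bin/freshclam"
Nov 2 18:55:59 xyz kernel: [30172.149684] type=1503 audit(1225648559.221:215): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=112 name="/etc/resolvconf/run/resolv.conf" pid=9156 profile="/usr/bin/freshclam"
"""

# Matches key=value and key="value" pairs in an audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "audit(" not in line or "profile=" not in line:
        return None
    return {k: (q if q else v) for k, q, v in FIELD.findall(line)}

def file_denials(log_text, profile):
    """Collect {path: set of permission letters} denied to `profile`."""
    denials = {}
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("profile") != profile:
            continue
        if "denied_mask" not in f or "name" not in f:
            continue  # e.g. socket events carry no file path
        # Assumption: the colon-separated mask is reduced to its letters.
        perms = set(f["denied_mask"].replace(":", ""))
        denials.setdefault(f["name"], set()).update(perms)
    return denials

def candidate_rules(denials, already_allowed=()):
    """Turn denials into profile rule lines, skipping paths already allowed."""
    # Simplification: exact path comparison, no AppArmor glob matching.
    return [f"{path} {''.join(sorted(perms))},"
            for path, perms in sorted(denials.items())
            if path not in already_allowed]

if __name__ == "__main__":
    # Path the thread says abstractions/nameservice already allowed.
    allowed = {"/var/run/resolvconf/resolv.conf"}
    found = file_denials(SAMPLE_LOG, "/usr/bin/freshclam")
    for rule in candidate_rules(found, allowed):
        print("  " + rule)
```

The single rule it yields for the sample is the line the thread adds to the profile or to abstractions/nameservice.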
