AppArmor and clamav-freshclam in container


I have an lxd host under ubuntu 20.04 that runs an lxc container under Debian 9.
I installed clamav-freshclam in the container, freshclam can’t resolve hostname:

Tue Jan 12 14:08:09 2021 -> ERROR: remote_cvdhead: Download failed (6) Tue Jan 12 14:08:09 2021 -> ERROR:  Message: Couldn't resolve host name
Tue Jan 12 14:08:09 2021 -> WARNING: Failed to get daily database version information from server:
Tue Jan 12 14:08:09 2021 -> ERROR: check_for_new_database_version: Failed to find daily database using server

In the host syslog, we can see that AppArmor refused network access to freshclam binary:

Jan 12 14:08:09 sd kernel: [355010.297775] audit: type=1400 audit(1610456889.229:2146): apparmor="DENIED" operation="create" namespace="root//lxd-instance_<var-snap-lxd-common-lxd>" profile="/usr/bin/freshclam" pid=731692 comm="freshclam" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create`"`

Does anyone know how to allow network access to freshclam binary ?


The profile="/usr/bin/freshclam" suggests another apparmor profile is blocking this.

Do you agree @stgraber?

Yep, this is apparmor in the container preventing it.

I guess you could disable that apparmor profile in /etc/apparmor.d or extend it to allow what you need here.

Thank for your answers!

Indeed, disabling the profile inside the container works.

But, this seems weird that the default freshclam’s debian profile disallow DNS queries, especially that “abstractions/nameservice” is included.

Isn’t interactions between host’s profiles and container’s profiles ?

The error shows that it’s the freshclam profile that blocked it.
It could be an issue in the apparmor parser though, it wouldn’t be the first time that a container is getting a stricter policy than the host due to how apparmor functions…

In most cases, if you can figure out what needs to be added to the profile, the packagers are usually quite happy to update it.

It’s clear for me now. I’ll try to provide a profile patch for this issue.
Thanks for all your answers