Comment 1 for bug 1842695

Paride Legovini (paride) wrote : Re: ClamAV AppArmor profiles are incorrect in 0.100.3

Thanks for your report and for providing the relevant logs. This can be reproduced fairly easily by installing the auditd and clamav packages (unprivileged LXD containers can't run auditd, I used a VM). The OnAccess scanning mode can be enabled by setting

  LocalSocketGroup root
  User root
  ScanOnAccess true

in /etc/clamav/clamd.conf and by running `clamd --foreground` as root. The auditd log will show a message like

  apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd"
  pid=54858 comm="clamd" capability=21 capname="sys_admin"

and clamd won't start in OnAccess mode. I confirm that disabling the clamd AppArmor profile makes it work. As the bug report states, OnAccess doesn't work with the AppArmor profile we ship.

OnAccess scanning needs to call fanotify_init(2), which in turn needs the sys_admin capability. This capability is very wide-ranging, see capabilities(7). Before allowing it the security implications should be evaluated.

Some notes:

1. I don't think freshclam is involved in this specific issue, but the reason for the AppArmor denials shown in the bug description (footnote 2) should probably be investigated too.

2. The only missing capability that prevents clamd from starting in OnAccess mode seems to be the 'sys_admin' capability. In my testing I've got no errors about 'dac_read_search', while the denied "open /etc/ssl/openssl.cnf" was there but apparently didn't cause any harm.

3. Running the daemon as root is clearly not a good idea. This setup would be better handled by giving cap_sys_admin to /usr/sbin/clamd or to the clamav user. I didn't try this setup, but it should be feasible.
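To check note 2 systematically (which capabilities and files the clamd profile actually denies) over an audit log, here is an added Python example that is not part of this bug thread; the sample audit records are constructed, and only the first mirrors the denial quoted above.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denial quoted in the comment.
# Only the first line mirrors it; the others are made up to exercise the parser.
SAMPLE_AUDIT_LINES = """\
type=AVC msg=audit(1567000000.123:456): apparmor="DENIED" operation="capable" profile="/usr/sbin/clamd" pid=54858 comm="clamd" capability=21  capname="sys_admin"
type=AVC msg=audit(1567000000.124:457): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/etc/ssl/openssl.cnf" pid=54858 comm="clamd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1567000000.125:458): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/clamd" pid=54858 comm="clamd" capability=2 capname="dac_read_search"
type=SYSCALL msg=audit(1567000000.126:459): arch=c000003e syscall=300 success=no exit=-1
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return a dict of the key=value fields in one audit record."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a quoted value, group(2) the bare token
        fields[key] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def summarize_denials(text, profile=None):
    """Group AppArmor DENIED records by profile.

    Returns {profile: {"capabilities": set(capname), "files": set(path)}}.
    Records with apparmor="ALLOWED" (complain mode) or from other profiles
    are skipped, so the result lists exactly what the enforced profile refused.
    """
    summary = defaultdict(lambda: {"capabilities": set(), "files": set()})
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        if profile is not None and f.get("profile") != profile:
            continue
        entry = summary[f.get("profile", "?")]
        if f.get("operation") == "capable" and "capname" in f:
            entry["capabilities"].add(f["capname"])
        elif "name" in f:
            entry["files"].add(f["name"])
    return dict(summary)
```

Feed it `ausearch -m AVC` output (or /var/log/audit/audit.log) to see whether sys_admin is really the only capability the clamd profile blocks before deciding to grant it.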