Trying to revive some old bugs that seem forgotten for too long.

I think the discussion came to a point where:

1. The apparmor rule that would need to be added is clear

2. Adding it by default is considered not safe

3. The fix therefore can only be to ensure users that want to use it this way
   are aware
   - Paride mentioned adding things to docs
     The package's readme already mentions that in general (but not the specific case):
     "If your system uses apparmor, please note that the shipped enforcing
      works with the default installation, and changes in your configuration may
      require changes to the installed apparmor profile. ..."
   - I have not found any mention of ScanOnAccess in the man page or the HTML

4. It is definitely desirable to add this apparmor rule in a way not revoked by
   package upgrades
   That can be done with the common pattern of local overrides.
   See /etc/apparmor.d/local/README
   For this case, allowing it would look like:
     echo "capability sys_admin," >> /etc/apparmor.d/local/usr.sbin.clamd

As others outlined before, "just allowing it by default" seems to be no option.
And maybe because no one felt as if "we could do much", the activity dropped.
But we should consider adding a hint on how to easily do so (see #4 above) to the
documentation (IMHO in descending usefulness):

- Add a comment about ScanOnAccess and apparmor in /etc/clamav/clamd.conf
- Add a section about apparmor to the man page (as people look there first)
- README.Debian (as an example, alongside the already existing entry about apparmor)

Debian uses apparmor as well now; it might be worth doing the changes
there directly so that everyone benefits.

That task is small (bitesize) but also low prio - so that is how I'd
retriage the bug for now.

** Tags added: bitesize

** Changed in: clamav (Ubuntu)
   Importance: Undecided => Low
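The local-override step from point #4 above, written out as an added example (this is not code from the bug report, the clamav package or the apparmor project). It wraps the one-line echo in a script that only appends the rule if it is not already in the override file, so re-running it (for example from a config management tool) does not pile up duplicate lines, and then reloads the main profile so the kernel picks up the change. The profile and override paths are the ones named in the bug; the function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example: idempotently add an AppArmor rule to a profile's local
# override file, then reload the profile so the rule takes effect.
# /etc/apparmor.d/usr.sbin.clamd includes /etc/apparmor.d/local/usr.sbin.clamd,
# and the local file is left alone by package upgrades.
set -eu

# add_local_rule RULE OVERRIDE_FILE
# Appends RULE to OVERRIDE_FILE unless an identical line is already there.
# Prints "added" or "present" so callers can tell what happened.
add_local_rule() {
    rule=$1
    override=$2
    mkdir -p "$(dirname "$override")"
    [ -f "$override" ] || : > "$override"
    if grep -qxF "$rule" "$override"; then
        echo present
    else
        printf '%s\n' "$rule" >> "$override"
        echo added
    fi
}

# rule_count RULE OVERRIDE_FILE
# Number of lines in OVERRIDE_FILE that exactly equal RULE (0 if the file is
# missing); handy for checking that a rule was added exactly once.
rule_count() {
    [ -f "$2" ] || { echo 0; return 0; }
    grep -cxF "$1" "$2" || true
}

# reload_profile PROFILE_FILE
# Re-parses the main profile (which pulls in the local override) and replaces
# the loaded version in the kernel. Skipped when apparmor_parser is not
# installed, e.g. when dry-running this script on a host without AppArmor.
reload_profile() {
    profile=$1
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$profile"
    else
        echo "apparmor_parser not found; skipping reload of $profile" >&2
    fi
}

# Only touch the real system when explicitly asked to (needs root).
if [ "${1:-}" = "--apply" ]; then
    add_local_rule 'capability sys_admin,' /etc/apparmor.d/local/usr.sbin.clamd
    reload_profile /etc/apparmor.d/usr.sbin.clamd
fi
```

Run it as `sudo sh add-clamd-override.sh --apply` on a host where ScanOnAccess is wanted; without the flag it only defines the functions. Because sys_admin is a broad capability (the reason the bug declines to ship it in the default profile), keeping it in the local override file means it is granted only on hosts where an administrator chose on-access scanning, and `aa-status` afterwards should still show clamd in enforce mode.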

  ClamAV AppArmor profiles do not allow OnAccess scanning