Trying to revive some old bugs that seem forgotten for too long.

I think the discussion came to a point where:

1. The apparmor rule that would need to be added is clear

2. Adding it by default is considered not safe

3. The fix therefore can only be to ensure users that want to use it this way are aware
   - Paride mentioned adding things to docs
     The package's readme already mentions that in general (but not the specific case)
     "If your system uses apparmor, please note that the shipped enforcing profile
      works with the default installation, and changes in your configuration may
      require changes to the installed apparmor profile. ..."
   - I have not found any mention of ScanOnAccess in the man page or the HTML docs

4. It is definitely desirable to add this apparmor rule in a way not revoked by package upgrades
   That can be done with the common pattern of local overrides.
   See /etc/apparmor.d/local/README
   For this case to allow it would be like:
     echo "capability sys_admin," >> /etc/apparmor.d/local/usr.sbin.clamd


As others outlined before "just allowing it by default" seems no option.
And maybe because no one felt as if "we could do much" the activity dropped.
But we should consider adding a hint how to easily do so (see #4 above) to documentation (IMHO in descending usefulness):

- Add comment about ScanOnAccess and apparmor in /etc/clamav/clamd.conf
- man page add section about apparmor (as people look there first)
- Readme.debian (as example along the already existing entry about apparmor)

Debian uses apparmor as well now, it might be worth doing the changes
there directly so that everyone benefits.

That task is small (bitesize) but also low prio - so that is how I'd
retriage the bug for now.

** Tags added: bitesize

** Changed in: clamav (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1842695

Title:
  ClamAV AppArmor profiles do not allow OnAccess scanning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1842695/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
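
The local-override step from item 4 of the message above, as an added example that is not part of the original bug comment or of the clamav package: it appends the rule only once, checks that the main profile actually pulls in the local file, and reloads the profile. The helper names, the `--apply` switch and the main profile path `/etc/apparmor.d/usr.sbin.clamd` are assumptions; only the local file path and the rule come from the message.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the clamav package).

# add_local_rule RULE FILE
# Append RULE to FILE unless an identical line is already there, so that
# re-running the script does not pile up duplicate rules.
add_local_rule() {
    rule=$1
    file=$2
    # -x: whole-line match, -F: fixed string (the rule is not a regex)
    if [ -f "$file" ] && grep -qxF -- "$rule" "$file"; then
        echo "already present: $rule"
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
    echo "added: $rule"
}

# profile_includes_local PROFILE NAME
# Succeeds if PROFILE contains an include of <local/NAME>; without that
# include the override file is never read and the rule has no effect.
profile_includes_local() {
    grep -Eq "^[[:space:]]*#?include[[:space:]]+(if exists[[:space:]]+)?<local/$2>" "$1"
}

# Only touch /etc when explicitly asked to (run as root).
if [ "${1:-}" = "--apply" ]; then
    profile=/etc/apparmor.d/usr.sbin.clamd        # assumed main profile path
    local_file=/etc/apparmor.d/local/usr.sbin.clamd
    if ! profile_includes_local "$profile" usr.sbin.clamd; then
        echo "profile does not include local/usr.sbin.clamd" >&2
        exit 1
    fi
    add_local_rule "capability sys_admin," "$local_file"
    # Reload the profile so the new rule is enforced immediately.
    apparmor_parser -r "$profile"
fi
```
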
