Comment 3 for bug 1842695

John Johansen (jjohansen) wrote :

Let me slightly revise what legovini wrote (and apologies to legovini who was just passing on my less than adequate explanation).

It is true that giving cap sys_admin is effectively giving a process root. That doesn't mean we don't do it, but we do it very carefully, and only after review of the use cases. It is also true that there is no good solution to separate out the root functionality that cap sys_admin grants because the kernel conflates several different permissions under cap sys_admin.

The apparmor confinement will still apply even after granting cap sys_admin. But it is somewhat weakened. Just how much will depend on other parts of the profile. And having the profile will be better than not having it as even weakened it can split apart some of the broad permissions granted by cap sys_admin.

There is no point in having broken packages due to security, it just upsets users and leads to users turning off security which is the worst possible result.

So the question is how useful is clamav when not using OnAccess mode?

If we are going to allow OnAccess,
Is it by default, or an optional configuration?
And what is the best way to allow cap sys_admin?

If necessary the apparmor profile can be updated to allow cap sys_admin, however it is certainly more desirable (from a security perspective) to make it optional behind a tunable or have it commented out by default.
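As an added illustration (not from this bug thread or from the clamav package itself) of the "commented out by default" option described above: the capability rule stays in the shipped profile but disabled, and an administrator who actually needs OnAccess scanning enables it in the local override that the shipped profile includes. The profile path, the profile name and the local override path are assumptions for the example, and the file rules are placeholders that stand in for whatever the real profile grants.

```apparmor
# /etc/apparmor.d/usr.sbin.clamd  (assumed path and profile name)
#include <tunables/global>

/usr/sbin/clamd {
  #include <abstractions/base>

  # Regular scanning needs no extra capabilities; these file rules
  # (placeholders here) keep confining the daemon even if the
  # capability below is later enabled, which is the point made above:
  # a weakened profile still beats no profile.
  /etc/clamav/** r,
  /var/lib/clamav/** r,
  /var/log/clamav/** w,

  # OnAccess (fanotify) mode needs CAP_SYS_ADMIN, which is close to
  # handing the process root. It is deliberately left disabled here;
  # enable it in the local override only if OnAccess is required.
  # capability sys_admin,

  # Site-specific additions live in the local file so package upgrades
  # do not overwrite them.
  #include <local/usr.sbin.clamd>
}
```

An administrator who needs OnAccess scanning would then add the single line `capability sys_admin,` to the assumed `/etc/apparmor.d/local/usr.sbin.clamd` and reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd`; everything else in the profile keeps applying.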