Comment 5 for bug 1842695

Christian Ehrhardt (paelzer) wrote:

Trying to revive some old bugs that seem forgotten for too long.

I think the discussion came to a point where:

1. The apparmor rule that would need to be added is clear

2. Adding it by default is considered not safe

3. The fix therefore can only be to ensure users who want to use it this way are aware
   - Paride mentioned adding things to docs
     The package's readme already mentions that in general (but not the specific case)
     "If your system uses apparmor, please note that the shipped enforcing profile
      works with the default installation, and changes in your configuration may
      require changes to the installed apparmor profile. ..."
   - I have not found any mention of ScanOnAccess in the man page or the HTML docs

4. It is definitely desirable to add this apparmor rule in a way not revoked by package upgrades
   That can be done with the common pattern of local overrides.
   See /etc/apparmor.d/local/README
   For this case, allowing it would be like:
     echo "capability sys_admin," >> /etc/apparmor.d/local/usr.sbin.clamd

As others outlined before, "just allowing it by default" seems to be no option.
And maybe because no one felt as if "we could do much", the activity dropped.
But we should consider adding a hint on how to easily do so (see #4 above) to documentation (IMHO in descending usefulness):

- Add comment about ScanOnAccess and apparmor in /etc/clamav/clamd.conf
- Add a section about apparmor to the man page (as people look there first)
- Readme.debian (as example along the already existing entry about apparmor)

Debian uses apparmor as well now, so it might be worth doing the changes there directly so that everyone benefits.

That task is small (bitesize) but also low prio - so that is how I'd retriage the bug for now.
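The local-override pattern from point 4 above, written out as an added example that is not part of the bug report or the clamav package: it appends the `capability sys_admin,` rule to `/etc/apparmor.d/local/usr.sbin.clamd` only if it is not already there, then reloads the profile. It assumes the shipped profile includes its `local/` file as `/etc/apparmor.d/local/README` describes; the `PROFILE_DIR` variable and the `apply` argument are my additions so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: idempotent local AppArmor override for clamd ScanOnAccess.
# PROFILE_DIR is an assumption (defaults to the real location) so the same
# functions can be pointed at a temporary directory for testing.
set -eu

PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"
PROFILE_NAME="usr.sbin.clamd"
# The rule named in the bug comment; sys_admin is broad, which is why the
# comment concludes it cannot be enabled in the default profile.
RULE="capability sys_admin,"

# Append RULE to the local override unless it is already present, so running
# this after every package upgrade never stacks duplicate lines.
# Prints "added" or "present".
add_local_rule() {
    local_file="$PROFILE_DIR/local/$PROFILE_NAME"
    mkdir -p "$PROFILE_DIR/local"
    [ -f "$local_file" ] || : > "$local_file"
    if grep -qxF "$RULE" "$local_file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$RULE" >> "$local_file"
    echo added
}

# Reload the main profile so the override takes effect. Skipped when
# apparmor_parser is unavailable or the profile is not installed.
reload_profile() {
    profile="$PROFILE_DIR/$PROFILE_NAME"
    if command -v apparmor_parser >/dev/null 2>&1 && [ -f "$profile" ]; then
        apparmor_parser -r "$profile"
    fi
}

# Only change the system when explicitly asked (run as root: sh this.sh apply);
# sourcing the file merely defines the functions.
if [ "${1:-}" = "apply" ]; then
    add_local_rule
    reload_profile
fi
```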