apparmor profile usr.sbin.clamd does not allow ScanOnAccess via fanotify

Please add
    capability setgid,
to the clamd profile and re-enable it ("aa-enforce clamd").

If it still doesn't work, set it to complain mode ("aa-complain clamd") so that it permits everything and logs what would be denied. Then use clamd for a while and provide the clamd-related entries from /var/log/audit/audit.log.

You can also update the profile yourself using aa-logprof, and set the profile back to enforce mode with "aa-enforce clamd".

Status changed to 'Confirmed' because the bug affects multiple users.

I have the same problem, but the above does not help me.
aa-complain clamd needs to be done at every startup, otherwise clamd would not start.
No /var/log/audit/audit.log
Eicar file can be copied despite clamav on-access running (acc clamav.log)
Details see https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109

some further info:
I now have installed auditd to have the log in /var/log/audit/audit.log.
I added to usr.bin.clamd:
  capability setgid,
  capability setuid,
and used aa-logprof to add some more items:
  capability chown,
  capability dac_override,
  capability fsetid,
  capability sys_admin,
But, after reload apparmor, aa-enforce clamd, and restart clamd
I still have "ERROR: initgroups() failed" at clamd start.
It still needs aa-complain clamd to successfully start clamd

no any reaction?
Does that mean on-access scanning does not work with clamav (non-detection of Eicar file)?
Because of lacking compatibility with apparmor?

I was describing two issues: One is that root user was needed for ScanOnAccess. Second was that the apparmor profile does not fit.

Basically, there should be an easy way to use ScanOnAccess with correct apparmor profile.

Fanotify seems to be a basic feature in conjunction with a virus scanner (which can simply run in user space without a kernel module, still getting notified about changes in files).

With the two changes I described, ScanOnAccess is working for me with root privileges and apparmor profile disabled. Therefore, it also detects Eicar testfiles.

I'd suggest to make ScanOnAccess more accessible to an average user.

Hartwig, are there still AppArmor DENIED lines in your /var/log/syslog or /var/log/audit/audit.log files even after adding all those extra capabilities? Granted, a profiled application with all those capabilities is likely powerful enough to do great damage to the system anyway...

Thanks

clamd starts with:
1. aa-complain clamd
2. invoke-rc.d clamav-daemon restart

No clamd entries in syslog.
audit.log after starting clamd:
type=USER_AUTH msg=audit(1428468600.638:193): pid=8314 uid=1000 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="hartwig" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=USER_ACCT msg=audit(1428468600.638:194): pid=8314 uid=1000 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="hartwig" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=USER_START msg=audit(1428468600.658:195): pid=8314 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'
type=AVC msg=audit(1428468604.378:196): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/clamd" pid=8319 comm="apparmor_parser"
type=SYSCALL msg=audit(1428468604.378:196): arch=40000003 syscall=4 success=yes exit=26185 a0=3 a1=9c6677c a2=6649 a3=bfbf36c4 items=0 ppid=8315 pid=8319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts18 ses=4294967295 comm="apparmor_parser" exe="/sbin/apparmor_parser" key=(null)
type=USER_END msg=audit(1428468604.450:197): pid=8314 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/18 res=success'

But - Eicar file can be copied, no error msg, no log entry

As another try, I tried to disable the apparmor profile by
  cd /etc/apparmor.d/disable
  ln -s ./../usr.sbin.clamd
as described by Thomas above. Unexpectedly, that did not get rid of the message "ERROR: initgroups() failed".
I found I had a file "usr.sbin(Kopie).clamd" in that folder; this file was a backup of the original, and got used by apparmor (went into the cache folder). After removing this backup copy (and reload apparmor) clamd could start.

Next try: use the original usr.sbin.clamd and add "capability setgid," as recommended by Christian above.
After reload apparmor and restart clamd I got "ERROR: Failed to change socket ownership to group clamav Closing the main socket."
But at system restart clamd started without error.
So, it was the backup file in /etc/apparmor.d which caused the trouble.
Maybe, I will gradually find out how to get on-access scan working.

Hartwig, great find with the backup copied file! That would definitely complicate all debugging efforts. Please do report back now that you can make some forward progress.

Now, that on-access scan seems to be working, I tried some cases:
No detections when I copied some Eicar files around in subfolders of /home/hartwig. However, I got a detection when I placed an Eicar file directly into that folder (mentioned in /var/log/clamav/clamav.log). It looks like that only the folder mentioned in the OnAccessIncludePath parameter is scanned, but no subfolders. Any way to include subfolders?

However, this behaviour does not seem to be connected to apparmor, so it is off-topic for this bug. I put my observations into the original clamav question https://answers.launchpad.net/ubuntu/+source/clamav/+question/263109.

We ran into the same issue, but wanted to avoid installing apparmor-utils.

In the /etc/apparmor.d/usr.sbin.clam profile, it is possible to set the clamd profile to complain mode directly (we used Ansible) without having to install apparmor-utils or use aa-complain.

Before:
/usr/sbin/clamd {

After:
/usr/sbin/clamd flags=(complain) {