installation: disable clamav-clamonacc.service by default for PMG

> On-Access [...] leverages a kernel api called fanotify to block
> processes from attempting to access malicious files. This
> prevention occurs in kernel-space, and thus offers stronger
> protection than a purely user-space solution.

This is not really useful for the PMG use case and requires user
configuration as otherwise it refuses to start. In fact, is the sole
unit marked as failed after a fresh installation:

> ERROR: Clamonacc: at least one of OnAccessExcludeUID,
> OnAccessExcludeUname, or OnAccessExcludeRootUID must be specified
> it is recommended you exclude the clamd instance UID or uname to
> prevent infinite event scanning loops.

So disable it by default, if a user really wants this, whyever that
would be, the can just configure it and enable it again via
systemctl.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/Proxmox/Install.pm b/Proxmox/Install.pm
index e7a93bfdacf31e29fe7cdd8be86343e5a9455379..1c4811d69c1d85895e540bbc7554abb805948c25 100644 (file)
--- a/Proxmox/Install.pm
+++ b/Proxmox/Install.pm
@@ -1115,6 +1115,11 @@ _EOD
            }
            syscmd("chroot $targetdir /bin/chown clamav:clamav -R /var/lib/clamav") == 0 ||
                die "unable to set owner for clamav database files\n";
+
+           # on-access scanner (blocks file access if it thinks file is bad) needs to be explicit
+           # configured by the user, otherwise it fails, and it doesn't make sense for most users.
+           unlink "$targetdir/etc/systemd/system/multi-user.target.wants/clamav-clamonacc.service"
+               or warn "failed to disable clamav-clamonacc.service - $!";
        }
 
        if ($iso_env->{product} eq 'pve') {