When using onaccess scanning together with selinux, it seems these 2 are not sufficient:

setsebool -P antivirus_can_scan_system 1

setsebool -P clamd_use_jit 1

Onaccess scanning will still fail to initialize (at least when launched via systemd). Currently I added this:

semanage permissive -a antivirus_t

But I presume that's in fact a little too much. There's no real doc found at clamav concerning selinux either, so could someone shed a light on this?