Clamd and systemd

Daniel J Walsh dwalsh at redhat.com
Wed Sep 19 19:21:47 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 07:36 AM, Bill Shirley wrote:
> 
> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>> seems to be missing..."
>>> 
>>> Whatever is the parameter after the @ and before the dot  becomes %i
>>> in the service file.  Look at the service file: [Unit] Description =
>>> clamd scanner (%i) daemon After = syslog.target nss-lookup.target
>>> network.target
>>> 
>>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c
>>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp =
>>> true
>>> 
>>> so clamd at scan.service invokes clamd with the scan.conf file as it's 
>>> configuration file. This way you can have multiple clamd services each
>>> using a different config file.  Just create another config file in 
>>> /etc/clamd.d/my_config.conf and: ln -s
>>> /lib/systemd/system/clamd at .service 
>>> /etc/systemd/system/clamd at my_config.service
>>> 
>>> You should have the /etc/clamd.d/scan.conf I think:
>>> 
>>> [root at moses shorewall]# rpm -qf /etc/clamd.d/scan.conf 
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>> Thank you Bill for a helpful and, more importantly, informative reply. I 
>> think this will not only help me to solve my problem but, even better, 
>> help me to understand where I was going wrong.
>> 
>> As before, I don't have access to the machine right now, so i will try 
>> when I get home to work through this and get it right.
>> 
>> I will once again report back later...
>> 
>> Thanks again. Your help is much appreciated.
>> 
>> Mark
>> 
>> 
> 
> You mentioned scanning email.  I run clamav-milter and stop the virus at
> smtp time.  You may find this helpful:
> 
> [root at moses clamav]# rpm -qa | grep clam | sort 
> clamav-data-0.97.5-1700.fc17.noarch 
> clamav-filesystem-0.97.5-1700.fc17.noarch 
> clamav-lib-0.97.5-1700.fc17.x86_64 clamav-milter-0.97.5-1700.fc17.x86_64 
> clamav-milter-systemd-0.97.5-1700.fc17.noarch 
> clamav-scanner-0.97.5-1700.fc17.noarch 
> clamav-scanner-systemd-0.97.5-1700.fc17.noarch 
> clamav-server-0.97.5-1700.fc17.x86_64 
> clamav-server-systemd-0.97.5-1700.fc17.noarch 
> clamav-update-0.97.5-1700.fc17.x86_64
> 
> For clamav-milter, I had to add clamilt to the postfix group (usermod -a
> -G postfix clamilt): [root at moses clamav]# egrep 'post|clam' /etc/group 
> mail:x:12:postfix postfix:x:89:clamilt postdrop:x:90: 
> clamscan:x:987:clamilt clamilt:x:988:postfix clamupdate:x:989:
> 
> 
> Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure to
> comment out above: Example
> 
> ClamdSocket             unix:/var/run/clamd.scan/clamd.sock MilterSocket
> /var/run/clamav-milter/clamav-milter.socket ##MilterSocket
> inet:3381 # usermod -a -G postfix clamilt MilterSocketGroup       postfix 
> MilterSocketMode        660
> 
> OnInfected              Reject AddHeader               Replace
> 
> #LogFile                /var/log/clamav-milter.log #LogFileMaxSize
> 1M #LogTime                yes LogSyslog               yes LogFacility
> LOG_MAIL #LogVerbose             no LogClean                Basic 
> LogInfected             Full
> 
> Add to postfix's main.cf: # usermod -a -G clamilt postfix smtpd_milters =
> unix:/var/run/clamav-milter/clamav-milter.socket #milter_default_action =
> accept milter_default_action = tempfail
> 
> I can't remember if I had to create the directory, but here is that info: 
> [root at moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket 
> drwxr-xr-x. root    root    system_u:object_r:var_t:s0       /var 
> lrwxrwxrwx. root    root    system_u:object_r:var_run_t:s0 /var/run ->
> ../run drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 
> /var/run/clamav-milter srw-rw----. clamilt postfix
> system_u:object_r:clamd_var_run_t:s0 
> /var/run/clamav-milter/clamav-milter.socket
> 
> 
> For clamav, to avoid selinux problems issue command: setsebool -P
> clamd_use_jit on
> 
> Add to end of scan.conf: # my stuff # be sure to commend out above:
> Example
> 
> #LogFile                /var/log/clamav/clamd.scan #LogFacility
> LOG_MAIL LogFacility             LOG_DAEMON ExtendedDetectionInfo   yes 
> LocalSocket             /var/run/clamd.scan/clamd.sock #LocalSocketGroup
> virusgroup #LocalSocketMode        660 FixStaleSocket          yes 
> CrossFilesystems        no ExcludePath             ^/proc/ ExcludePath
> ^/sys/ ExcludePath             ^/fuse/ ExcludePath             ^/backup/ 
> ExcludePath             ^/bacula/ SelfCheck               3600
> 
> 
> And finally freshclam, add to the end of freshclam.conf: # my stuff 
> LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases yes
> 
> 
> Note in all the clamav configuration file there is a line: Example that has
> to be commented out for the service to run.
> 
> Don't forget to systemctl enable these to services: [root at moses clamav]#
> systemctl is-active clamav-milter.service active [root at moses clamav]#
> systemctl is-active clamd at scan.service active
> 
> Hope this helps, Bill
> 
> 
> 
Is this the default setting for clamd now?  clamd_use_jit on  Should we turn
this on by default?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBaG0sACgkQrlYvE4MpobPBpgCeO3g4C646kE7btcoipQcHR2q5
1vsAoKoQMCzHCCqHS3EgD+sx0cs9QiJZ
=eM1e
-----END PGP SIGNATURE-----

More information about the users mailing list