Clamd and systemd

Bill Shirley bshirley at memphis.apirx.biz
Wed Sep 19 20:41:40 UTC 2012


On 9/19/2012 3:21 PM, Daniel J Walsh wrote:
> On 09/19/2012 07:36 AM, Bill Shirley wrote:
>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>>> seems to be missing..."
>>>>
>>>> Whatever is the parameter after the @ and before the dot becomes %i
>>>> in the service file.  Look at the service file:
>>>>
>>>> [Unit]
>>>> Description = clamd scanner (%i) daemon
>>>> After = syslog.target nss-lookup.target network.target
>>>>
>>>> [Service]
>>>> Type = simple
>>>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>>>> Restart = on-failure
>>>> PrivateTmp = true
>>>>
>>>> so clamd@scan.service invokes clamd with the scan.conf file as its
>>>> configuration file. This way you can have multiple clamd services each
>>>> using a different config file.  Just create another config file in
>>>> /etc/clamd.d/my_config.conf and:
>>>>
>>>> ln -s /lib/systemd/system/clamd@.service /etc/systemd/system/clamd@my_config.service
>>>>
>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>
>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>> Thank you Bill for a helpful and, more importantly, informative reply. I
>>> think this will not only help me to solve my problem but, even better,
>>> help me to understand where I was going wrong.
>>>
>>> As before, I don't have access to the machine right now, so I will try
>>> when I get home to work through this and get it right.
>>>
>>> I will once again report back later...
>>>
>>> Thanks again. Your help is much appreciated.
>>>
>>> Mark
>>>
>>>
>> You mentioned scanning email.  I run clamav-milter and stop the virus at
>> smtp time.  You may find this helpful:
>>
>> [root@moses clamav]# rpm -qa | grep clam | sort
>> clamav-data-0.97.5-1700.fc17.noarch
>> clamav-filesystem-0.97.5-1700.fc17.noarch
>> clamav-lib-0.97.5-1700.fc17.x86_64
>> clamav-milter-0.97.5-1700.fc17.x86_64
>> clamav-milter-systemd-0.97.5-1700.fc17.noarch
>> clamav-scanner-0.97.5-1700.fc17.noarch
>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch
>> clamav-server-0.97.5-1700.fc17.x86_64
>> clamav-server-systemd-0.97.5-1700.fc17.noarch
>> clamav-update-0.97.5-1700.fc17.x86_64
>>
>> For clamav-milter, I had to add clamilt to the postfix group (usermod -a
>> -G postfix clamilt):
>>
>> [root@moses clamav]# egrep 'post|clam' /etc/group
>> mail:x:12:postfix
>> postfix:x:89:clamilt
>> postdrop:x:90:
>> clamscan:x:987:clamilt
>> clamilt:x:988:postfix
>> clamupdate:x:989:
>>
>>
>> Add to the end of /etc/mail/clamav-milter.conf:
>>
>> # my stuff
>> # be sure to comment out above: Example
>>
>> ClamdSocket             unix:/var/run/clamd.scan/clamd.sock
>> MilterSocket            /var/run/clamav-milter/clamav-milter.socket
>> ##MilterSocket          inet:3381
>> # usermod -a -G postfix clamilt
>> MilterSocketGroup       postfix
>> MilterSocketMode        660
>>
>> OnInfected              Reject
>> AddHeader               Replace
>>
>> #LogFile                /var/log/clamav-milter.log
>> #LogFileMaxSize         1M
>> #LogTime                yes
>> LogSyslog               yes
>> LogFacility             LOG_MAIL
>> #LogVerbose             no
>> LogClean                Basic
>> LogInfected             Full
>>
>> Add to postfix's main.cf:
>>
>> # usermod -a -G clamilt postfix
>> smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
>> #milter_default_action = accept
>> milter_default_action = tempfail
>>
>> I can't remember if I had to create the directory, but here is that info:
>>
>> [root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
>> drwxr-xr-x. root    root    system_u:object_r:var_t:s0           /var
>> lrwxrwxrwx. root    root    system_u:object_r:var_run_t:s0       /var/run -> ../run
>> drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
>> srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter/clamav-milter.socket
>>
>>
>> For clamav, to avoid selinux problems issue command:
>>
>> setsebool -P clamd_use_jit on
>>
>> Add to end of scan.conf:
>>
>> # my stuff
>> # be sure to comment out above: Example
>>
>> #LogFile                /var/log/clamav/clamd.scan
>> #LogFacility            LOG_MAIL
>> LogFacility             LOG_DAEMON
>> ExtendedDetectionInfo   yes
>> LocalSocket             /var/run/clamd.scan/clamd.sock
>> #LocalSocketGroup       virusgroup
>> #LocalSocketMode        660
>> FixStaleSocket          yes
>> CrossFilesystems        no
>> ExcludePath             ^/proc/
>> ExcludePath             ^/sys/
>> ExcludePath             ^/fuse/
>> ExcludePath             ^/backup/
>> ExcludePath             ^/bacula/
>> SelfCheck               3600
>>
>>
>> And finally freshclam, add to the end of freshclam.conf:
>>
>> # my stuff
>> LogFacility LOG_DAEMON
>> DatabaseMirror db.US.clamav.net
>> TestDatabases yes
>>
>>
>> Note in all the clamav configuration files there is a line: Example that has
>> to be commented out for the service to run.
>>
>> Don't forget to systemctl enable these two services:
>>
>> [root@moses clamav]# systemctl is-active clamav-milter.service
>> active
>> [root@moses clamav]# systemctl is-active clamd@scan.service
>> active
>>
>> Hope this helps, Bill
>>
>>
>>
> Is this the default setting for clamd now?  clamd_use_jit on  Should we turn
> this on by default?
I can't speak for everyone else, but with my setup, I was getting 
selinux errors with clamd.  When I ran audit2allow it said to set this 
boolean to eliminate the errors.

Bill
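
The %i substitution and the `Example` guard described in the quoted message, as an added example that is not part of the original thread: a pre-flight check that maps a `clamd@<instance>.service` unit name to its config file and confirms the file is usable. The function names and the temporary sample files are assumptions constructed for illustration; the default paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: pre-flight checks for one clamd@<instance>.service unit.
# Function names are hypothetical; default paths are the ones quoted in the thread.

# instance_of UNIT: print the %i value (text between '@' and '.service').
instance_of() {
    case "$1" in
        *@?*.service) ;;
        *) return 1 ;;          # not an instantiated template unit
    esac
    inst=${1#*@}
    printf '%s\n' "${inst%.service}"
}

# conf_for UNIT [CONFDIR]: path that "-c /etc/clamd.d/%i.conf" expands to.
conf_for() {
    inst=$(instance_of "$1") || return 1
    printf '%s/%s.conf\n' "${2:-/etc/clamd.d}" "$inst"
}

# has_active_example FILE: succeed if an uncommented "Example" line remains.
has_active_example() {
    grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$1"
}

# conf_value FILE KEY: print the value of the last uncommented "KEY value" line.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# preflight UNIT [CONFDIR]: print "ok <socket>" or the reason for failure.
preflight() {
    conf=$(conf_for "$1" "$2") || { echo "not a template instance"; return 1; }
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    if has_active_example "$conf"; then echo "Example still active"; return 1; fi
    sock=$(conf_value "$conf" LocalSocket)
    [ -n "$sock" ] || { echo "no LocalSocket set"; return 1; }
    echo "ok $sock"
}

# make_sample: write constructed sample configs to a temp dir and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#Example' 'LogFacility LOG_DAEMON' \
        'LocalSocket /var/run/clamd.scan/clamd.sock' > "$d/scan.conf"
    printf '%s\n' 'Example' 'LocalSocket /tmp/x.sock' > "$d/broken.conf"
    echo "$d"
}
```

Running `preflight clamd@scan.service` on a real host checks /etc/clamd.d/scan.conf; the socket path it prints is the one the milter's ClamdSocket line has to match.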