Clamd and systemd
Daniel J Walsh
dwalsh at redhat.com
Wed Sep 19 20:51:45 UTC 2012
On 09/19/2012 04:41 PM, Bill Shirley wrote:
>
> On 9/19/2012 3:21 PM, Daniel J Walsh wrote:
> On 09/19/2012 07:36 AM, Bill Shirley wrote:
>>>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>>>> "What tells it that it is a "scan" service? That bit of the
>>>>>> puzzle seems to be missing..."
>>>>>>
>>>>>> Whatever is the parameter after the @ and before the dot becomes
>>>>>> %i in the service file. Look at the service file:
>>>>>>
>>>>>> [Unit]
>>>>>> Description = clamd scanner (%i) daemon
>>>>>> After = syslog.target nss-lookup.target network.target
>>>>>>
>>>>>> [Service]
>>>>>> Type = simple
>>>>>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>>>>>> Restart = on-failure
>>>>>> PrivateTmp = true
>>>>>>
>>>>>> so clamd@scan.service invokes clamd with the scan.conf file as
>>>>>> its configuration file. This way you can have multiple clamd
>>>>>> services each using a different config file. Just create another
>>>>>> config file in /etc/clamd.d/my_config.conf and:
>>>>>> ln -s /lib/systemd/system/clamd@.service /etc/systemd/system/clamd@my_config.service
>>>>>>
>>>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>>>
>>>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>>> Thank you Bill for a helpful and, more importantly, informative
>>>>> reply. I think this will not only help me to solve my problem but,
>>>>> even better, help me to understand where I was going wrong.
>>>>>
>>>>> As before, I don't have access to the machine right now, so I will
>>>>> try when I get home to work through this and get it right.
>>>>>
>>>>> I will once again report back later...
>>>>>
>>>>> Thanks again. Your help is much appreciated.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>> You mentioned scanning email. I run clamav-milter and stop the virus
>>>> at smtp time. You may find this helpful:
>>>>
>>>> [root@moses clamav]# rpm -qa | grep clam | sort
>>>> clamav-data-0.97.5-1700.fc17.noarch
>>>> clamav-filesystem-0.97.5-1700.fc17.noarch
>>>> clamav-lib-0.97.5-1700.fc17.x86_64
>>>> clamav-milter-0.97.5-1700.fc17.x86_64
>>>> clamav-milter-systemd-0.97.5-1700.fc17.noarch
>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch
>>>> clamav-server-0.97.5-1700.fc17.x86_64
>>>> clamav-server-systemd-0.97.5-1700.fc17.noarch
>>>> clamav-update-0.97.5-1700.fc17.x86_64
>>>>
>>>> For clamav-milter, I had to add clamilt to the postfix group (usermod
>>>> -a -G postfix clamilt):
>>>> [root@moses clamav]# egrep 'post|clam' /etc/group
>>>> mail:x:12:postfix
>>>> postfix:x:89:clamilt
>>>> postdrop:x:90:
>>>> clamscan:x:987:clamilt
>>>> clamilt:x:988:postfix
>>>> clamupdate:x:989:
>>>>
>>>>
>>>> Add to the end of /etc/mail/clamav-milter.conf:
>>>> # my stuff
>>>> # be sure to comment out above: Example
>>>>
>>>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>>> MilterSocket /var/run/clamav-milter/clamav-milter.socket
>>>> ##MilterSocket inet:3381
>>>> # usermod -a -G postfix clamilt
>>>> MilterSocketGroup postfix
>>>> MilterSocketMode 660
>>>>
>>>> OnInfected Reject
>>>> AddHeader Replace
>>>>
>>>> #LogFile /var/log/clamav-milter.log
>>>> #LogFileMaxSize 1M
>>>> #LogTime yes
>>>> LogSyslog yes
>>>> LogFacility LOG_MAIL
>>>> #LogVerbose no
>>>> LogClean Basic
>>>> LogInfected Full
>>>>
>>>> Add to postfix's main.cf:
>>>> # usermod -a -G clamilt postfix
>>>> smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
>>>> #milter_default_action = accept
>>>> milter_default_action = tempfail
>>>>
>>>> I can't remember if I had to create the directory, but here is that
>>>> info:
>>>> [root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
>>>> drwxr-xr-x. root root system_u:object_r:var_t:s0 /var
>>>> lrwxrwxrwx. root root system_u:object_r:var_run_t:s0 /var/run -> ../run
>>>> drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
>>>> srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter/clamav-milter.socket
>>>>
>>>>
>>>> For clamav, to avoid selinux problems issue command: setsebool -P
>>>> clamd_use_jit on
>>>>
>>>> Add to end of scan.conf:
>>>> # my stuff
>>>> # be sure to comment out above: Example
>>>>
>>>> #LogFile /var/log/clamav/clamd.scan
>>>> #LogFacility LOG_MAIL
>>>> LogFacility LOG_DAEMON
>>>> ExtendedDetectionInfo yes
>>>> LocalSocket /var/run/clamd.scan/clamd.sock
>>>> #LocalSocketGroup virusgroup
>>>> #LocalSocketMode 660
>>>> FixStaleSocket yes
>>>> CrossFilesystems no
>>>> ExcludePath ^/proc/
>>>> ExcludePath ^/sys/
>>>> ExcludePath ^/fuse/
>>>> ExcludePath ^/backup/
>>>> ExcludePath ^/bacula/
>>>> SelfCheck 3600
>>>>
>>>>
>>>> And finally freshclam, add to the end of freshclam.conf:
>>>> # my stuff
>>>> LogFacility LOG_DAEMON
>>>> DatabaseMirror db.US.clamav.net
>>>> TestDatabases yes
>>>>
>>>>
>>>> Note in all the clamav configuration files there is a line: Example
>>>> that has to be commented out for the service to run.
>>>>
>>>> Don't forget to systemctl enable these two services:
>>>> [root@moses clamav]# systemctl is-active clamav-milter.service
>>>> active
>>>> [root@moses clamav]# systemctl is-active clamd@scan.service
>>>> active
>>>>
>>>> Hope this helps, Bill
>>>>
>>>>
>>>>
> Is this the default setting for clamd now?
> clamd_use_jit on
> Should we turn this on by default?
>
> I can't speak for everyone else, but with my setup, I was getting
> selinux errors with clamd. When I ran audit2allow it said to set this
> boolean to eliminate the errors.
>
> Bill
>
>
Well, had you changed any default settings in clamd to turn on JIT, or does it
come with JIT turned on by default?
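
A consistency check for the pieces wired together in the quoted setup (the %i mapping from clamd@scan.service to /etc/clamd.d/scan.conf, the Example line, the two sockets, and postfix's milter settings), added here as an example and not part of the original thread. The function names and the inline sample files are constructed for illustration; it handles single-line settings only.

```python
import re

# Constructed samples mirroring the fragments quoted in the thread.
SCAN_CONF = "#Example\nLogFacility LOG_DAEMON\nLocalSocket /var/run/clamd.scan/clamd.sock\n"
MILTER_CONF = ("#Example\nClamdSocket unix:/var/run/clamd.scan/clamd.sock\n"
               "MilterSocket /var/run/clamav-milter/clamav-milter.socket\n"
               "MilterSocketGroup postfix\nMilterSocketMode 660\n")
MAIN_CF = ("smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket\n"
           "#milter_default_action = accept\nmilter_default_action = tempfail\n")

def instance_conf(unit):
    """Config file that clamd@<instance>.service passes to 'clamd -c' via %i."""
    m = re.fullmatch(r"clamd@([^@/]+)\.service", unit)
    if not m:
        raise ValueError(f"not a clamd@ instance unit: {unit}")
    return f"/etc/clamd.d/{m.group(1)}.conf"

def parse(text, sep=None):
    """Read 'Key value' (ClamAV) or 'key = value' (postfix) lines; '#' lines are comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(sep, 1) + [""]
            opts[parts[0].strip()] = parts[1].strip()  # last setting wins
    return opts

def path(sock):
    """Drop an optional 'unix:' prefix so socket paths compare equal."""
    return sock[5:] if sock.startswith("unix:") else sock

def check(scan_conf, milter_conf, main_cf):
    """Return findings as strings; an empty list means the three files agree."""
    clamd, milter, postfix = parse(scan_conf), parse(milter_conf), parse(main_cf, "=")
    out = []
    for name, conf in (("scan.conf", clamd), ("clamav-milter.conf", milter)):
        if "Example" in conf:
            out.append(f"{name}: Example line is not commented out")
    if path(milter.get("ClamdSocket", "")) != clamd.get("LocalSocket"):
        out.append("ClamdSocket does not match clamd's LocalSocket")
    milters = [path(m) for m in re.split(r"[,\s]+", postfix.get("smtpd_milters", ""))]
    if milter.get("MilterSocket") is None or path(milter["MilterSocket"]) not in milters:
        out.append("smtpd_milters does not reference MilterSocket")
    if (milter.get("MilterSocketGroup"), milter.get("MilterSocketMode")) != ("postfix", "660"):
        out.append("milter socket is not group postfix, mode 660")
    if postfix.get("milter_default_action", "tempfail") == "accept":
        out.append("milter_default_action = accept delivers unscanned mail if the milter is down")
    return out
```
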