Clamd and systemd

Daniel J Walsh dwalsh at redhat.com
Fri Sep 21 13:43:03 UTC 2012


On 09/20/2012 05:38 AM, Zdenek Pytela wrote:
> Daniel J Walsh writes:
>> 
>> On 09/19/2012 07:36 AM, Bill Shirley wrote:
>>> 
>>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>>> "What tells it that it is a "scan" service? That bit of the puzzle 
>>>>> seems to be missing..."
>>>>> 
>>>>> Whatever is the parameter after the @ and before the dot becomes
>>>>> %i in the service file.  Look at the service file:
>>>>> 
>>>>> [Unit]
>>>>> Description = clamd scanner (%i) daemon
>>>>> After = syslog.target nss-lookup.target network.target
>>>>> 
>>>>> [Service]
>>>>> Type = simple
>>>>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>>>>> Restart = on-failure
>>>>> PrivateTmp = true
>>>>> 
>>>>> so clamd@scan.service invokes clamd with the scan.conf file as its
>>>>> configuration file. This way you can have multiple clamd services
>>>>> each using a different config file.  Just create another config
>>>>> file in /etc/clamd.d/my_config.conf and:
>>>>> 
>>>>> ln -s /lib/systemd/system/clamd@.service /etc/systemd/system/clamd@my_config.service
>>>>> 
>>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>> 
>>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>> Thank you Bill for a helpful and, more importantly, informative
>>>> reply. I think this will not only help me to solve my problem but,
>>>> even better, help me to understand where I was going wrong.
>>>> 
>>>> As before, I don't have access to the machine right now, so I will
>>>> try when I get home to work through this and get it right.
>>>> 
>>>> I will once again report back later...
>>>> 
>>>> Thanks again. Your help is much appreciated.
>>>> 
>>>> Mark
>>>> 
>>>> 
>>> 
>>> You mentioned scanning email.  I run clamav-milter and stop the virus
>>> at smtp time.  You may find this helpful:
>>> 
>>> [root@moses clamav]# rpm -qa | grep clam | sort
>>> clamav-data-0.97.5-1700.fc17.noarch
>>> clamav-filesystem-0.97.5-1700.fc17.noarch
>>> clamav-lib-0.97.5-1700.fc17.x86_64
>>> clamav-milter-0.97.5-1700.fc17.x86_64
>>> clamav-milter-systemd-0.97.5-1700.fc17.noarch
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch
>>> clamav-server-0.97.5-1700.fc17.x86_64
>>> clamav-server-systemd-0.97.5-1700.fc17.noarch
>>> clamav-update-0.97.5-1700.fc17.x86_64
>>> 
>>> For clamav-milter, I had to add clamilt to the postfix group (usermod
>>> -a -G postfix clamilt):
>>> 
>>> [root@moses clamav]# egrep 'post|clam' /etc/group
>>> mail:x:12:postfix
>>> postfix:x:89:clamilt
>>> postdrop:x:90:
>>> clamscan:x:987:clamilt
>>> clamilt:x:988:postfix
>>> clamupdate:x:989:
>>> 
>>> 
>>> Add to the end of /etc/mail/clamav-milter.conf:
>>> 
>>> # my stuff
>>> # be sure to comment out above: Example
>>> 
>>> ClamdSocket             unix:/var/run/clamd.scan/clamd.sock
>>> MilterSocket            /var/run/clamav-milter/clamav-milter.socket
>>> ##MilterSocket          inet:3381
>>> # usermod -a -G postfix clamilt
>>> MilterSocketGroup       postfix
>>> MilterSocketMode        660
>>> 
>>> OnInfected              Reject
>>> AddHeader               Replace
>>> 
>>> #LogFile                /var/log/clamav-milter.log
>>> #LogFileMaxSize         1M
>>> #LogTime                yes
>>> LogSyslog               yes
>>> LogFacility             LOG_MAIL
>>> #LogVerbose             no
>>> LogClean                Basic
>>> LogInfected             Full
>>> 
>>> Add to postfix's main.cf:
>>> 
>>> # usermod -a -G clamilt postfix
>>> smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
>>> #milter_default_action = accept
>>> milter_default_action = tempfail
>>> I can't remember if I had to create the directory, but here is that
>>> info:
>>> 
>>> [root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
>>> drwxr-xr-x. root    root    system_u:object_r:var_t:s0           /var
>>> lrwxrwxrwx. root    root    system_u:object_r:var_run_t:s0       /var/run -> ../run
>>> drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
>>> srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter/clamav-milter.socket
>>> 
>>> 
>>> For clamav, to avoid selinux problems issue command:
>>> 
>>> setsebool -P clamd_use_jit on
>>> 
>>> Add to end of scan.conf:
>>> 
>>> # my stuff
>>> # be sure to comment out above: Example
>>> 
>>> #LogFile                /var/log/clamav/clamd.scan
>>> #LogFacility            LOG_MAIL
>>> LogFacility             LOG_DAEMON
>>> ExtendedDetectionInfo   yes
>>> LocalSocket             /var/run/clamd.scan/clamd.sock
>>> #LocalSocketGroup       virusgroup
>>> #LocalSocketMode        660
>>> FixStaleSocket          yes
>>> CrossFilesystems        no
>>> ExcludePath             ^/proc/
>>> ExcludePath             ^/sys/
>>> ExcludePath             ^/fuse/
>>> ExcludePath             ^/backup/
>>> ExcludePath             ^/bacula/
>>> SelfCheck               3600
>>> 
>>> 
>>> And finally freshclam, add to the end of freshclam.conf:
>>> 
>>> # my stuff
>>> LogFacility LOG_DAEMON
>>> DatabaseMirror db.US.clamav.net
>>> TestDatabases yes
>>> 
>>> 
>>> Note in all the clamav configuration files there is a line: Example that
>>> has to be commented out for the service to run.
>>> 
>>> Don't forget to systemctl enable these two services:
>>> 
>>> [root@moses clamav]# systemctl is-active clamav-milter.service
>>> active
>>> [root@moses clamav]# systemctl is-active clamd@scan.service
>>> active
>>> 
>>> Hope this helps,
>>> Bill
>>> 
>>> 
>>> 
>> Is this the default setting for clamd now?  clamd_use_jit on  Should we
>> turn this on by default?
> On a fresh install there is
> 
> # Bytecode mode
> #
> # This option has been set to 'ForceInterpreter' in Fedora due to
> # security concerns by default.  You might need to enable the
> # 'clamd_use_jit' SELinux boolean after setting this option to the
> # more efficient 'ForceJIT' value.
> #
> # Default: ForceInterpreter
> #ByteCodeMode ForceInterpreter
> 
> We didn't change this, but had to change clamd_use_jit --> on.
> 
Then I would open a bug with clamd.
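
Added example, not part of the thread: a shell sketch of the mapping Bill describes (the instance name after the @ selects /etc/clamd.d/<instance>.conf) that also checks the two settings discussed here, the Example line and ByteCodeMode. The function names and the CONF_DIR variable are hypothetical, and the sample config is constructed.

```shell
# Added example, not part of the thread. CONF_DIR is an assumption of this sketch;
# it defaults to /etc/clamd.d, the directory used in the unit's ExecStart line.

instance_of() {
    # clamd@scan.service -> scan: the text after '@' and before the suffix (systemd's %i)
    unit=${1#*@}
    printf '%s\n' "${unit%.service}"
}

audit_clamd_unit() {
    conf="${CONF_DIR:-/etc/clamd.d}/$(instance_of "$1").conf"
    if [ ! -r "$conf" ]; then
        echo "MISSING $conf"
        return 1
    fi
    rc=0
    # The stock "Example" line has to be commented out for the service to run.
    if grep -Eq '^[[:space:]]*Example([[:space:]]|$)' "$conf"; then
        echo "FAIL Example line is not commented out"
        rc=1
    fi
    # Commented-out settings are ignored; with none set, report Fedora's default.
    mode=$(awk '$1 == "ByteCodeMode" { m = $2 }
                END { print (m == "" ? "ForceInterpreter" : m) }' "$conf")
    echo "INFO ByteCodeMode=$mode"
    if [ "$mode" = "ForceJIT" ]; then
        echo "NOTE ForceJIT may need: setsebool -P clamd_use_jit on"
    fi
    sock=$(awk '$1 == "LocalSocket" { s = $2 } END { print s }' "$conf")
    if [ -n "$sock" ]; then
        echo "INFO LocalSocket=$sock"
    fi
    return "$rc"
}

# Constructed sample config, written to a temporary directory so this runs offline.
CONF_DIR=$(mktemp -d)
cat > "$CONF_DIR/scan.conf" <<'EOF'
Example
#ByteCodeMode ForceInterpreter
LocalSocket /var/run/clamd.scan/clamd.sock
EOF
audit_clamd_unit clamd@scan.service || true
rm -rf "$CONF_DIR"
unset CONF_DIR
```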

