inline and at tail ...

On 7/3/2011 6:22 PM, Cameron Simpson wrote:
> On 03Jul2011 17:35, Paul Allen Newell <pnewell@xxxxxxxxxx> wrote:
>
> My habit for a virus scanner would be sbin; these days bin is for general
> purpose commands while sbin is for administrative commands (eg setenforce)
> and daemons (eg sshd).
>
> [...]

Reading FHS 2.3 seems to consider bin "local binaries" and sbin "local system binaries". Going up to /usr/bin and /usr/sbin seems to be "primary" vs "non-essential" respectively. Given that it is embedded in rc.local, it doesn't seem non-essential as errors will occur if it is not there. That being said, it sure looks academic so long as it is in /usr/local/{bin,sbin}.

> [...]
>
> | I have been reading up about rules and audit2allow.
> | [...]
> |
>
> I expect it varies depending on what clamscan thinks it needs to scan
> each time.
>
> Do you run prelink? It hacks binaries about on a regular basis and may
> be causing clamscan to be more active.

If I am running prelink, I don't know it. Your "varies" comment makes sense and I am not paying too much attention to it right now.

> | [...]
> |
> | My first question is whether there is a way to go "allow clamscan_t *
> | {read open search getattr}" so that clamscan will have permission to
> | examine anything on the system (which is what I would want with a virus
> | scan, right?).
>
> That's what I would look for. I am not an selinux guru and can't help
> you with the syntax there, but I would think you're on the right track
> with that rule.

Making sure I am correct that it will understand "clamscan_t" and the wild card are not showing up in the docs from selinuxpolicy.org and I ain't seeing anything in related links when googling. I'll give it another round before posting a new thread explicitly on that with the hopes that some selinux gurus see. You certainly know enough to have gotten me to the point of "something working" ... many thanks !!!

> [...]
>
> | The second question is why wouldn't selinux be defaulted to allow clamav
> | given that's what Fedora seems to be suggesting/using?
>
> Maybe it is, if it runs from /etc/init.d or something. Is clamav a
> fedora supplied package? If so, why is it run from rc.local instead of
> via a conventional presupplied chkconfig-controlled start/stop script?
>

It isn't part of the default "fresh" install, so I have to yum install it after. I remember seeing a Fedora draft doc talking about security and clamav, implying that it made sense to incorporate clamav into Fedora, but I can't find it now. The best I can spot is a reference to it in https://fedoraproject.org/wiki/SecurityBasics that says it's in Fedora Extras.

My goal is to get email up and running (rather than relying on Windows) and I wanted to try to sort out best defense available that meshed with Fedora. The choice of rc.local is mine as I want it to happen at least once per time I use this F14 computer and don't want to have to su to root and manually run each time. I've seen mention of chkconfig but know nothing about it ... and haven't been able to see any reason why rc.local isn't a reasonable choice for doing freshclam and clamscan.

Once again, your help is very appreciated. I think I am actually up-and-running and just need to figure out how to do it cleaner.

Paul