Re: Clamd and systemd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 04:41 PM, Bill Shirley wrote:
> 
> On 9/19/2012 3:21 PM, Daniel J Walsh wrote: On 09/19/2012 07:36 AM, Bill
> Shirley wrote:
>>>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>>>> "What tells it that it is a "scan" service? That bit of the
>>>>>> puzzle seems to be missing..."
>>>>>> 
>>>>>> Whatever is the parameter after the @ and before the dot  becomes
>>>>>> %i in the service file.  Look at the service file: [Unit]
>>>>>> Description = clamd scanner (%i) daemon After = syslog.target
>>>>>> nss-lookup.target network.target
>>>>>> 
>>>>>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c 
>>>>>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp
>>>>>> = true
>>>>>> 
>>>>>> so clamd@scan.service invokes clamd with the scan.conf file as
>>>>>> it's configuration file. This way you can have multiple clamd
>>>>>> services each using a different config file.  Just create another
>>>>>> config file in /etc/clamd.d/my_config.conf and: ln -s 
>>>>>> /lib/systemd/system/clamd@.service 
>>>>>> /etc/systemd/system/clamd@my_config.service
>>>>>> 
>>>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>>> 
>>>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf 
>>>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>>> Thank you Bill for a helpful and, more importantly, informative
>>>>> reply. I think this will not only help me to solve my problem but,
>>>>> even better, help me to understand where I was going wrong.
>>>>> 
>>>>> As before, I don't have access to the machine right now, so i will
>>>>> try when I get home to work through this and get it right.
>>>>> 
>>>>> I will once again report back later...
>>>>> 
>>>>> Thanks again. Your help is much appreciated.
>>>>> 
>>>>> Mark
>>>>> 
>>>>> 
>>>> You mentioned scanning email.  I run clamav-milter and stop the virus
>>>> at smtp time.  You may find this helpful:
>>>> 
>>>> [root@moses clamav]# rpm -qa | grep clam | sort 
>>>> clamav-data-0.97.5-1700.fc17.noarch 
>>>> clamav-filesystem-0.97.5-1700.fc17.noarch 
>>>> clamav-lib-0.97.5-1700.fc17.x86_64
>>>> clamav-milter-0.97.5-1700.fc17.x86_64 
>>>> clamav-milter-systemd-0.97.5-1700.fc17.noarch 
>>>> clamav-scanner-0.97.5-1700.fc17.noarch 
>>>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch 
>>>> clamav-server-0.97.5-1700.fc17.x86_64 
>>>> clamav-server-systemd-0.97.5-1700.fc17.noarch 
>>>> clamav-update-0.97.5-1700.fc17.x86_64
>>>> 
>>>> For clamav-milter, I had to add clamilt to the postfix group (usermod
>>>> -a -G postfix clamilt): [root@moses clamav]# egrep 'post|clam'
>>>> /etc/group mail:x:12:postfix postfix:x:89:clamilt postdrop:x:90: 
>>>> clamscan:x:987:clamilt clamilt:x:988:postfix clamupdate:x:989:
>>>> 
>>>> 
>>>> Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure
>>>> to comment out above: Example
>>>> 
>>>> ClamdSocket             unix:/var/run/clamd.scan/clamd.sock
>>>> MilterSocket /var/run/clamav-milter/clamav-milter.socket
>>>> ##MilterSocket inet:3381 # usermod -a -G postfix clamilt
>>>> MilterSocketGroup       postfix MilterSocketMode        660
>>>> 
>>>> OnInfected              Reject AddHeader               Replace
>>>> 
>>>> #LogFile                /var/log/clamav-milter.log #LogFileMaxSize 1M
>>>> #LogTime                yes LogSyslog               yes LogFacility 
>>>> LOG_MAIL #LogVerbose             no LogClean                Basic 
>>>> LogInfected             Full
>>>> 
>>>> Add to postfix's main.cf: # usermod -a -G clamilt postfix
>>>> smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
>>>> #milter_default_action = accept milter_default_action = tempfail
>>>> 
>>>> I can't remember if I had to create the directory, but here is that
>>>> info: [root@moses clamav]# ldpz
>>>> /var/run/clamav-milter/clamav-milter.socket drwxr-xr-x. root    root
>>>> system_u:object_r:var_t:s0       /var lrwxrwxrwx. root    root
>>>> system_u:object_r:var_run_t:s0 /var/run -> ../run drwx--x---. clamilt
>>>> clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
>>>> srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 
>>>> /var/run/clamav-milter/clamav-milter.socket
>>>> 
>>>> 
>>>> For clamav, to avoid selinux problems issue command: setsebool -P 
>>>> clamd_use_jit on
>>>> 
>>>> Add to end of scan.conf: # my stuff # be sure to commend out above: 
>>>> Example
>>>> 
>>>> #LogFile                /var/log/clamav/clamd.scan #LogFacility 
>>>> LOG_MAIL LogFacility             LOG_DAEMON ExtendedDetectionInfo
>>>> yes LocalSocket             /var/run/clamd.scan/clamd.sock
>>>> #LocalSocketGroup virusgroup #LocalSocketMode        660
>>>> FixStaleSocket          yes CrossFilesystems        no ExcludePath
>>>> ^/proc/ ExcludePath ^/sys/ ExcludePath             ^/fuse/
>>>> ExcludePath             ^/backup/ ExcludePath             ^/bacula/
>>>> SelfCheck               3600
>>>> 
>>>> 
>>>> And finally freshclam, add to the end of freshclam.conf: # my stuff 
>>>> LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases
>>>> yes
>>>> 
>>>> 
>>>> Note in all the clamav configuration file there is a line: Example
>>>> that has to be commented out for the service to run.
>>>> 
>>>> Don't forget to systemctl enable these to services: [root@moses
>>>> clamav]# systemctl is-active clamav-milter.service active [root@moses
>>>> clamav]# systemctl is-active clamd@scan.service active
>>>> 
>>>> Hope this helps, Bill
>>>> 
>>>> 
>>>> 
> Is this the default setting for clamd now?  clamd_use_jit on  Should we
> turn this on by default? I can't speak for everyone else, but with my
> setup, I was getting selinux errors with clamd.  When I ran audit2allow it
> said to set this boolean to eliminate the errors.
> 
> Bill
> 
> 
Well had you changed any default settings in clamd to turn on JIT or does it
come with JIT turned on by default?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBaMGAACgkQrlYvE4MpobO1hQCgu6O9WCIZ2byEgkkFX09ophHd
0bwAoLJkGJxgx1IWrqpumUEs4M7FHJih
=pzaT
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux