On 09/20/2012 05:38 AM, Zdenek Pytela wrote:
> Daniel J Walsh wrote:
>> On 09/19/2012 07:36 AM, Bill Shirley wrote:
>>>
>>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>>>> seems to be missing..."
>>>>>
>>>>> Whatever is the parameter after the @ and before the dot becomes
>>>>> %i in the service file. Look at the service file:
>>>>>
>>>>> [Unit]
>>>>> Description = clamd scanner (%i) daemon
>>>>> After = syslog.target nss-lookup.target network.target
>>>>>
>>>>> [Service]
>>>>> Type = simple
>>>>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>>>>> Restart = on-failure
>>>>> PrivateTmp = true
>>>>>
>>>>> so clamd@scan.service invokes clamd with the scan.conf file as its
>>>>> configuration file. This way you can have multiple clamd services
>>>>> each using a different config file. Just create another config
>>>>> file in /etc/clamd.d/my_config.conf and:
>>>>>
>>>>> ln -s /lib/systemd/system/clamd@.service /etc/systemd/system/clamd@my_config.service
>>>>>
>>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>>
>>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>> Thank you Bill for a helpful and, more importantly, informative
>>>> reply. I think this will not only help me to solve my problem but,
>>>> even better, help me to understand where I was going wrong.
>>>>
>>>> As before, I don't have access to the machine right now, so I will
>>>> try when I get home to work through this and get it right.
>>>>
>>>> I will once again report back later...
>>>>
>>>> Thanks again. Your help is much appreciated.
>>>>
>>>> Mark
>>>>
>>>
>>> You mentioned scanning email. I run clamav-milter and stop the virus
>>> at smtp time. You may find this helpful:
>>>
>>> [root@moses clamav]# rpm -qa | grep clam | sort
>>> clamav-data-0.97.5-1700.fc17.noarch
>>> clamav-filesystem-0.97.5-1700.fc17.noarch
>>> clamav-lib-0.97.5-1700.fc17.x86_64
>>> clamav-milter-0.97.5-1700.fc17.x86_64
>>> clamav-milter-systemd-0.97.5-1700.fc17.noarch
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch
>>> clamav-server-0.97.5-1700.fc17.x86_64
>>> clamav-server-systemd-0.97.5-1700.fc17.noarch
>>> clamav-update-0.97.5-1700.fc17.x86_64
>>>
>>> For clamav-milter, I had to add clamilt to the postfix group
>>> (usermod -a -G postfix clamilt):
>>>
>>> [root@moses clamav]# egrep 'post|clam' /etc/group
>>> mail:x:12:postfix
>>> postfix:x:89:clamilt
>>> postdrop:x:90:
>>> clamscan:x:987:clamilt
>>> clamilt:x:988:postfix
>>> clamupdate:x:989:
>>>
>>> Add to the end of /etc/mail/clamav-milter.conf:
>>>
>>> # my stuff
>>> # be sure to comment out above: Example
>>>
>>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>> MilterSocket /var/run/clamav-milter/clamav-milter.socket
>>> ##MilterSocket inet:3381
>>> # usermod -a -G postfix clamilt
>>> MilterSocketGroup postfix
>>> MilterSocketMode 660
>>>
>>> OnInfected Reject
>>> AddHeader Replace
>>>
>>> #LogFile /var/log/clamav-milter.log
>>> #LogFileMaxSize 1M
>>> #LogTime yes
>>> LogSyslog yes
>>> LogFacility LOG_MAIL
>>> #LogVerbose no
>>> LogClean Basic
>>> LogInfected Full
>>>
>>> Add to postfix's main.cf:
>>>
>>> # usermod -a -G clamilt postfix
>>> smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
>>> #milter_default_action = accept
>>> milter_default_action = tempfail
>>>
>>> I can't remember if I had to create the directory, but here is that
>>> info:
>>>
>>> [root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
>>> drwxr-xr-x. root root system_u:object_r:var_t:s0 /var
>>> lrwxrwxrwx. root root system_u:object_r:var_run_t:s0 /var/run -> ../run
>>> drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
>>> srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter/clamav-milter.socket
>>>
>>> For clamav, to avoid selinux problems issue command:
>>>
>>> setsebool -P clamd_use_jit on
>>>
>>> Add to end of scan.conf:
>>>
>>> # my stuff
>>> # be sure to comment out above: Example
>>>
>>> #LogFile /var/log/clamav/clamd.scan
>>> #LogFacility LOG_MAIL
>>> LogFacility LOG_DAEMON
>>> ExtendedDetectionInfo yes
>>> LocalSocket /var/run/clamd.scan/clamd.sock
>>> #LocalSocketGroup virusgroup
>>> #LocalSocketMode 660
>>> FixStaleSocket yes
>>> CrossFilesystems no
>>> ExcludePath ^/proc/
>>> ExcludePath ^/sys/
>>> ExcludePath ^/fuse/
>>> ExcludePath ^/backup/
>>> ExcludePath ^/bacula/
>>> SelfCheck 3600
>>>
>>> And finally freshclam, add to the end of freshclam.conf:
>>>
>>> # my stuff
>>> LogFacility LOG_DAEMON
>>> DatabaseMirror db.US.clamav.net
>>> TestDatabases yes
>>>
>>> Note in all the clamav configuration files there is a line:
>>> Example
>>> that has to be commented out for the service to run.
>>>
>>> Don't forget to systemctl enable these two services:
>>>
>>> [root@moses clamav]# systemctl is-active clamav-milter.service
>>> active
>>> [root@moses clamav]# systemctl is-active clamd@scan.service
>>> active
>>>
>>> Hope this helps,
>>> Bill
>>>
>> Is this the default setting for clamd now?
>> clamd_use_jit on
>> Should we turn this on by default?
> On a fresh install there is
>
> # Bytecode mode
> #
> # This option has been set to 'ForceInterpreter' in Fedora due to
> # security concerns by default. You might need to enable the
> # 'clamd_use_jit' SELinux boolean after setting this option to the
> # more efficient 'ForceJIT' value.
> #
> # Default: ForceInterpreter
> #ByteCodeMode ForceInterpreter
>
> We didn't change this, but had to change clamd_use_jit --> on.
>
Then I would open a bug with clamd.
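
The parts of the setup quoted above that have to agree with each other, as an added example that is not part of the original messages: the instance name in clamd@scan.service selects /etc/clamd.d/scan.conf, neither config file may keep an active Example line, and clamav-milter's ClamdSocket must point at clamd's LocalSocket. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the clamd@<instance> + clamav-milter setup.

# clamd@scan.service -> <root>/etc/clamd.d/scan.conf (%i = text between "@" and ".service")
instance_conf() {
    inst=${1#*@}; inst=${inst%.service}
    printf '%s/etc/clamd.d/%s.conf\n' "${2:-}" "$inst"
}

# Last active (uncommented) value of a "Directive value" line; empty if unset.
conf_get() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# Succeeds if the stock "Example" line is still active (the service will not run with it).
has_example() { grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$1"; }

# check_setup <unit> <milter.conf> [root]; returns 0 when every check passes.
check_setup() {
    conf=$(instance_conf "$1" "${3:-}"); rc=0
    [ -r "$conf" ] || { echo "FAIL: $conf not found"; return 2; }
    for f in "$conf" "$2"; do
        if has_example "$f"; then echo "FAIL: active Example line in $f"; rc=1; fi
    done
    sock=$(conf_get "$conf" LocalSocket); msock=$(conf_get "$2" ClamdSocket)
    if [ -z "$sock" ] || [ "unix:$sock" != "$msock" ]; then
        echo "FAIL: clamd LocalSocket '$sock' vs milter ClamdSocket '$msock'"; rc=1
    fi
    echo "INFO: ByteCodeMode=$(conf_get "$conf" ByteCodeMode) (empty = not set in this file)"
    return $rc
}

# Constructed sample files, modelled on the settings quoted in the thread.
make_sample() {
    mkdir -p "$1/etc/clamd.d" "$1/etc/mail"
    printf '%s\n' '#Example' 'LogFacility LOG_DAEMON' \
        'LocalSocket /var/run/clamd.scan/clamd.sock' > "$1/etc/clamd.d/scan.conf"
    printf '%s\n' '#Example' 'ClamdSocket unix:/var/run/clamd.scan/clamd.sock' \
        'MilterSocketGroup postfix' 'MilterSocketMode 660' > "$1/etc/mail/clamav-milter.conf"
}

# Demo run against the constructed files in a scratch directory.
demo=$(mktemp -d)
make_sample "$demo"
check_setup clamd@scan.service "$demo/etc/mail/clamav-milter.conf" "$demo" && echo "OK"
rm -rf "$demo"
```

On a real host, omit the third argument so that the paths resolve under /, and pass /etc/mail/clamav-milter.conf as the milter file.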