Re: Clamd and systemd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/20/2012 05:38 AM, Zdenek Pytela wrote:
> Daniel J Walsh pise:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 09/19/2012 07:36 AM, Bill Shirley wrote:
>>> 
>>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>>> "What tells it that it is a "scan" service? That bit of the puzzle 
>>>>> seems to be missing..."
>>>>> 
>>>>> Whatever is the parameter after the @ and before the dot  becomes
>>>>> %i in the service file.  Look at the service file: [Unit]
>>>>> Description = clamd scanner (%i) daemon After = syslog.target
>>>>> nss-lookup.target network.target
>>>>> 
>>>>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c 
>>>>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp
>>>>> = true
>>>>> 
>>>>> so clamd@scan.service invokes clamd with the scan.conf file as it's
>>>>>  configuration file. This way you can have multiple clamd services
>>>>> each using a different config file.  Just create another config
>>>>> file in /etc/clamd.d/my_config.conf and: ln -s 
>>>>> /lib/systemd/system/clamd@.service 
>>>>> /etc/systemd/system/clamd@my_config.service
>>>>> 
>>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>> 
>>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf 
>>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>> Thank you Bill for a helpful and, more importantly, informative
>>>> reply. I think this will not only help me to solve my problem but,
>>>> even better, help me to understand where I was going wrong.
>>>> 
>>>> As before, I don't have access to the machine right now, so i will
>>>> try when I get home to work through this and get it right.
>>>> 
>>>> I will once again report back later...
>>>> 
>>>> Thanks again. Your help is much appreciated.
>>>> 
>>>> Mark
>>>> 
>>>> 
>>> 
>>> You mentioned scanning email.  I run clamav-milter and stop the virus
>>> at smtp time.  You may find this helpful:
>>> 
>>> [root@moses clamav]# rpm -qa | grep clam | sort 
>>> clamav-data-0.97.5-1700.fc17.noarch 
>>> clamav-filesystem-0.97.5-1700.fc17.noarch 
>>> clamav-lib-0.97.5-1700.fc17.x86_64
>>> clamav-milter-0.97.5-1700.fc17.x86_64 
>>> clamav-milter-systemd-0.97.5-1700.fc17.noarch 
>>> clamav-scanner-0.97.5-1700.fc17.noarch 
>>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch 
>>> clamav-server-0.97.5-1700.fc17.x86_64 
>>> clamav-server-systemd-0.97.5-1700.fc17.noarch 
>>> clamav-update-0.97.5-1700.fc17.x86_64
>>> 
>>> For clamav-milter, I had to add clamilt to the postfix group (usermod
>>> -a -G postfix clamilt): [root@moses clamav]# egrep 'post|clam'
>>> /etc/group mail:x:12:postfix postfix:x:89:clamilt postdrop:x:90: 
>>> clamscan:x:987:clamilt clamilt:x:988:postfix clamupdate:x:989:
>>> 
>>> 
>>> Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure
>>> to comment out above: Example
>>> 
>>> ClamdSocket             unix:/var/run/clamd.scan/clamd.sock
>>> MilterSocket /var/run/clamav-milter/clamav-milter.socket
>>> ##MilterSocket inet:3381 # usermod -a -G postfix clamilt
>>> MilterSocketGroup       postfix MilterSocketMode        660
>>> 
>>> OnInfected              Reject AddHeader               Replace
>>> 
>>> #LogFile                /var/log/clamav-milter.log #LogFileMaxSize 1M
>>> #LogTime                yes LogSyslog               yes LogFacility 
>>> LOG_MAIL #LogVerbose             no LogClean                Basic 
>>> LogInfected             Full
>>> 
>>> Add to postfix's main.cf: # usermod -a -G clamilt postfix smtpd_milters
>>> = unix:/var/run/clamav-milter/clamav-milter.socket
>>> #milter_default_action = accept milter_default_action = tempfail
>>> 
>>> I can't remember if I had to create the directory, but here is that
>>> info: [root@moses clamav]# ldpz
>>> /var/run/clamav-milter/clamav-milter.socket drwxr-xr-x. root    root
>>> system_u:object_r:var_t:s0       /var lrwxrwxrwx. root    root
>>> system_u:object_r:var_run_t:s0 /var/run -> ../run drwx--x---. clamilt
>>> clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
>>> srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 
>>> /var/run/clamav-milter/clamav-milter.socket
>>> 
>>> 
>>> For clamav, to avoid selinux problems issue command: setsebool -P 
>>> clamd_use_jit on
>>> 
>>> Add to end of scan.conf: # my stuff # be sure to commend out above: 
>>> Example
>>> 
>>> #LogFile                /var/log/clamav/clamd.scan #LogFacility 
>>> LOG_MAIL LogFacility             LOG_DAEMON ExtendedDetectionInfo   yes
>>>  LocalSocket             /var/run/clamd.scan/clamd.sock
>>> #LocalSocketGroup virusgroup #LocalSocketMode        660 FixStaleSocket
>>> yes CrossFilesystems        no ExcludePath             ^/proc/
>>> ExcludePath ^/sys/ ExcludePath             ^/fuse/ ExcludePath
>>> ^/backup/ ExcludePath             ^/bacula/ SelfCheck
>>> 3600
>>> 
>>> 
>>> And finally freshclam, add to the end of freshclam.conf: # my stuff 
>>> LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases
>>> yes
>>> 
>>> 
>>> Note in all the clamav configuration file there is a line: Example that
>>> has to be commented out for the service to run.
>>> 
>>> Don't forget to systemctl enable these to services: [root@moses
>>> clamav]# systemctl is-active clamav-milter.service active [root@moses
>>> clamav]# systemctl is-active clamd@scan.service active
>>> 
>>> Hope this helps, Bill
>>> 
>>> 
>>> 
>> Is this the default setting for clamd now?  clamd_use_jit on  Should we
>> turn this on by default?
> On a fresh install there is
> 
> # Bytecode mode # # This option has been set to 'ForceInterpreter' in
> Fedora due to # security concerns by default.  You might need to enable
> the # 'clamd_use_jit' SELinux boolean after setting this option to the #
> more efficient 'ForceJIT' value. # # Default: ForceInterpreter 
> #ByteCodeMode ForceInterpreter
> 
> We didn't change this, but had to change clamd_use_jit --> on.
> 
Then I would open a bug with clamd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBcbuYACgkQrlYvE4MpobPwDQCfToC2oaJq+AkeqdoD2J9rPNus
uqcAoKQU6AAhhpUGqe+6LhSXPklNYgiS
=I0DO
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux