On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 16:38 -0500, Marc Schwartz (via MN) wrote:
> > On Wed, 2006-06-28 at 22:23 +0100, Paul Howarth wrote:
> > > On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
> > > > <snip>
> > > >
> > > > There are no .forward files on my system at all, unless that is a temp
> > > > file, which does not make sense location-wise.
> > > >
> > > > A Google search came up empty for that file, so I can only presume that
> > > > there are certain configuration scenarios where the pipelining of
> > > > e-mails would require that file.
> > > >
> > > > Since I am using clamassassin, I also searched through that script and
> > > > noted nothing relevant here.
> > > >
> > > > Not sure what else to make of it.
> > >
> > > That might be dontaudit-able. Is /var/lib/clamav any user's home
> > > directory?
> >
> > The /var/lib/clamav tree appears to be owned by 'clamav', both user and
> > group:
> >
> > $ ls -l /var/lib
> > total 264
> > ...
> > drwxr-xr-x 2 clamav clamav 4096 Jun 28 11:00 clamav
> > ...
> >
> > ls -l /var/lib/clamav
> > total 8832
> > -rw-r--r-- 1 clamav clamav 4050 Jun 28 11:01 clamav-4d6166b710f63075
> > -rw-r--r-- 1 clamav clamav 3640966 Jun 9 16:49 clamav-651c96be267fc93e
> > -rw-r--r-- 1 clamav clamav 380351 Jun 28 08:00 daily.cvd
> > -rw-r--r-- 1 clamav clamav 4978654 Jun 9 18:00 main.cvd
> >
> >
> > $ cat /etc/passwd | grep clamav
> > clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
> >
> >
> > $ cat /etc/group | grep clamav
> > clamav:x:101:
>
> The search in /var/lib/clamav is probably a result of something running
> as that user, perhaps procmail. Does the clamav user get any mail?

Paul,

Good call. Yes indeed.

It would appear that clamav (the user) gets mail when there are
problems with the hourly database updates. For example, if there are DNS
problems or other issues with server access.
I do see these coming from the root account, which then get forwarded to
my user account via the postfix mapping. I had not paid attention, until
now, regarding the multiple e-mail addresses in the To: field.

After doing some searching, it turns out that this is configured
in /etc/cron.d/clamav-update. In that file, mail is targeted (by default)
to go to root, postmaster, webmaster and clamav.

Now that I have looked at the content of /var/spool/mail/clamav, I do
note that the mail is indeed sent to the aforementioned users. Of
course, postmaster and webmaster do not exist on my system as users.

Also, in the file is the following:

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamav' as soon as possible
0 */3 * * * root /usr/share/clamav/freshclam-sleep

From other sources, it would appear that the freshclam programs, even if
started as root, will setuid to clamav. This is configured
in /etc/freshclam.conf. The default is:

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav

I could adjust the e-mail targets or other settings if you need me to.
Let me know.

Thanks,

Marc
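
Added example (not part of the original message or of the clamav packaging): a shell check that lists which recipients of a cron table's mail are non-login service accounts, together with the home directory that local delivery will search for a .forward file. The function names, the `MAILTO=` line and the `marc` account are constructed for illustration; the clamav passwd entry and the cron job line are the ones quoted in the thread.

```shell
#!/bin/sh
# mailto_service_accounts CRONFILE PASSWDFILE
# Prints "user home" for every MAILTO recipient in CRONFILE whose passwd
# shell ends in nologin or false. Recipients with no passwd entry (mail
# aliases such as postmaster) are skipped.
mailto_service_accounts() {
    awk -F: '
        NR == FNR {                        # first file: passwd
            home[$1] = $6; shell[$1] = $7
            next
        }
        /^[ \t]*MAILTO[ \t]*=/ {           # second file: cron table
            line = $0
            sub(/^[^=]*=/, "", line)       # keep the value only
            gsub(/[" \t]/, "", line)       # drop quotes and blanks
            n = split(line, rcpt, ",")
            for (i = 1; i <= n; i++) {
                u = rcpt[i]
                if ((u in shell) && shell[u] ~ /(nologin|false)$/)
                    print u, home[u]
            }
        }
    ' "$2" "$1"
}

# demo: run the check on constructed sample files in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
marc:x:500:500::/home/marc:/bin/bash
EOF
    # Constructed cron table: the MAILTO line is an assumed rendering of
    # the recipients named in the message.
    cat > "$tmp/clamav-update" <<'EOF'
MAILTO=root,postmaster,webmaster,clamav
0 */3 * * * root /usr/share/clamav/freshclam-sleep
EOF
    mailto_service_accounts "$tmp/clamav-update" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a live system the same function can be pointed at a file under /etc/cron.d and at /etc/passwd; each line it prints is a service account whose home directory the mail delivery agent will touch.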