On Wed, 2006-06-28 at 22:15 -0500, Marc Schwartz wrote:
> On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
> > On Wed, 2006-06-28 at 16:38 -0500, Marc Schwartz (via MN) wrote:
> > > On Wed, 2006-06-28 at 22:23 +0100, Paul Howarth wrote:
> > > > On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
> > > > >
> > > > > <snip>
> > > > >
> > > > > There are no .forward files on my system at all, unless that is a temp
> > > > > file, which does not make sense location-wise.
> > > > >
> > > > > A Google search came up empty for that file, so I can only presume that
> > > > > there are certain configuration scenarios where the pipelining of
> > > > > e-mails would require that file.
> > > > >
> > > > > Since I am using clamassassin, I also searched through that script and
> > > > > noted nothing relevant here.
> > > > >
> > > > > Not sure what else to make of it.
> > > >
> > > > That might be dontaudit-able. Is /var/lib/clamav any user's home
> > > > directory?
> > >
> > > The /var/lib/clamav tree appears to be owned by 'clamav', both user and
> > > group:
> > >
> > > $ ls -l /var/lib
> > > total 264
> > > ...
> > > drwxr-xr-x 2 clamav clamav 4096 Jun 28 11:00 clamav
> > > ...
> > >
> > > ls -l /var/lib/clamav
> > > total 8832
> > > -rw-r--r-- 1 clamav clamav 4050 Jun 28 11:01 clamav-4d6166b710f63075
> > > -rw-r--r-- 1 clamav clamav 3640966 Jun 9 16:49 clamav-651c96be267fc93e
> > > -rw-r--r-- 1 clamav clamav 380351 Jun 28 08:00 daily.cvd
> > > -rw-r--r-- 1 clamav clamav 4978654 Jun 9 18:00 main.cvd
> > >
> > >
> > > $ cat /etc/passwd | grep clamav
> > > clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
> > >
> > >
> > > $ cat /etc/group | grep clamav
> > > clamav:x:101:
> >
> > The search in /var/lib/clamav is probably a result of something running
> > as that user, perhaps procmail. Does the clamav user get any mail?
>
> Paul,
>
> Good call. Yes indeed.
>
> It would appear that clamav (the user) gets mail when there are problems
> with the hourly database updates. For example, if there are DNS problems
> or other issues with server access. I do see these coming from the root
> account, which then get forwarded to my user account via the postfix
> mapping. I had not paid attention, until now, regarding the multiple
> e-mail addresses in the To: field.
>
> After doing some searching, it turns out that this is configured
> in /etc/crond./clamav-update.
>
> In that file, mail is targeted (by default) to go to root, postmaster,
> webmaster and clamav. Now that I have looked at the content
> of /var/spool/mail/clamav, I do note that the mail is indeed sent to the
> aforementioned users.
>
> Of course, postmaster and webmaster do not exist on my system as users.
>
> Also, in the file is the following:
>
> ## It is ok to execute it as root; freshclam drops privileges and becomes
> ## user 'clamav' as soon as possible
> 0 */3 * * * root /usr/share/clamav/freshclam-sleep
>
> From other sources, it would appear that the freshclam programs, even if
> started as root, will setuid to clamav. This is configured
> in /etc/freshclam.conf. The default is:
>
> # By default when started freshclam drops privileges and switches to the
> # "clamav" user. This directive allows you to change the database owner.
> # Default: clamav (may depend on installation options)
> #DatabaseOwner clamav
>
>
> I could adjust the e-mail targets or other settings if you need me to.

I think the email targets are OK; you should just alias clamav,
webmaster, and postmaster (every mail system should have a postmaster)
to root, which in turn is aliased to you.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
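
The alias chain suggested in the reply above can be checked before relying on it. The following is an added example, not part of the original thread: a small shell function that follows /etc/aliases-style entries until a name has no further alias. The names `resolve_alias`, `report`, `SAMPLE_ALIASES` and the user `alice` are hypothetical, the sample data is constructed, and only single-target entries are handled (no `:include:` or continuation lines).

```shell
#!/bin/sh
# Constructed sample data (not from the thread's system): the four cron mail
# recipients are aliased to root, and root to a hypothetical user "alice".
SAMPLE_ALIASES='# /etc/aliases style, constructed sample
postmaster: root
webmaster:  root
clamav:     root
root:       alice'

# resolve_alias NAME ALIASES_TEXT
# Follow single-target aliases until a name has no alias entry and print that
# final name. Prints "LOOP" and returns 1 if the chain does not terminate.
resolve_alias() {
    printf '%s\n' "$2" | awk -v start="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            split($0, kv, ":")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            map[tolower(key)] = val              # alias names are case-insensitive
        }
        END {
            name = start
            for (hops = 0; hops < 10; hops++) {
                k = tolower(name)
                if (!(k in map)) { print name; exit 0 }
                name = map[k]
            }
            print "LOOP"; exit 1                 # more than 10 hops: treat as a cycle
        }'
}

# report RECIPIENTS ALIASES_TEXT: print one "recipient -> final mailbox" line each.
report() {
    for r in $1; do
        printf '%s -> %s\n' "$r" "$(resolve_alias "$r" "$2")"
    done
}

report "root postmaster webmaster clamav" "$SAMPLE_ALIASES"
```

A recipient that resolves to itself has no alias entry, so its mail is delivered locally under that name if the account exists.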