On Thu, 2006-06-29 at 08:29 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 22:15 -0500, Marc Schwartz wrote:
> > On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
> > > > >
> > > > > That might be dontaudit-able. Is /var/lib/clamav any user's home
> > > > > directory?
> > > >
> > > > The /var/lib/clamav tree appears to be owned by 'clamav', both user and
> > > > group:
> > > >
> > > > $ ls -l /var/lib
> > > > total 264
> > > > ...
> > > > drwxr-xr-x 2 clamav clamav 4096 Jun 28 11:00 clamav
> > > > ...
> > > >
> > > > ls -l /var/lib/clamav
> > > > total 8832
> > > > -rw-r--r-- 1 clamav clamav 4050 Jun 28 11:01 clamav-4d6166b710f63075
> > > > -rw-r--r-- 1 clamav clamav 3640966 Jun 9 16:49 clamav-651c96be267fc93e
> > > > -rw-r--r-- 1 clamav clamav 380351 Jun 28 08:00 daily.cvd
> > > > -rw-r--r-- 1 clamav clamav 4978654 Jun 9 18:00 main.cvd
> > > >
> > > >
> > > > $ cat /etc/passwd | grep clamav
> > > > clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
> > > >
> > > >
> > > > $ cat /etc/group | grep clamav
> > > > clamav:x:101:
> > >
> > > The search in /var/lib/clamav is probably a result of something running
> > > as that user, perhaps procmail. Does the clamav user get any mail?
> >
> > Paul,
> >
> > Good call. Yes indeed.
> >
> > It would appear that clamav (the user) gets mail when there are problems
> > with the hourly database updates. For example, if there are DNS problems
> > or other issues with server access. I do see these coming from the root
> > account, which then get forwarded to my user account via the postfix
> > mapping. I had not paid attention, until now, regarding the multiple
> > e-mail addresses in the To: field.
> >
> > After doing some searching, it turns out that this is configured
> > in /etc/crond./clamav-update.
> >
> > In that file, mail is targeted (by default) to go to root, postmaster,
> > webmaster and clamav. Now that I have looked at the content
> > of /var/spool/mail/clamav, I do note that the mail is indeed sent to the
> > aforementioned users.
> >
> > Of course, postmaster and webmaster do not exist on my system as users.
> >
> > Also, in the file is the following:
> >
> > ## It is ok to execute it as root; freshclam drops privileges and becomes
> > ## user 'clamav' as soon as possible
> > 0 */3 * * * root /usr/share/clamav/freshclam-sleep
> >
> > From other sources, it would appear that the freshclam programs, even if
> > started as root, will setuid to clamav. This is configured
> > in /etc/freshclam.conf. The default is:
> >
> > # By default when started freshclam drops privileges and switches to the
> > # "clamav" user. This directive allows you to change the database owner.
> > # Default: clamav (may depend on installation options)
> > #DatabaseOwner clamav
> >
> >
> > I could adjust the e-mail targets or other settings if you need me to.
>
> I think the email targets are OK; you should just alias clamav,
> webmaster, and postmaster (every mail system should have a postmaster)
> to root, which in turn is aliased to you.

Paul,

I aliased clamav to root. postmaster and webmaster were already aliased
to root.

I am also now in Enforcing mode.

We should probably give this a good 24 hours to run through the various
cycles of e-mails and cron jobs. If anything comes up in the mean time,
I'll post back.

Just for reference, current policies loaded:

amavis 1.0.4
clamav 1.0.1
dcc 1.0.0
myclamav 0.1.5
mydcc 0.1.8
mypostfix 0.1.0
mypyzor 0.2.3
myspamassassin 0.1.1
procmail 0.5.4
pyzor 1.0.1
razor 1.0.0

Thanks for all the help.

Marc

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
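
The thread traces the search in /var/lib/clamav to mail being delivered to the clamav account itself, and resolves it by aliasing that account to root. As an added example (not part of the thread and not any poster's code), the shell function below lists nologin accounts, plus extra recipient names such as postmaster and webmaster, that have no aliases entry. The function name and the sample file contents are constructed, and it assumes the usual `name: target` aliases format.

```shell
#!/bin/sh
# Hypothetical helper: unaliased_system_accounts PASSWD ALIASES [NAME...]
# Prints "name:home" for every nologin/false-shell account in PASSWD that has
# no entry in ALIASES, then "name:(address only)" for each extra NAME (a
# recipient with no account) that is also missing from ALIASES.
unaliased_system_accounts() {
    passwd_file=$1
    aliases_file=$2
    shift 2
    awk -F: -v extra="$*" '
        # Aliases file: remember the left-hand side of each "name: target".
        FILENAME == ARGV[1] {
            # Skip comments, blank lines and indented continuation lines.
            if ($0 ~ /^([ \t]|#|$)/ || NF < 2) next
            name = $1
            gsub(/[ \t]/, "", name)
            aliased[tolower(name)] = 1
            next
        }
        # passwd file: a non-login account without an alias gets local
        # delivery, so the delivery agent runs as it and searches its home.
        $7 ~ /\/(nologin|false)$/ && !(tolower($1) in aliased) {
            print $1 ":" $6
        }
        END {
            n = split(extra, names, " ")
            for (i = 1; i <= n; i++)
                if (!(tolower(names[i]) in aliased))
                    print names[i] ":(address only)"
        }
    ' "$aliases_file" "$passwd_file"
}

# Constructed sample data, modelled on the passwd entry quoted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
EOF
cat > "$demo_dir/aliases" <<'EOF'
# constructed aliases file: clamav has no entry yet
bin: root
postmaster: root
webmaster: root
EOF
unaliased_system_accounts "$demo_dir/passwd" "$demo_dir/aliases" postmaster webmaster
rm -rf "$demo_dir"
```

On a real host the arguments would be /etc/passwd and /etc/aliases; an empty result means every such account is covered by an alias.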