postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Thu Jun 29 13:27:13 UTC 2006


On Thu, 2006-06-29 at 08:29 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 22:15 -0500, Marc Schwartz wrote:
> > On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
> > > > > 
> > > > > That might be dontaudit-able. Is /var/lib/clamav any user's home
> > > > > directory?
> > > > 
> > > > The /var/lib/clamav tree appears to be owned by 'clamav', both user and
> > > > group:
> > > > 
> > > > $ ls -l /var/lib
> > > > total 264
> > > > ...
> > > > drwxr-xr-x  2 clamav    clamav   4096 Jun 28 11:00 clamav
> > > > ...
> > > > 
> > > > $ ls -l /var/lib/clamav
> > > > total 8832
> > > > -rw-r--r-- 1 clamav clamav    4050 Jun 28 11:01 clamav-4d6166b710f63075
> > > > -rw-r--r-- 1 clamav clamav 3640966 Jun  9 16:49 clamav-651c96be267fc93e
> > > > -rw-r--r-- 1 clamav clamav  380351 Jun 28 08:00 daily.cvd
> > > > -rw-r--r-- 1 clamav clamav 4978654 Jun  9 18:00 main.cvd
> > > > 
> > > > 
> > > > $ cat /etc/passwd | grep clamav
> > > > clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
> > > > 
> > > > 
> > > > $ cat /etc/group | grep clamav
> > > > clamav:x:101:
> > > 
> > > The search in /var/lib/clamav is probably a result of something running
> > > as that user, perhaps procmail. Does the clamav user get any mail?
> > 
> > Paul,
> > 
> > Good call.  Yes indeed.
> > 
> > It would appear that clamav (the user) gets mail when there are problems
> > with the hourly database updates. For example, if there are DNS problems
> > or other issues with server access.  I do see these coming from the root
> > account, which then get forwarded to my user account via the postfix
> > mapping. I had not paid attention, until now, regarding the multiple
> > e-mail addresses in the To: field.
> > 
> > After doing some searching, it turns out that this is configured
> > in /etc/cron.d/clamav-update.
> > 
> > In that file, mail is targeted (by default) to go to root, postmaster,
> > webmaster and clamav. Now that I have looked at the content
> > of /var/spool/mail/clamav, I do note that the mail is indeed sent to the
> > aforementioned users.
> > 
> > Of course, postmaster and webmaster do not exist on my system as users.
> > 
> > Also, in the file is the following:
> > 
> > ## It is ok to execute it as root; freshclam drops privileges and becomes
> > ## user 'clamav' as soon as possible
> > 0  */3 * * * root /usr/share/clamav/freshclam-sleep
> > 
> > From other sources, it would appear that the freshclam programs, even if
> > started as root, will setuid to clamav. This is configured
> > in /etc/freshclam.conf.  The default is:
> > 
> > # By default when started freshclam drops privileges and switches to the
> > # "clamav" user. This directive allows you to change the database owner.
> > # Default: clamav (may depend on installation options)
> > #DatabaseOwner clamav
> > 
> > 
> > I could adjust the e-mail targets or other settings if you need me to.
> 
> I think the email targets are OK; you should just alias clamav,
> webmaster, and postmaster (every mail system should have a postmaster)
> to root, which in turn is aliased to you.

Paul,

I aliased clamav to root. postmaster and webmaster were already aliased
to root.

I am also now in Enforcing mode.

We should probably give this a good 24 hours to run through the various
cycles of e-mails and cron jobs.

If anything comes up in the meantime, I'll post back.

Just for reference, current policies loaded:

amavis  1.0.4
clamav  1.0.1
dcc     1.0.0
myclamav        0.1.5
mydcc   0.1.8
mypostfix       0.1.0
mypyzor 0.2.3
myspamassassin  0.1.1
procmail        0.5.4
pyzor   1.0.1
razor   1.0.0


Thanks for all the help.

Marc
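
An added example, not part of the original message or of any project mentioned in it: a shell check for the situation discussed in this thread, where a service account such as clamav is addressed by cron mail but has no alias, so the mail is delivered locally instead of being redirected to root. The function name unaliased_accounts, the user marc and both sample files are constructed for illustration.

```sh
#!/bin/sh
# unaliased_accounts ALIASES_FILE PASSWD_FILE [ROLE...]
# Prints each account in PASSWD_FILE with a nologin/false shell, and each
# ROLE name given, that has no "name: target" entry in ALIASES_FILE.
unaliased_accounts() {
    aliases_file=$1; passwd_file=$2; shift 2
    awk -F: -v roles="$*" '
        # aliases(5): an entry starts in column 1; lines starting with # are comments.
        FILENAME == ARGV[1] {
            if ($0 ~ /^[^# \t]/ && NF > 1) {
                name = $1
                sub(/[ \t]+$/, "", name)
                aliased[tolower(name)] = 1
            }
            next
        }
        # passwd(5): field 7 is the login shell; service accounts use nologin or false.
        $7 ~ /\/(nologin|false)$/ { check($1) }
        END {
            n = split(roles, r, " ")
            for (i = 1; i <= n; i++) check(r[i])
        }
        function check(name) {
            if (!(tolower(name) in aliased) && !(name in seen)) print name
            seen[name] = 1
        }
    ' "$aliases_file" "$passwd_file"
}

# Constructed sample files; only the clamav passwd line is taken from the thread.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
marc:x:500:500::/home/marc:/bin/bash
EOF
cat > "$demo_dir/aliases" <<'EOF'
# constructed aliases file, as it would look before clamav is aliased
postmaster: root
webmaster:  root
root:       marc
EOF
# Prints: clamav
unaliased_accounts "$demo_dir/aliases" "$demo_dir/passwd" postmaster webmaster
```

On a real system the arguments would be the aliases file the MTA is configured to use and /etc/passwd; after editing the aliases file, run newaliases so the change takes effect.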





More information about the fedora-selinux-list mailing list