Clamav + amavisd-new
Jan-Frode Myklebust
janfrode at tanso.net
Thu Mar 10 23:28:18 UTC 2011
On 2011-03-10, Kevin Fenzi <kevin at scrye.com> wrote:
>
> Do you have any thoughts/patches for getting amavisd-new working with
> the new clamav?
Not sure, I quickly gave up when I hit an SELinux denial and saw that this
denial wasn't happening with the old packaging. Was hoping we could run
our new mailservers on default SELinux policy if possible.

First step is probably to add back in the clamd-wrapper (which is part
of the current EPEL6 clamav), so that amavisd-new can continue to use its
own scanner instance through /usr/share/clamav/clamd-wrapper,
/etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd. Removing
this clamd-wrapper is bound to break existing installations that have
followed the recommendations from the old packaging about creating
per-service clamd-instances (maybe not just for amavisd-new).
Also, security-wise the old packaging said to:

    NEVER use 'clamav' as the user since he can modify the database.

while the new packaging runs as "clam" and has database-files owned by "clam":
[janfrode at asav.lab:~]$ ps -ef|grep clam
clam 20082 1 0 00:00 ? 00:00:00 clamd
[janfrode at asav.lab:~]$ ls -al /var/lib/clamav/
totalt 30560
drwxr-xr-x. 2 clam clam 4096 2011-03-10 04:29 .
drwxr-xr-x. 28 root root 4096 2011-03-03 14:38 ..
-rw-r--r--. 1 clam clam 460288 2011-03-09 03:07 bytecode.cld
-rw-r--r--. 1 clam clam 4588544 2011-03-10 04:29 daily.cld
-rw-r--r--. 1 clam clam 26224310 2011-02-24 00:39 main.cvd
-rw-------. 1 498 397 416 2011-03-05 12:20 mirrors.dat
[janfrode at asav.lab:~]$ rpm -q clamd
clamd-0.97-3.el6.x86_64
>
> Also, there is no amavisd-new pushed in epel6 yet, so we could push
> clamav now, and push the fixed amavisd-new as soon as it's ready, no?
There is a clamav with the previous packaging format in EPEL6. Are you
sure changing it won't break existing installations? Nobody expecting the
existing clamscan, clamupdate, clamilt users/group to exist?

I'm mostly worried that we'll end up with confusing/different clamav and
amavisd-new installations on our RHEL5 and RHEL6 servers, plus pushing this
big change now will probably delay amavisd-new in EPEL6.. (and I need it now! :-)
-jf
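
A check for the ownership concern raised in the message above, as an added example that is not part of the original post or of either package: it lists the entries under the signature-database directory that a running clamd's account could modify. The function names are hypothetical, and it assumes Linux `/proc` and `pgrep`.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux (/proc, pgrep).

# db_modifiable_by UID "GID..." DIR
# Print entries under DIR that a process with numeric UID and GIDs could modify:
# anything it owns (an owner can always chmod), anything group-writable for one
# of its groups, anything world-writable. DIR itself is included, because write
# access to the directory allows replacing files. Symlinks are skipped.
db_modifiable_by() {
    m_uid=$1 m_gids=$2 m_dir=$3
    if [ "$m_uid" -eq 0 ]; then      # root bypasses mode bits entirely
        find "$m_dir" ! -type l -print | sort
        return
    fi
    {
        find "$m_dir" ! -type l -user "$m_uid" -print
        for m_gid in $m_gids; do
            find "$m_dir" ! -type l -group "$m_gid" -perm -020 -print
        done
        find "$m_dir" ! -type l -perm -002 -print
    } | sort -u
}

# audit_clamd [DIR]
# Check DIR (default /var/lib/clamav, the path shown in the post) against the
# effective credentials of every running clamd.
# Returns 0 = nothing modifiable, 1 = something modifiable, 2 = no clamd running.
audit_clamd() {
    a_dir=${1:-/var/lib/clamav}
    a_pids=$(pgrep -x clamd) || { echo "no clamd process found" >&2; return 2; }
    a_rc=0
    for a_pid in $a_pids; do
        # Effective uid/gid plus supplementary groups actually held by the process
        a_uid=$(awk '/^Uid:/ {print $3}' "/proc/$a_pid/status")
        a_gids=$(awk '/^Gid:/ {print $3} /^Groups:/ {$1=""; print}' "/proc/$a_pid/status")
        a_hits=$(db_modifiable_by "$a_uid" "$a_gids" "$a_dir")
        if [ -n "$a_hits" ]; then
            echo "clamd pid $a_pid (uid $a_uid) can modify:"
            echo "$a_hits" | sed 's/^/  /'
            a_rc=1
        fi
    done
    return $a_rc
}
```

Source the file and run `audit_clamd`, or pass the database directory of a per-service instance as the argument.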