Clamav + amavisd-new

Jan-Frode Myklebust janfrode at tanso.net
Thu Mar 10 23:28:18 UTC 2011 

On 2011-03-10, Kevin Fenzi <kevin at scrye.com> wrote:
>
> Do you have any thoughts/patches for getting amavisd-new working with
> the new clamav? 

Not sure, I quickly gave up when I hit an selinux denial and saw that this
denial wasn´t happening with the old packaging. Was hoping we could run 
our new mailservers on default selinux policy if possible.

First step is probably to add back in the clamd-wrapper (which is part
of the current EPEL6 clamav), so that amavisd-new can continue to use it´s
own scanner instance trough /usr/share/clamav/clamd-wrapper, 
/etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd..  Removing
this clamd-wrapper is bound to break existing installations that has 
followed the recommendations from the old packaging about creating 
per-service clamd-instances (maybe not just for amavisd-new).

Also, security-wise the old packaging said to:

	  NEVER use 'clamav' as the user since he can modify the database.

while the new packaging runs as "clam" and has database-files owned by "clam":

	[janfrode at asav.lab:~]$ ps -ef|grep clam
	clam     20082     1  0 00:00 ?        00:00:00 clamd
	[janfrode at asav.lab:~]$ ls -al /var/lib/clamav/
	totalt 30560
	drwxr-xr-x.  2 clam clam     4096 2011-03-10 04:29 .
	drwxr-xr-x. 28 root root     4096 2011-03-03 14:38 ..
	-rw-r--r--.  1 clam clam   460288 2011-03-09 03:07 bytecode.cld
	-rw-r--r--.  1 clam clam  4588544 2011-03-10 04:29 daily.cld
	-rw-r--r--.  1 clam clam 26224310 2011-02-24 00:39 main.cvd
	-rw-------.  1  498  397      416 2011-03-05 12:20 mirrors.dat
	[janfrode at asav.lab:~]$ rpm -q clamd
	clamd-0.97-3.el6.x86_64

>
> Also, there is no amavisd-new pushed in epel6 yet, so we could push
> clamav now, and push the fixed amavisd-new as soon as it's ready, no?

There is a clamav with the previous packaging format in EPEL6. Are you 
sure changing it woun´t break existing installations ? Nobody expecting the
existing clamscan, clamupdate, clamilt users/group to exist?

I´m mostly worried that we´ll end up with confusing/different clamav and
amavisd-new installations on our RHEL5 and RHEL6 servers, plus pushing this
big change now will probably delay amavisd-new in EPEL6.. (and I need it now! :-)


  -jf

More information about the epel-devel-list mailing list