Clamav + amavisd-new
kevin at scrye.com
Sat Mar 12 19:25:29 UTC 2011
On Fri, 11 Mar 2011 00:28:18 +0100
Jan-Frode Myklebust <janfrode at tanso.net> wrote:
> On 2011-03-10, Kevin Fenzi <kevin at scrye.com> wrote:
> > Do you have any thoughts/patches for getting amavisd-new working
> > with the new clamav?
> Not sure, I quickly gave up when I hit an selinux denial and saw that
> this denial wasn't happening with the old packaging. Was hoping we
> could run our new mailservers on default selinux policy if possible.
Sure, that would be a bug worth fixing I agree.
> First step is probably to add back in the clamd-wrapper (which is part
> of the current EPEL6 clamav), so that amavisd-new can continue to use
> its own scanner instance through /usr/share/clamav/clamd-wrapper,
> /etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd..
> Removing this clamd-wrapper is bound to break existing installations
> that have followed the recommendations from the old packaging about
> creating per-service clamd-instances (maybe not just for amavisd-new).
Yes, that's something the old package said. In practice I don't know how
much security it really provides. ;(
Anyhow, yeah, if we could add the wrapper thing that amavisd-new needs
that might be a quick solution.
> Also, security-wise the old packaging said to:
> NEVER use 'clamav' as the user since he can modify the
> while the new packaging runs as "clam" and has database-files owned
> by "clam":
What runs as 'clam'? clamd?
Yes, that's true. It does mean the clam user could modify the db files,
but the additional security here I don't know is worth it.
If you wish to separate things like that, I would suggest running
clamscan instead as whatever user.
> > Also, there is no amavisd-new pushed in epel6 yet, so we could push
> > clamav now, and push the fixed amavisd-new as soon as it's ready,
> > no?
> There is a clamav with the previous packaging format in EPEL6. Are
> you sure changing it won't break existing installations? Nobody
> expecting the existing clamscan, clamupdate, clamilt users/group to
I tested it here and it worked fine for upgrades, with one exception:
the /etc/freshclam.conf.rpmnew file needed to be moved in place before
freshclam would work.
> I'm mostly worried that we'll end up with confusing/different clamav
> and amavisd-new installations on our RHEL5 and RHEL6 servers, plus
> pushing this big change now will probably delay amavisd-new in
> EPEL6.. (and I need it now! :-)
Yeah, it's all no fun for sure. ;(
Where I would like to get:
* clamav packaged the new way on 4/5/6
* amavisd-new packaged to use that on 4/5/6
How we get there is up to the maintainers... I know several people were
looking at amavisd-new. Perhaps we could get everyone together at an
irc meeting and hash out what needs to happen?
More information about the epel-devel-list