Clamav + amavisd-new

Kevin Fenzi kevin at scrye.com
Sat Mar 12 19:25:29 UTC 2011


On Fri, 11 Mar 2011 00:28:18 +0100
Jan-Frode Myklebust <janfrode at tanso.net> wrote:

> On 2011-03-10, Kevin Fenzi <kevin at scrye.com> wrote:
> >
> > Do you have any thoughts/patches for getting amavisd-new working
> > with the new clamav? 
> 
> Not sure, I quickly gave up when I hit an selinux denial and saw that
> this denial wasn't happening with the old packaging. Was hoping we
> could run our new mailservers on default selinux policy if possible.

Sure, that would be a bug worth fixing I agree. 

> First step is probably to add back in the clamd-wrapper (which is part
> of the current EPEL6 clamav), so that amavisd-new can continue to use
> its own scanner instance through /usr/share/clamav/clamd-wrapper, 
> /etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd..
> Removing this clamd-wrapper is bound to break existing installations
> that have followed the recommendations from the old packaging about
> creating per-service clamd-instances (maybe not just for amavisd-new).

Yes, that's something the old package said. In practice I don't know how
much security it really provides. ;( 

Anyhow, yeah, if we could add the wrapper thing that amavisd-new needs
that might be a quick solution. 

> Also, security-wise the old packaging said to:
> 
> 	  NEVER use 'clamav' as the user since he can modify the
> database.
> 
> while the new packaging runs as "clam" and has database-files owned
> by "clam":

What runs as 'clam'? clamd?

Yes, that's true. It does mean the clam user could modify the db files,
but the additional security here I don't know is worth it.

If you wish to separate things like that, I would suggest running
clamscan instead as whatever user. 

> > Also, there is no amavisd-new pushed in epel6 yet, so we could push
> > clamav now, and push the fixed amavisd-new as soon as it's ready,
> > no?
> 
> There is a clamav with the previous packaging format in EPEL6. Are
> you sure changing it won't break existing installations? Nobody
> expecting the existing clamscan, clamupdate, clamilt users/group to
> exist?

I tested it here and it worked fine for upgrades, with one exception:
the /etc/freshclam.conf.rpmnew file needed to be moved in place before
freshclam would work. 

> I'm mostly worried that we'll end up with confusing/different clamav
> and amavisd-new installations on our RHEL5 and RHEL6 servers, plus
> pushing this big change now will probably delay amavisd-new in
> EPEL6.. (and I need it now! :-)

Yeah, it's all no fun for sure. ;( 

Where I would like to get: 

* clamav packaged the new way on 4/5/6
* amavisd-new packaged to use that on 4/5/6

How we get there is up to the maintainers... I know several people were
looking at amavisd-new. Perhaps we could get everyone together at an
irc meeting and hash out what needs to happen?

kevin
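A check for the point raised above about the clamd service user owning the signature database, added here as an example (it is not from the thread or from the clamav packaging): it reads the User directive from a clamd.d config such as /etc/clamd.d/amavisd.conf and reports any .cvd/.cld file in a database directory that this user could modify. The database directory path and GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or the clamav package.
# Assumes GNU coreutils stat and clamd's "User <name>" directive syntax.

# Print the effective "User" directive of a clamd config (last active one
# wins, commented lines are ignored); prints nothing if it is absent.
clamd_user() {
    sed -n 's/^[[:space:]]*User[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Report database files in $2 that the clamd user from config $1 can modify.
# Returns 0 when none is found, 1 when at least one is (or no User is set).
check_clamd_db_ownership() {
    cfg=$1
    dbdir=$2
    user=$(clamd_user "$cfg")
    if [ -z "$user" ]; then
        echo "$cfg: no User directive, clamd keeps the privileges it was started with"
        return 1
    fi
    groups=$(id -Gn "$user" 2>/dev/null || true)   # empty if the user does not exist
    rc=0
    for f in "$dbdir"/*.cvd "$dbdir"/*.cld; do
        [ -e "$f" ] || continue
        set -- $(stat -c '%U %G %a' "$f")
        owner=$1 group=$2 mode=$3
        if [ "$owner" = "$user" ]; then
            # the owner can always chmod the file, so the mode does not matter here
            echo "$f: owned by clamd user '$user' (the scanner could replace its own signatures)"
            rc=1
        elif case ${mode%?} in *[2367]) true ;; *) false ;; esac &&
             printf '%s\n' $groups | grep -qx "$group"; then
            # group write bit set and the clamd user is a member of that group
            echo "$f: group-writable by '$group', which contains '$user'"
            rc=1
        elif case $mode in *[2367]) true ;; *) false ;; esac; then
            echo "$f: world-writable (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_clamd_db.sh /etc/clamd.d/amavisd.conf /var/lib/clamav
# (/var/lib/clamav is the assumed database directory, not taken from the thread)
if [ "$#" -eq 2 ]; then
    check_clamd_db_ownership "$1" "$2"
fi
```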