postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Thu Jun 29 03:15:24 UTC 2006


On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
> On Wed, 2006-06-28 at 16:38 -0500, Marc Schwartz (via MN) wrote:
> > On Wed, 2006-06-28 at 22:23 +0100, Paul Howarth wrote:
> > > On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
> > 
> > <snip>
> > 
> > > > 
> > > > There are no .forward files on my system at all, unless that is a temp
> > > > file, which does not make sense location-wise.
> > > > 
> > > > A Google search came up empty for that file, so I can only presume that
> > > > there are certain configuration scenarios where the pipelining of
> > > > e-mails would require that file.
> > > > 
> > > > Since I am using clamassassin, I also searched through that script and
> > > > noted nothing relevant here.
> > > > 
> > > > Not sure what else to make of it.
> > > 
> > > That might be dontaudit-able. Is /var/lib/clamav any user's home
> > > directory?
> > 
> > The /var/lib/clamav tree appears to be owned by 'clamav', both user and
> > group:
> > 
> > $ ls -l /var/lib
> > total 264
> > ...
> > drwxr-xr-x  2 clamav    clamav   4096 Jun 28 11:00 clamav
> > ...
> > 
> > $ ls -l /var/lib/clamav
> > total 8832
> > -rw-r--r-- 1 clamav clamav    4050 Jun 28 11:01 clamav-4d6166b710f63075
> > -rw-r--r-- 1 clamav clamav 3640966 Jun  9 16:49 clamav-651c96be267fc93e
> > -rw-r--r-- 1 clamav clamav  380351 Jun 28 08:00 daily.cvd
> > -rw-r--r-- 1 clamav clamav 4978654 Jun  9 18:00 main.cvd
> > 
> > 
> > $ cat /etc/passwd | grep clamav
> > clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
> > 
> > 
> > $ cat /etc/group | grep clamav
> > clamav:x:101:
> 
> The search in /var/lib/clamav is probably a result of something running
> as that user, perhaps procmail. Does the clamav user get any mail?

Paul,

Good call.  Yes indeed.

It would appear that clamav (the user) gets mail when there are problems
with the hourly database updates. For example, if there are DNS problems
or other issues with server access.  I do see these coming from the root
account, which then get forwarded to my user account via the postfix
mapping. I had not paid attention, until now, regarding the multiple
e-mail addresses in the To: field.

After doing some searching, it turns out that this is configured
in /etc/cron.d/clamav-update.

In that file, mail is targeted (by default) to go to root, postmaster,
webmaster and clamav. Now that I have looked at the content
of /var/spool/mail/clamav, I do note that the mail is indeed sent to the
aforementioned users.

Of course, postmaster and webmaster do not exist on my system as users.

Also, in the file is the following:

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamav' as soon as possible
0  */3 * * * root /usr/share/clamav/freshclam-sleep

From other sources, it would appear that the freshclam programs, even if
started as root, will setuid to clamav. This is configured
in /etc/freshclam.conf.  The default is:

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav


I could adjust the e-mail targets or other settings if you need me to.

Let me know.

Thanks,

Marc
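The situation above (cron failure mail addressed to a service account whose home directory is a daemon's data directory, so the local delivery agent looks for a .forward there) can be checked for with a small script. This is an added example, not part of the thread; it assumes the cron.d file carries a `MAILTO=` line and uses constructed passwd and cron samples that mirror the setup described here.

```sh
#!/bin/sh
# Constructed sample inputs modelled on the thread (not real system files).
PASSWD_SAMPLE="root:x:0:0:root:/root:/bin/bash
clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
marc:x:500:500:Marc:/home/marc:/bin/bash"

CRON_SAMPLE="MAILTO=root,postmaster,webmaster,clamav
0  */3 * * * root /usr/share/clamav/freshclam-sleep"

# Extract the comma-separated MAILTO recipients, one per line.
mailto_recipients() {
  # $1 = cron file text
  printf '%s\n' "$1" | sed -n 's/^MAILTO=//p' | tr ',' '\n'
}

# Print one line per recipient: "<user> <home> <shell>" for local accounts,
# "<user> - -" for names with no passwd entry (those are resolved through
# the alias map rather than a home-directory .forward lookup).
forward_lookup_targets() {
  # $1 = passwd text, $2 = cron file text
  mailto_recipients "$2" | while IFS= read -r user; do
    [ -n "$user" ] || continue
    entry=$(printf '%s\n' "$1" | awk -F: -v u="$user" '$1 == u { print $6, $7 }')
    if [ -n "$entry" ]; then
      printf '%s %s\n' "$user" "$entry"
    else
      printf '%s - -\n' "$user"
    fi
  done
}

# Keep only recipients that are local service accounts (non-login shell):
# delivery to these makes the delivery agent probe the daemon's data
# directory for a .forward file, which is what the AVC in the thread shows.
service_account_targets() {
  forward_lookup_targets "$1" "$2" | awk '$2 != "-" && $3 ~ /nologin$|false$/'
}

service_account_targets "$PASSWD_SAMPLE" "$CRON_SAMPLE"
```

On a live host, substitute `$(cat /etc/passwd)` and `$(cat /etc/cron.d/clamav-update)` for the samples.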

More information about the fedora-selinux-list mailing list