postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Thu Jun 29 07:29:48 UTC 2006


On Wed, 2006-06-28 at 22:15 -0500, Marc Schwartz wrote:
> On Wed, 2006-06-28 at 23:13 +0100, Paul Howarth wrote:
> > On Wed, 2006-06-28 at 16:38 -0500, Marc Schwartz (via MN) wrote:
> > > On Wed, 2006-06-28 at 22:23 +0100, Paul Howarth wrote:
> > > > On Wed, 2006-06-28 at 15:56 -0500, Marc Schwartz (via MN) wrote:
> > > 
> > > <snip>
> > > 
> > > > > 
> > > > > There are no .forward files on my system at all, unless that is a temp
> > > > > file, which does not make sense location-wise.
> > > > > 
> > > > > A Google search came up empty for that file, so I can only presume that
> > > > > there are certain configuration scenarios where the pipelining of
> > > > > e-mails would require that file.
> > > > > 
> > > > > Since I am using clamassassin, I also searched through that script and
> > > > > noted nothing relevant here.
> > > > > 
> > > > > Not sure what else to make of it.
> > > > 
> > > > That might be dontaudit-able. Is /var/lib/clamav any user's home
> > > > directory?
> > > 
> > > The /var/lib/clamav tree appears to be owned by 'clamav', both user and
> > > group:
> > > 
> > > $ ls -l /var/lib
> > > total 264
> > > ...
> > > drwxr-xr-x  2 clamav    clamav   4096 Jun 28 11:00 clamav
> > > ...
> > > 
> > > $ ls -l /var/lib/clamav
> > > total 8832
> > > -rw-r--r-- 1 clamav clamav    4050 Jun 28 11:01 clamav-4d6166b710f63075
> > > -rw-r--r-- 1 clamav clamav 3640966 Jun  9 16:49 clamav-651c96be267fc93e
> > > -rw-r--r-- 1 clamav clamav  380351 Jun 28 08:00 daily.cvd
> > > -rw-r--r-- 1 clamav clamav 4978654 Jun  9 18:00 main.cvd
> > > 
> > > 
> > > $ cat /etc/passwd | grep clamav
> > > clamav:x:100:101:Clamav database update user:/var/lib/clamav:/sbin/nologin
> > > 
> > > 
> > > $ cat /etc/group | grep clamav
> > > clamav:x:101:
> > 
> > The search in /var/lib/clamav is probably a result of something running
> > as that user, perhaps procmail. Does the clamav user get any mail?
> 
> Paul,
> 
> Good call.  Yes indeed.
> 
> It would appear that clamav (the user) gets mail when there are problems
> with the hourly database updates. For example, if there are DNS problems
> or other issues with server access.  I do see these coming from the root
> account, which then get forwarded to my user account via the postfix
> mapping. I had not paid attention, until now, regarding the multiple
> e-mail addresses in the To: field.
> 
> After doing some searching, it turns out that this is configured
> in /etc/cron.d/clamav-update.
> 
> In that file, mail is targeted (by default) to go to root, postmaster,
> webmaster and clamav. Now that I have looked at the content
> of /var/spool/mail/clamav, I do note that the mail is indeed sent to the
> aforementioned users.
> 
> Of course, postmaster and webmaster do not exist on my system as users.
> 
> Also, in the file is the following:
> 
> ## It is ok to execute it as root; freshclam drops privileges and becomes
> ## user 'clamav' as soon as possible
> 0  */3 * * * root /usr/share/clamav/freshclam-sleep
> 
> From other sources, it would appear that the freshclam programs, even if
> started as root, will setuid to clamav. This is configured
> in /etc/freshclam.conf.  The default is:
> 
> # By default when started freshclam drops privileges and switches to the
> # "clamav" user. This directive allows you to change the database owner.
> # Default: clamav (may depend on installation options)
> #DatabaseOwner clamav
> 
> 
> I could adjust the e-mail targets or other settings if you need me to.

I think the email targets are OK; you should just alias clamav,
webmaster, and postmaster (every mail system should have a postmaster)
to root, which in turn is aliased to you.

Paul.
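The aliasing Paul suggests is easy to get subtly wrong (a recipient nobody aliased, or an alias chain that loops), and the cost is that freshclam's failure notices silently vanish. The script below is an added example, not part of this thread and not Postfix's or ClamAV's own code: it parses a constructed aliases(5)-style file, follows each chain the way local delivery would (aliases take precedence over a local account of the same name, so `clamav: root` wins over the clamav mailbox), and reports where each address in the clamav-update cron job's recipient list finally lands. The alias contents, the local user set and the human recipient name `marc` are all assumptions made for the example; the "before" sample reproduces the situation Marc describes, where postmaster and webmaster exist in the cron job but not as users.

```python
"""Follow /etc/aliases-style chains for the recipients of a cron job.

Added example for the thread above; not code from Postfix, ClamAV or the
posters. Everything here runs offline on constructed data.
"""
import re

# Constructed aliases file reflecting Paul's advice: clamav, webmaster and
# postmaster go to root, root goes to the admin's account ("marc" is an
# assumed username). Two extra entries form a deliberate loop so that the
# loop check has something to catch.
ALIASES_AFTER = """\
# /etc/aliases (constructed for this example)
mailer-daemon:  postmaster
postmaster:     root
webmaster:      root
clamav:         root
root:           marc
# deliberate loop, only here to demonstrate detection
loop-a:         loop-b
loop-b:         loop-a
"""

# Constructed "before" state: only root is aliased, as Marc describes.
ALIASES_BEFORE = """\
root:           marc
"""

# Constructed local accounts that own a mailbox (the clamav user exists with
# /sbin/nologin but still has /var/spool/mail/clamav, as in the thread).
LOCAL_USERS = {"marc", "clamav"}

# Recipients listed in /etc/cron.d/clamav-update according to the thread.
CRON_RECIPIENTS = ["root", "postmaster", "webmaster", "clamav"]


def parse_aliases(text):
    """Parse aliases(5) syntax: 'name: target[, target...]', '#' comments and
    continuation lines that start with whitespace. Returns {name: [targets]}."""
    aliases = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            # continuation line: more targets for the previous alias
            aliases[current].extend(t.strip() for t in line.split(",") if t.strip())
            continue
        m = re.match(r"^([^:\s]+)\s*:\s*(.*)$", line)
        if not m:
            raise ValueError("malformed alias line: %r" % raw)
        current = m.group(1).lower()
        aliases[current] = [t.strip() for t in m.group(2).split(",") if t.strip()]
    return aliases


def resolve(name, aliases, users, _seen=frozenset()):
    """Return the set of final destinations for `name`.

    Local usernames are returned as-is; remote addresses, '|command',
    '/path' and ':include:' targets are treated as terminal; a name that
    matches neither an alias nor a user yields 'UNDELIVERABLE:<name>', and a
    chain that revisits a name yields 'LOOP:<name>'."""
    key = name.lower()
    if key in _seen:
        return {"LOOP:" + key}
    if key in aliases:  # alias beats a local account of the same name
        seen = _seen | {key}
        out = set()
        for target in aliases[key]:
            out |= resolve(target, aliases, users, seen)
        return out
    if key in users:
        return {key}
    if "@" in name or name[:1] in ("|", "/") or name.startswith(":include:"):
        return {name}
    return {"UNDELIVERABLE:" + key}


def check_cron_recipients(recipients, aliases, users):
    """Map each cron recipient to a sorted list of its final destinations."""
    return {r: sorted(resolve(r, aliases, users)) for r in recipients}


if __name__ == "__main__":
    for label, text in (("before", ALIASES_BEFORE), ("after", ALIASES_AFTER)):
        aliases = parse_aliases(text)
        print("== %s ==" % label)
        for rcpt, dests in check_cron_recipients(CRON_RECIPIENTS, aliases, LOCAL_USERS).items():
            print("%-10s -> %s" % (rcpt, ", ".join(dests)))
    print("loop-a     ->", ", ".join(sorted(resolve("loop-a", parse_aliases(ALIASES_AFTER), LOCAL_USERS))))
```

In the "before" run, postmaster and webmaster come back as undeliverable and clamav lands in its own unread mailbox; in the "after" run all four recipients resolve to `marc`. On a real host the same walk is what `postalias`-built maps give local delivery, so the interesting part to keep is the loop and undeliverable reporting, which the stock tools do not summarise for you.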