As much as I hate to disable selinux, I did that earlier in the thread. Surprisingly it is not the culprit, even after a restorecon -r.
Newer info has static as the proper systemd call for clamd.

I've found that in using your .service my whole cloud instance would HANG a few seconds later, and stay hung. This should never never happen in Linux.

I finally gave up trying to use the unix:socket and enabled the tcp:socket, as recommended by an earlier poster. Fortunately that completely works with -milter. Hate doing it this way, but I've lost enough time on this stupid problem.

Also I've gone back to CentOS' native .service files for clamd and clamav-milter. All is working well AFAICT.

unix:socket is just snakebit, and haunted...

> -------- Original Message --------
> Subject: Re: [clamav-users] clamav-milter Can't Find Clamd
> Local Time: November 8, 2017 3:38 PM
> UTC Time: November 8, 2017 11:38 PM
> From: h.rei...@thelounge.net
> To: clamav-users@lists.clamav.net
>
> On 09.11.2017 at 00:13, Colony.three wrote:
>
>> Yes my first posts were not close to the problem, as there was an evolution
>> in my thinking through the thread. It was only in the last couple posts that
>> I'd narrowed down the cause.
>> Well that's a pretty impressive setup. I've gone through line-by-line and
>> made my system very similar. Now I am getting logging, but in the log over
>> and over:
>> ERROR: LOCAL: Socket file /run/clamd/clamd.sock could not be bound: No such file or directory
>> Same problem, even though my .service file is -forking- now and other
>> settings are like yours.
>>
>> that below is a production setup running from 2014 until now on Fedora
>> with several dist-upgrades - do you have SELinux enabled?
>>
>> if so try to disable it and if it works then find someone with SELinux
>> knowledge, i don't touch it after i found strange log entries in my
>> samba and finally the reason was SELinux killed the iptables service
>>
>> Type=forking for clamd (Fedora has Type=simple as default) because the
>> depending services are starting clean - with Type=simple systemd has no
>> knowledge if the service is initialized, clamd doesn't respond properly
>> while loading the signatures and the rest of the mailsystem gets started
>> too soon
>>
>> -------- Original Message --------
>>
>>> Subject: Re: [clamav-users] clamav-milter Can't Find Clamd
>>> Local Time: November 7, 2017 4:26 PM
>>> UTC Time: November 8, 2017 12:26 AM
>>> From: h.rei...@thelounge.net
>>> To: clamav-users@lists.clamav.net
>>> On 08.11.2017 at 00:06, Colony.three wrote:
>>>
>>>> On 07.11.2017 at 22:46, Colony.three wrote:
>>>>
>>>>>> So much for that theory. There are about a million of these in the
>>>>>> logfile. It's not making its own socket for unknown reasons which may be
>>>>>> New To Science.
>>>>>> well, that looks like clamd is restarted again and again because it's
>>>>>> failing, most likely /run/clamd.scan/ doesn't exist or has the wrong
>>>>>> permissions
>>>>
>>>> Correct, /run/clamd.scan/ does -not- exist. Why? Because the clamd@
>>>> service destroys it on restart. (along with its socket) I could merrily
>>>> re-create the directory and socket all day long, but on restart it would
>>>> only be wiped out again. Of course the permissions are correct, as per
>>>> above; it couldn't have been destroyed by the service otherwise.
>>>>
>>>>>> "systemctl status" as well as the syslogs should tell you that the
>>>>>> service is failing if you just look at it
>>>>>> are you aware that /run is a tmpfs and hence anything below does not
>>>>>> survive a reboot?
>>>>
>>>> Why yes, I am.
>>>> As I say, clamd destroys its socket directory on stop, but
>>>> then does not re-create it on start, like it's supposed to.
>>>> This is the problem which I have been trying to explain
>>>> you explained it very badly when your initial post contains all sort of
>>>> config snippets, even milter related ones instead focus on the problem
>>>> clamd itself doesn't start properly - simply because in that case anything
>>>> else doesn't matter until clamd is up and running fine and to make it
>>>> harder you don't post your complete systemd-unit, at least not at the
>>>> thread start
>>>> http://www.catb.org/esr/faqs/smart-questions.html
>>>> well, i disabled all the services and made my own units years ago as i
>>>> do for any production stuff below /etc/systemd/system/ and be it only to
>>>> ensure Type=simple, automatic restart and not start any process as root
>>>> when it's not needed to begin with
>>>
>>> ---------------------------------------------------------------
>>>
>>> [root@localhost:~]$ cat /etc/systemd/system/clamd.service
>>> [Unit]
>>> Description=ClamAV Scanner Daemon
>>>
>>> [Service]
>>> Type=forking
>>> Environment="TMPDIR=/tmp"
>>> Environment="LANG=en_GB.UTF-8"
>>> ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
>>> ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
>>> Restart=always
>>> RestartSec=1
>>> Nice=5
>>> User=clamscan
>>> Group=clamilt
>>> PrivateTmp=yes
>>> PrivateDevices=yes
>>> PrivateNetwork=no
>>> NoNewPrivileges=yes
>>> CapabilityBoundingSet=CAP_KILL
>>> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
>>> SystemCallArchitectures=x86-64
>>> ReadOnlyDirectories=/
>>> ReadWriteDirectories=/run/clamd.scan
>>> ReadWriteDirectories=/run/clamd
>>> ReadWriteDirectories=/var/log
>>> ReadWriteDirectories=/tmp
>>>
>>> [root@localhost:~]$ cat /etc/clamd.d/scan.conf
>>> User clamscan
>>> AllowSupplementaryGroups yes
>>> PidFile /run/clamd.scan/clamd.pid
>>> TemporaryDirectory /tmp
>>> DatabaseDirectory /var/lib/clamav
>>> OfficialDatabaseOnly no
>>> LocalSocket /run/clamd/clamd.sock
>>> LocalSocketMode 0666
>>> MaxConnectionQueueLength 100
>>> StreamMaxLength 35M
>>> StreamMinPort 31000
>>> StreamMaxPort 32000
>>> MaxThreads 10
>>> MaxQueue 50
>>> ReadTimeout 120
>>> CommandReadTimeout 5
>>> SendBufTimeout 200
>>> IdleTimeout 30
>>> ExcludePath ^/proc/
>>> ExcludePath ^/sys/
>>> MaxDirectoryRecursion 20
>>> FollowDirectorySymlinks no
>>> FollowFileSymlinks no
>>> CrossFilesystems yes
>>> SelfCheck 86400
>>> ExitOnOOM yes
>>> Foreground no
>>> Debug no
>>> LeaveTemporaryFiles no
>>> AllowAllMatchScan no
>>> DetectPUA no
>>> AlgorithmicDetection yes
>>> DisableCache no
>>> ScanPE yes
>>> DisableCertCheck yes
>>> ScanELF yes
>>> DetectBrokenExecutables yes
>>> ScanOLE2 yes
>>> OLE2BlockMacros no
>>> ScanPDF yes
>>> ScanSWF yes
>>> ScanMail yes
>>> ScanPartialMessages no
>>> PhishingSignatures yes
>>> PhishingScanURLs no
>>> PhishingAlwaysBlockSSLMismatch no
>>> PhishingAlwaysBlockCloak no
>>> PartitionIntersection no
>>> HeuristicScanPrecedence yes
>>> StructuredDataDetection no
>>> ScanHTML yes
>>> ScanArchive yes
>>> ArchiveBlockEncrypted no
>>> MaxScanSize 50M
>>> MaxFileSize 50M
>>> MaxRecursion 10
>>> MaxFiles 10000
>>> MaxEmbeddedPE 10M
>>> MaxHTMLNormalize 10M
>>> MaxHTMLNoTags 2M
>>> MaxScriptNormalize 5M
>>> MaxZipTypeRcg 5M
>>> MaxPartitions 50
>>> MaxIconsPE 100
>>> ScanOnAccess no
>>> Bytecode yes
>>> BytecodeSecurity TrustSigned
>>> BytecodeTimeout 2000
>>> StatsEnabled no
>>> StatsPEDisabled yes
>>> LogFile /var/log/clamscan.log
>>> LogFileMaxSize 32M
>>> LogTime yes
>>> LogClean no
>>> ExtendedDetectionInfo yes
>>> LogFileUnlock yes
>>>
>>> [root@localhost:~]$ cat /etc/systemd/system/clamav-milter.service
>>> [Unit]
>>> Description=ClamAV Postfix-Milter
>>> Wants=clamd.service
>>> After=clamd.service
>>> Before=postfix.service
>>>
>>> [Service]
>>> Type=simple
>>> Environment="TMPDIR=/tmp"
>>> ExecStart=/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
>>> User=clamilt
>>> Group=clamilt
>>> Environment="LANG=en_GB.UTF-8"
>>> Restart=always
>>> RestartSec=1
>>> Nice=5
>>> PrivateTmp=yes
>>> PrivateDevices=yes
>>> PrivateNetwork=yes
>>> NoNewPrivileges=yes
>>> CapabilityBoundingSet=CAP_KILL
>>> RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
>>> SystemCallArchitectures=x86-64
>>> ReadOnlyDirectories=/
>>> ReadWriteDirectories=-/run/clamav-milter
>>> ReadWriteDirectories=-/run/clamd
>>> ReadWriteDirectories=-/tmp
>>> ReadWriteDirectories=-/var/log
>>>
>>> [root@localhost:~]$ cat /etc/mail/clamav-milter.conf
>>> # Postfix milter configuration
>>> # Pre-queue virus scanner
>>> # Postfix must be in the "clamilt" user group
>>> # usermod -a -G clamilt postfix
>>> # usermod -a -G sa-milt postfix
>>>
>>> User clamilt
>>> AllowSupplementaryGroups yes
>>> MilterSocket /run/clamav-milter/clamav-milter.socket
>>> MilterSocketMode 0660
>>> ClamdSocket unix:/run/clamd/clamd.sock
>>> FixStaleSocket yes
>>> ReadTimeout 120
>>> Foreground yes
>>> TemporaryDirectory /tmp
>>> LocalNet 127.0.0.1
>>> MaxFileSize 35M
>>> OnClean Accept
>>> OnFail Defer
>>> OnInfected Reject
>>> RejectMsg Virus found or dangerous attachment: "%v"
>>> AddHeader Replace
>>> LogFile /var/log/clamav-milter.log
>>> LogFileUnlock yes
>>> LogFileMaxSize 128M
>>> LogTime yes
>>> LogSyslog yes
>>> LogFacility LOG_MAIL
>>> LogVerbose no
>>> LogRotate yes
>>> LogInfected Off
>>> LogClean Off
>>> SupportMultipleRecipients yes
>>> Whitelist /etc/mail/clamav-milter-whitelist.conf
>>>
>>> [root@localhost:~]$ cat /etc/tmpfiles.d/clamd.conf
>>> d /run/clamd 0775 clamscan clamilt
>>>
>>> [root@localhost:~]$ cat /usr/lib/tmpfiles.d/clamd.scan.conf
>>> d /var/run/clamd.scan 0710 clamscan clamscan
>>>
>>> clamav-users mailing list
>>> clamav-users@lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> http://www.clamav.net/contact.html#ml
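Added example (not from the thread or the ClamAV project): a small Python checker for the failure discussed above, where clamd cannot bind its socket because its directory under /run does not exist. It compares the milter's ClamdSocket with clamd's LocalSocket and confirms that a tmpfiles.d entry recreates each runtime directory; the function names and the BROKEN_* sample are assumptions constructed for illustration.

```python
import posixpath

def parse_conf(text):
    """Parse 'Key value' lines (clamd.conf / clamav-milter.conf style) into a dict."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and not key.startswith("#"):
            conf[key] = value.strip()
    return conf

def norm(path):
    """Normalize a path; /var/run is a symlink to /run on systemd hosts."""
    path = posixpath.normpath(path)
    return path[4:] if (path + "/").startswith("/var/run/") else path

def tmpfiles_dirs(text):
    """Directories that tmpfiles.d 'd' entries recreate at every boot."""
    return {norm(f[1]) for f in map(str.split, text.splitlines())
            if len(f) >= 2 and f[0] in ("d", "D")}

def check(clamd_text, milter_text, tmpfiles_text):
    """Return a list of problems that would stop the milter reaching clamd."""
    clamd, milter = parse_conf(clamd_text), parse_conf(milter_text)
    created, problems = tmpfiles_dirs(tmpfiles_text), []
    for key in ("LocalSocket", "PidFile"):
        if key in clamd:
            parent = posixpath.dirname(norm(clamd[key]))
            # /run is a tmpfs: a subdirectory must be recreated after each boot
            if parent.startswith("/run/") and parent not in created:
                problems.append(f"{key}: {parent} is on tmpfs and no tmpfiles.d entry creates it")
    target = milter.get("ClamdSocket", "")
    if target.startswith("unix:"):
        if norm(target[5:]) != norm(clamd.get("LocalSocket", "")):
            problems.append("ClamdSocket does not match clamd LocalSocket")
    return problems

# Values below are the ones quoted in the thread.
THREAD_CLAMD = "PidFile /run/clamd.scan/clamd.pid\nLocalSocket /run/clamd/clamd.sock\n"
THREAD_MILTER = "ClamdSocket unix:/run/clamd/clamd.sock\n"
THREAD_TMPFILES = ("d /run/clamd 0775 clamscan clamilt\n"
                   "d /var/run/clamd.scan 0710 clamscan clamscan\n")
# Constructed failing case: only the /run/clamd entry exists and clamd binds elsewhere.
BROKEN_CLAMD = "PidFile /run/clamd.scan/clamd.pid\nLocalSocket /run/clamd.scan/clamd.sock\n"
BROKEN_TMPFILES = "d /run/clamd 0775 clamscan clamilt\n"

if __name__ == "__main__":
    print(check(THREAD_CLAMD, THREAD_MILTER, THREAD_TMPFILES))
    for p in check(BROKEN_CLAMD, THREAD_MILTER, BROKEN_TMPFILES):
        print("PROBLEM:", p)
```

The checker only reads tmpfiles.d entries; a directory created by a unit's `RuntimeDirectory=` setting would be reported as missing.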