On 2011-03-10, Kevin Fenzi <[email protected]> wrote:
>
> Do you have any thoughts/patches for getting amavisd-new working with
> the new clamav? 

Not sure, I quickly gave up when I hit an SELinux denial and saw that this
denial wasn't happening with the old packaging. Was hoping we could run
our new mailservers on default SELinux policy if possible.

First step is probably to add back in the clamd-wrapper (which is part
of the current EPEL6 clamav), so that amavisd-new can continue to use its
own scanner instance through /usr/share/clamav/clamd-wrapper,
/etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd. Removing
this clamd-wrapper is bound to break existing installations that have
followed the recommendations from the old packaging about creating
per-service clamd-instances (maybe not just for amavisd-new).

Also, security-wise the old packaging said to:

          NEVER use 'clamav' as the user since he can modify the database.

while the new packaging runs as "clam" and has database-files owned by "clam":

        [[email protected]:~]$ ps -ef|grep clam
        clam     20082     1  0 00:00 ?        00:00:00 clamd
        [[email protected]:~]$ ls -al /var/lib/clamav/
        totalt 30560
        drwxr-xr-x.  2 clam clam     4096 2011-03-10 04:29 .
        drwxr-xr-x. 28 root root     4096 2011-03-03 14:38 ..
        -rw-r--r--.  1 clam clam   460288 2011-03-09 03:07 bytecode.cld
        -rw-r--r--.  1 clam clam  4588544 2011-03-10 04:29 daily.cld
        -rw-r--r--.  1 clam clam 26224310 2011-02-24 00:39 main.cvd
        -rw-------.  1  498  397      416 2011-03-05 12:20 mirrors.dat
        [[email protected]:~]$ rpm -q clamd
        clamd-0.97-3.el6.x86_64

>
> Also, there is no amavisd-new pushed in epel6 yet, so we could push
> clamav now, and push the fixed amavisd-new as soon as it's ready, no?

There is a clamav with the previous packaging format in EPEL6. Are you
sure changing it won't break existing installations? Nobody expecting the
existing clamscan, clamupdate, clamilt users/group to exist?

I'm mostly worried that we'll end up with confusing/different clamav and
amavisd-new installations on our RHEL5 and RHEL6 servers, plus pushing this
big change now will probably delay amavisd-new in EPEL6. (and I need it now!
:-)


  -jf

_______________________________________________
epel-devel-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/epel-devel-list
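
Added example, not part of the original message or of either packaging: a shell check for the ownership concern raised above, listing what a scanner account could modify under the signature database directory. The function names are hypothetical; the account name and directory passed to them are whatever the installation uses.

```shell
#!/bin/sh
# Added example: report ClamAV database entries that the scanner's own
# account could modify. Function names are hypothetical, not from any package.

# writable_by USER DIR
# Prints every file or directory under DIR that USER (name or numeric uid)
# can write to through the owner bits, a group it belongs to, or the
# world-writable bit.
writable_by() {
    user=$1
    dir=$2
    # Group ids of USER; empty when USER is a bare uid with no passwd entry.
    gids=$(id -G "$user" 2>/dev/null)

    # Build the find expression: owned by USER and owner-writable ...
    set -- -user "$user" -perm -200
    # ... or group-writable and owned by one of USER's groups ...
    for gid in $gids; do
        set -- "$@" -o -group "$gid" -perm -020
    done
    # ... or writable by everyone.
    set -- "$@" -o -perm -002

    find "$dir" \( "$@" \) -print
}

# db_is_tamper_safe USER DIR
# Exit status 0 only when USER cannot modify anything under DIR.
db_is_tamper_safe() {
    [ -z "$(writable_by "$1" "$2")" ]
}
```

For the layout in the listing above, the call would be `writable_by clam /var/lib/clamav`; any path it prints is one the running scanner could rewrite.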