On Fri, 11 Mar 2011 00:28:18 +0100 Jan-Frode Myklebust <[email protected]> wrote:
> On 2011-03-10, Kevin Fenzi <[email protected]> wrote:
> >
> > Do you have any thoughts/patches for getting amavisd-new working
> > with the new clamav?
>
> Not sure, I quickly gave up when I hit an selinux denial and saw that
> this denial wasn't happening with the old packaging. Was hoping we
> could run our new mailservers on default selinux policy if possible.

Sure, that would be a bug worth fixing I agree.

> First step is probably to add back in the clamd-wrapper (which is part
> of the current EPEL6 clamav), so that amavisd-new can continue to use
> its own scanner instance through /usr/share/clamav/clamd-wrapper,
> /etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd..
> Removing this clamd-wrapper is bound to break existing installations
> that have followed the recommendations from the old packaging about
> creating per-service clamd-instances (maybe not just for amavisd-new).

Yes, that's something the old package said. In practice I don't know
how much security it really provides. ;(

Anyhow, yeah, if we could add the wrapper thing that amavisd-new needs
that might be a quick solution.

> Also, security-wise the old packaging said to:
>
>     NEVER use 'clamav' as the user since he can modify the
>     database.
>
> while the new packaging runs as "clam" and has database-files owned
> by "clam":

What runs as 'clam'? clamd? Yes, that's true.
It does mean the clam user could modify the db files, but the
additional security here I don't know is worth it. If you wish to
separate things like that, I would suggest running clamscan instead as
whatever user.

> > Also, there is no amavisd-new pushed in epel6 yet, so we could push
> > clamav now, and push the fixed amavisd-new as soon as it's ready,
> > no?
>
> There is a clamav with the previous packaging format in EPEL6. Are
> you sure changing it won't break existing installations? Nobody
> expecting the existing clamscan, clamupdate, clamilt users/group to
> exist?

I tested it here and it worked fine for upgrades, with one exception:
the /etc/freshclam.conf.rpmnew file needed to be moved in place before
freshclam would work.

> I'm mostly worried that we'll end up with confusing/different clamav
> and amavisd-new installations on our RHEL5 and RHEL6 servers, plus
> pushing this big change now will probably delay amavisd-new in
> EPEL6.. (and I need it now! :-)

Yeah, it's all no fun for sure. ;(

Where I would like to get:

* clamav packaged the new way on 4/5/6
* amavisd-new packaged to use that on 4/5/6

How we get there is up to the maintainers...

I know several people were looking at amavisd-new. Perhaps we could get
everyone together at an irc meeting and hash out what needs to happen?

kevin
