Re: [CentOS] permission problems with avamis and Centos 6.3
On 01/28/2013 02:46 PM, Daniel J Walsh wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/28/2013 02:39 PM, Robert Moskowitz wrote: >> On 01/28/2013 01:15 PM, Daniel J Walsh wrote: >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >>> >>> On 01/28/2013 11:29 AM, Robert Moskowitz wrote: On 01/24/2013 02:48 PM, Daniel J Walsh wrote: > -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > > On 01/24/2013 01:15 PM, Robert Moskowitz wrote: >> Thank you for your suggestion, but it did not fix the permissions >> problem. >> >> On 01/24/2013 10:13 AM, Rob wrote: >>> usermod -a -G amavis clam >> How is this different from: >> >> gpasswd -a clam amavis >> >> And I am still getting the permissions error. >> >>> service clamd restart >>> >>> be happy >>> >>> On 24.01.2013, at 04:16, Robert Moskowitz >>> wrote: >>> I am trying to follow: http://wiki.centos.org/HowTos/Amavisd Which seems to really be written for Centos 5, with just some selinux references for Centos 6. There are real problems here for Centos 6 with the userids section. It gives the following command and result: cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh But my Centos 6.3 has: clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin amavis:x:493:489::/var/spool/amavisd:/sbin/nologin Note the difference in userid clam instead of clamav. So this causes problems with the group recommendation: In addition, the clamav user should automatically have been added to the amavis group: # groups clamav clamav : clamav amavis If not, you can manually add clamav to the amavis group: gpasswd -a clamav amavis so I did: gpasswd -a clam amavis So far, it seems just changing what userid is now used by clamav... But in testing for spam I see the following in /var/log/maillog Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: > lstat() failed: Permission denied. ERROR\n" I checked this directory tree and all along the tree the permissions are to amavis:amavis So where is my permission problem? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> ___ CentOS mailing >>> list CentOS@centos.org >>> http://lists.centos.org/mailman/listinfo/centos >>> >> ___ CentOS mailing >> list CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos >> > Can you attach the AVC messages from audit log. > > ausearch -m avc -ts recent Back home and booted up test system (thus no questions about clamav state): time->Mon Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.446:25): arch=4003 syscall=5 success=yes exit=3 a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): arch=4003 syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:sys
Re: [CentOS] permission problems with avamis and Centos 6.3
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/28/2013 02:39 PM, Robert Moskowitz wrote: > > On 01/28/2013 01:15 PM, Daniel J Walsh wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> On 01/28/2013 11:29 AM, Robert Moskowitz wrote: >>> On 01/24/2013 02:48 PM, Daniel J Walsh wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2013 01:15 PM, Robert Moskowitz wrote: > Thank you for your suggestion, but it did not fix the permissions > problem. > > On 01/24/2013 10:13 AM, Rob wrote: >> usermod -a -G amavis clam > How is this different from: > > gpasswd -a clam amavis > > And I am still getting the permissions error. > >> service clamd restart >> >> be happy >> >> On 24.01.2013, at 04:16, Robert Moskowitz >> wrote: >> >>> I am trying to follow: >>> >>> http://wiki.centos.org/HowTos/Amavisd >>> >>> Which seems to really be written for Centos 5, with just some >>> selinux references for Centos 6. There are real problems here >>> for Centos 6 with the userids section. >>> >>> It gives the following command and result: >>> >>> cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam >>> Anti Virus Checker:/var/clamav:/sbin/nologin >>> amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh >>> >>> But my Centos 6.3 has: >>> >>> clam:x:494:490:Clam Anti Virus >>> Checker:/var/lib/clamav:/sbin/nologin >>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin >>> >>> Note the difference in userid clam instead of clamav. So this >>> causes problems with the group recommendation: >>> >>> In addition, the clamav user should automatically have been >>> added to the amavis group: >>> >>> # groups clamav clamav : clamav amavis >>> >>> If not, you can manually add clamav to the amavis group: >>> >>> gpasswd -a clamav amavis >>> >>> >>> so I did: >>> >>> gpasswd -a clam amavis >>> >>> >>> So far, it seems just changing what userid is now used by >>> clamav... >>> >>> But in testing for spam I see the following in >>> /var/log/maillog >>> >>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av >>> (ClamAV-clamd) FAILED - unexpected , >>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: >>> >>> lstat() failed: Permission denied. ERROR\n" >>> >>> I checked this directory tree and all along the tree the >>> permissions are to amavis:amavis >>> >>> So where is my permission problem? >>> >>> >>> ___ CentOS mailing >>> list CentOS@centos.org >>> http://lists.centos.org/mailman/listinfo/centos >> ___ CentOS mailing >> list CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos >> > ___ CentOS mailing > list CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > Can you attach the AVC messages from audit log. ausearch -m avc -ts recent >>> Back home and booted up test system (thus no questions about clamav >>> state): >>> >>> time->Mon Jan 28 11:18:26 2013 type=SYSCALL >>> msg=audit(1359389906.446:25): arch=4003 syscall=5 success=yes >>> exit=3 a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 >>> pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 >>> egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" >>> exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 >>> key=(null) type=AVC msg=audit(1359389906.446:25): avc: denied { read >>> } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185 >>> scontext=system_u:system_r:clamscan_t:s0 >>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon >>> Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): >>> arch=4003 syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 >>> a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 >>> euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) >>> ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" >>> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC >>> msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 >>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" >>> scontext=system_u:system_r:clamscan_t:s0 >>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC >>> msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 >>> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" >>> scontext=system_u:system_r:clamscan_t:s0 >>> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC >>> msg=audit(
Re: [CentOS] permission problems with avamis and Centos 6.3
On 01/28/2013 01:15 PM, Daniel J Walsh wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/28/2013 11:29 AM, Robert Moskowitz wrote: >> On 01/24/2013 02:48 PM, Daniel J Walsh wrote: >>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >>> >>> On 01/24/2013 01:15 PM, Robert Moskowitz wrote: Thank you for your suggestion, but it did not fix the permissions problem. On 01/24/2013 10:13 AM, Rob wrote: > usermod -a -G amavis clam How is this different from: gpasswd -a clam amavis And I am still getting the permissions error. > service clamd restart > > be happy > > On 24.01.2013, at 04:16, Robert Moskowitz > wrote: > >> I am trying to follow: >> >> http://wiki.centos.org/HowTos/Amavisd >> >> Which seems to really be written for Centos 5, with just some >> selinux references for Centos 6. There are real problems here for >> Centos 6 with the userids section. >> >> It gives the following command and result: >> >> cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti >> Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis >> email scan user:/var/amavis:/bin/sh >> >> But my Centos 6.3 has: >> >> clam:x:494:490:Clam Anti Virus >> Checker:/var/lib/clamav:/sbin/nologin >> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin >> >> Note the difference in userid clam instead of clamav. So this >> causes problems with the group recommendation: >> >> In addition, the clamav user should automatically have been added >> to the amavis group: >> >> # groups clamav clamav : clamav amavis >> >> If not, you can manually add clamav to the amavis group: >> >> gpasswd -a clamav amavis >> >> >> so I did: >> >> gpasswd -a clam amavis >> >> >> So far, it seems just changing what userid is now used by >> clamav... >> >> But in testing for spam I see the following in /var/log/maillog >> >> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av >> (ClamAV-clamd) FAILED - unexpected , >> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: >> lstat() failed: Permission denied. ERROR\n" >> >> I checked this directory tree and all along the tree the >> permissions are to amavis:amavis >> >> So where is my permission problem? >> >> >> ___ CentOS mailing >> list CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list > CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> Can you attach the AVC messages from audit log. >>> >>> ausearch -m avc -ts recent >> Back home and booted up test system (thus no questions about clamav >> state): >> >> time->Mon Jan 28 11:18:26 2013 type=SYSCALL >> msg=audit(1359389906.446:25): arch=4003 syscall=5 success=yes exit=3 >> a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 >> auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 >> sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" >> exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) >> type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 >> comm="clamscan" name="parts" dev=dm-0 ino=2624185 >> scontext=system_u:system_r:clamscan_t:s0 >> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan >> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): arch=4003 >> syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 >> items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 >> suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 >> comm="clamscan" exe="/usr/bin/clamscan" >> subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC >> msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 >> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" >> scontext=system_u:system_r:clamscan_t:s0 >> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC >> msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 >> comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" >> scontext=system_u:system_r:clamscan_t:s0 >> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC >> msg=audit(1359389906.490:26): avc: denied { write } for pid=3045 >> comm="clamscan" name="tmp" dev=dm-0 ino=2624119 >> scontext=system_u:system_r:clamscan_t:s0 >> tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan >> 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27): arch=4003 >
Re: [CentOS] permission problems with avamis and Centos 6.3
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/28/2013 11:29 AM, Robert Moskowitz wrote: > > On 01/24/2013 02:48 PM, Daniel J Walsh wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 >> >> On 01/24/2013 01:15 PM, Robert Moskowitz wrote: >>> Thank you for your suggestion, but it did not fix the permissions >>> problem. >>> >>> On 01/24/2013 10:13 AM, Rob wrote: usermod -a -G amavis clam >>> How is this different from: >>> >>> gpasswd -a clam amavis >>> >>> And I am still getting the permissions error. >>> service clamd restart be happy On 24.01.2013, at 04:16, Robert Moskowitz wrote: > I am trying to follow: > > http://wiki.centos.org/HowTos/Amavisd > > Which seems to really be written for Centos 5, with just some > selinux references for Centos 6. There are real problems here for > Centos 6 with the userids section. > > It gives the following command and result: > > cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti > Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis > email scan user:/var/amavis:/bin/sh > > But my Centos 6.3 has: > > clam:x:494:490:Clam Anti Virus > Checker:/var/lib/clamav:/sbin/nologin > amavis:x:493:489::/var/spool/amavisd:/sbin/nologin > > Note the difference in userid clam instead of clamav. So this > causes problems with the group recommendation: > > In addition, the clamav user should automatically have been added > to the amavis group: > > # groups clamav clamav : clamav amavis > > If not, you can manually add clamav to the amavis group: > > gpasswd -a clamav amavis > > > so I did: > > gpasswd -a clam amavis > > > So far, it seems just changing what userid is now used by > clamav... > > But in testing for spam I see the following in /var/log/maillog > > Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av > (ClamAV-clamd) FAILED - unexpected , > output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: > lstat() failed: Permission denied. ERROR\n" > > I checked this directory tree and all along the tree the > permissions are to amavis:amavis > > So where is my permission problem? > > > ___ CentOS mailing > list CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> ___ CentOS mailing list >>> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> >> Can you attach the AVC messages from audit log. >> >> ausearch -m avc -ts recent > > Back home and booted up test system (thus no questions about clamav > state): > > time->Mon Jan 28 11:18:26 2013 type=SYSCALL > msg=audit(1359389906.446:25): arch=4003 syscall=5 success=yes exit=3 > a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 > auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 > sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" > exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) > type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 > comm="clamscan" name="parts" dev=dm-0 ino=2624185 > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): arch=4003 > syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 > items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 > suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 > comm="clamscan" exe="/usr/bin/clamscan" > subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC > msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC > msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 > comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC > msg=audit(1359389906.490:26): avc: denied { write } for pid=3045 > comm="clamscan" name="tmp" dev=dm-0 ino=2624119 > scontext=system_u:system_r:clamscan_t:s0 > tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan > 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27): arch=4003 > syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0 a3=bfdb5d2c items=0 > ppid=2211 pid=3045 auid=4294967295
Re: [CentOS] permission problems with avamis and Centos 6.3
On 01/24/2013 02:22 PM, Rob wrote: > > On 24.01.2013, at 19:15, Robert Moskowitz wrote: > >> Thank you for your suggestion, but it did not fix the permissions problem. >> >> On 01/24/2013 10:13 AM, Rob wrote: >>> usermod -a -G amavis clam >> How is this different from: >> >> gpasswd -a clam amavis >> >> And I am still getting the permissions error. >> >>> service clamd restart >>> >>> be happy >>> >>> On 24.01.2013, at 04:16, Robert Moskowitz wrote: >>> I am trying to follow: http://wiki.centos.org/HowTos/Amavisd Which seems to really be written for Centos 5, with just some selinux references for Centos 6. There are real problems here for Centos 6 with the userids section. It gives the following command and result: cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh But my Centos 6.3 has: clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin amavis:x:493:489::/var/spool/amavisd:/sbin/nologin Note the difference in userid clam instead of clamav. So this causes problems with the group recommendation: In addition, the clamav user should automatically have been added to the amavis group: # groups clamav clamav : clamav amavis If not, you can manually add clamav to the amavis group: gpasswd -a clamav amavis so I did: gpasswd -a clam amavis So far, it seems just changing what userid is now used by clamav... But in testing for spam I see the following in /var/log/maillog Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: lstat() failed: Permission denied. ERROR\n" I checked this directory tree and all along the tree the permissions are to amavis:amavis So where is my permission problem? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> ___ >>> CentOS mailing list >>> CentOS@centos.org >>> http://lists.centos.org/mailman/listinfo/centos > What are the permission for /var/spool/amavisd. amavis:amavis > > Did you try: > service clam stop > service clam start > Instead of: > restart? (it is not the same) Does boot count? ;) Yes this was from a clean boot. And I just powered up the system again today and it repeated the permissions problem. > ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] permission problems with avamis and Centos 6.3
On 01/24/2013 02:48 PM, Daniel J Walsh wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/24/2013 01:15 PM, Robert Moskowitz wrote: >> Thank you for your suggestion, but it did not fix the permissions problem. >> >> On 01/24/2013 10:13 AM, Rob wrote: >>> usermod -a -G amavis clam >> How is this different from: >> >> gpasswd -a clam amavis >> >> And I am still getting the permissions error. >> >>> service clamd restart >>> >>> be happy >>> >>> On 24.01.2013, at 04:16, Robert Moskowitz wrote: >>> I am trying to follow: http://wiki.centos.org/HowTos/Amavisd Which seems to really be written for Centos 5, with just some selinux references for Centos 6. There are real problems here for Centos 6 with the userids section. It gives the following command and result: cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh But my Centos 6.3 has: clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin amavis:x:493:489::/var/spool/amavisd:/sbin/nologin Note the difference in userid clam instead of clamav. So this causes problems with the group recommendation: In addition, the clamav user should automatically have been added to the amavis group: # groups clamav clamav : clamav amavis If not, you can manually add clamav to the amavis group: gpasswd -a clamav amavis so I did: gpasswd -a clam amavis So far, it seems just changing what userid is now used by clamav... But in testing for spam I see the following in /var/log/maillog Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: lstat() failed: Permission denied. ERROR\n" I checked this directory tree and all along the tree the permissions are to amavis:amavis So where is my permission problem? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> ___ CentOS mailing list >>> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> >> ___ CentOS mailing list >> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >> > Can you attach the AVC messages from audit log. > > ausearch -m avc -ts recent Back home and booted up test system (thus no questions about clamav state): time->Mon Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.446:25): arch=4003 syscall=5 success=yes exit=3 a0=92de9d8 a1=98800 a2=92de9d8 a3=92ba620 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC msg=audit(1359389906.446:25): avc: denied { read } for pid=3045 comm="clamscan" name="parts" dev=dm-0 ino=2624185 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.490:26): arch=4003 syscall=39 success=yes exit=0 a0=92e64f8 a1=1c0 a2=a36cd8 a3=92e64f8 items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC msg=audit(1359389906.490:26): avc: denied { create } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC msg=audit(1359389906.490:26): avc: denied { add_name } for pid=3045 comm="clamscan" name="clamav-add5fee27e737080ac3907505396eca9" scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir type=AVC msg=audit(1359389906.490:26): avc: denied { write } for pid=3045 comm="clamscan" name="tmp" dev=dm-0 ino=2624119 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir time->Mon Jan 28 11:18:26 2013 type=SYSCALL msg=audit(1359389906.528:27): arch=4003 syscall=5 success=yes exit=5 a0=92f1810 a1=2c2 a2=1c0 a3=bfdb5d2c items=0 ppid=2211 pid=3045 auid=4294967295 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="clamscan" exe="/usr/bin/clamscan" subj=system_u:system_r:clamscan_t:s0 key=(null) type=AVC msg=audit(1359389906.528:27): avc: denied { write } for pid=3045 comm="clamscan" name="clamav-308541af5e7a
Re: [CentOS] permission problems with avamis and Centos 6.3
On hold until monday. It was decided we (family) would pack up and go to Chicago for the weekend. Will work on this when I get back. Thanks for the pointer. On 01/24/2013 02:48 PM, Daniel J Walsh wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/24/2013 01:15 PM, Robert Moskowitz wrote: >> Thank you for your suggestion, but it did not fix the permissions problem. >> >> On 01/24/2013 10:13 AM, Rob wrote: >>> usermod -a -G amavis clam >> How is this different from: >> >> gpasswd -a clam amavis >> >> And I am still getting the permissions error. >> >>> service clamd restart >>> >>> be happy >>> >>> On 24.01.2013, at 04:16, Robert Moskowitz wrote: >>> I am trying to follow: http://wiki.centos.org/HowTos/Amavisd Which seems to really be written for Centos 5, with just some selinux references for Centos 6. There are real problems here for Centos 6 with the userids section. It gives the following command and result: cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh But my Centos 6.3 has: clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin amavis:x:493:489::/var/spool/amavisd:/sbin/nologin Note the difference in userid clam instead of clamav. So this causes problems with the group recommendation: In addition, the clamav user should automatically have been added to the amavis group: # groups clamav clamav : clamav amavis If not, you can manually add clamav to the amavis group: gpasswd -a clamav amavis so I did: gpasswd -a clam amavis So far, it seems just changing what userid is now used by clamav... But in testing for spam I see the following in /var/log/maillog Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) FAILED - unexpected , output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: lstat() failed: Permission denied. ERROR\n" I checked this directory tree and all along the tree the permissions are to amavis:amavis So where is my permission problem? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> ___ CentOS mailing list >>> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >>> >> ___ CentOS mailing list >> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >> > Can you attach the AVC messages from audit log. > > ausearch -m avc -ts recent > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.13 (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlEBkB4ACgkQrlYvE4MpobPzzwCeLiolKq7hzthQKuWaLtLHmQIO > zVYAoOnEBvhNGxlPjIoptc7S5ueP2ev4 > =YNrJ > -END PGP SIGNATURE- > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] permission problems with avamis and Centos 6.3
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 01/24/2013 01:15 PM, Robert Moskowitz wrote: > Thank you for your suggestion, but it did not fix the permissions problem. > > On 01/24/2013 10:13 AM, Rob wrote: >> usermod -a -G amavis clam > > How is this different from: > > gpasswd -a clam amavis > > And I am still getting the permissions error. > >> service clamd restart >> >> be happy >> >> On 24.01.2013, at 04:16, Robert Moskowitz wrote: >> >>> I am trying to follow: >>> >>> http://wiki.centos.org/HowTos/Amavisd >>> >>> Which seems to really be written for Centos 5, with just some selinux >>> references for Centos 6. There are real problems here for Centos 6 >>> with the userids section. >>> >>> It gives the following command and result: >>> >>> cat /etc/passwd | grep "amavis\|clamav" clamav:x:101:102:Clam Anti >>> Virus Checker:/var/clamav:/sbin/nologin amavis:x:102:103:Amavis email >>> scan user:/var/amavis:/bin/sh >>> >>> But my Centos 6.3 has: >>> >>> clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin >>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin >>> >>> Note the difference in userid clam instead of clamav. So this causes >>> problems with the group recommendation: >>> >>> In addition, the clamav user should automatically have been added to >>> the amavis group: >>> >>> # groups clamav clamav : clamav amavis >>> >>> If not, you can manually add clamav to the amavis group: >>> >>> gpasswd -a clamav amavis >>> >>> >>> so I did: >>> >>> gpasswd -a clam amavis >>> >>> >>> So far, it seems just changing what userid is now used by clamav... >>> >>> But in testing for spam I see the following in /var/log/maillog >>> >>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av >>> (ClamAV-clamd) FAILED - unexpected , >>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: >>> lstat() failed: Permission denied. ERROR\n" >>> >>> I checked this directory tree and all along the tree the permissions >>> are to amavis:amavis >>> >>> So where is my permission problem? >>> >>> >>> ___ CentOS mailing list >>> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >> ___ CentOS mailing list >> CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos >> > > ___ CentOS mailing list > CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos > Can you attach the AVC messages from audit log. ausearch -m avc -ts recent -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlEBkB4ACgkQrlYvE4MpobPzzwCeLiolKq7hzthQKuWaLtLHmQIO zVYAoOnEBvhNGxlPjIoptc7S5ueP2ev4 =YNrJ -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] permission problems with avamis and Centos 6.3
On 24.01.2013, at 19:15, Robert Moskowitz wrote: > Thank you for your suggestion, but it did not fix the permissions problem. > > On 01/24/2013 10:13 AM, Rob wrote: >> usermod -a -G amavis clam > > How is this different from: > > gpasswd -a clam amavis > > And I am still getting the permissions error. > >> service clamd restart >> >> be happy >> >> On 24.01.2013, at 04:16, Robert Moskowitz wrote: >> >>> I am trying to follow: >>> >>> http://wiki.centos.org/HowTos/Amavisd >>> >>> Which seems to really be written for Centos 5, with just some selinux >>> references for Centos 6. There are real problems here for Centos 6 with >>> the userids section. >>> >>> It gives the following command and result: >>> >>> cat /etc/passwd | grep "amavis\|clamav" >>> clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin >>> amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh >>> >>> But my Centos 6.3 has: >>> >>> clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin >>> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin >>> >>> Note the difference in userid clam instead of clamav. So this causes >>> problems with the group recommendation: >>> >>> In addition, the clamav user should automatically have been added to the >>> amavis group: >>> >>> # groups clamav >>> clamav : clamav amavis >>> >>> If not, you can manually add clamav to the amavis group: >>> >>> gpasswd -a clamav amavis >>> >>> >>> so I did: >>> >>> gpasswd -a clam amavis >>> >>> >>> So far, it seems just changing what userid is now used by clamav... >>> >>> But in testing for spam I see the following in /var/log/maillog >>> >>> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) >>> FAILED - unexpected , >>> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: >>> lstat() failed: Permission denied. ERROR\n" >>> >>> I checked this directory tree and all along the tree the permissions are >>> to amavis:amavis >>> >>> So where is my permission problem? >>> >>> >>> ___ >>> CentOS mailing list >>> CentOS@centos.org >>> http://lists.centos.org/mailman/listinfo/centos >> ___ >> CentOS mailing list >> CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos > What are the permission for /var/spool/amavisd. Did you try: service clam stop service clam start Instead of: restart? (it is not the same) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] permission problems with avamis and Centos 6.3
Thank you for your suggestion, but it did not fix the permissions problem. On 01/24/2013 10:13 AM, Rob wrote: > usermod -a -G amavis clam How is this different from: gpasswd -a clam amavis And I am still getting the permissions error. > service clamd restart > > be happy > > On 24.01.2013, at 04:16, Robert Moskowitz wrote: > >> I am trying to follow: >> >> http://wiki.centos.org/HowTos/Amavisd >> >> Which seems to really be written for Centos 5, with just some selinux >> references for Centos 6. There are real problems here for Centos 6 with >> the userids section. >> >> It gives the following command and result: >> >> cat /etc/passwd | grep "amavis\|clamav" >> clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin >> amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh >> >> But my Centos 6.3 has: >> >> clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin >> amavis:x:493:489::/var/spool/amavisd:/sbin/nologin >> >> Note the difference in userid clam instead of clamav. So this causes >> problems with the group recommendation: >> >> In addition, the clamav user should automatically have been added to the >> amavis group: >> >> # groups clamav >> clamav : clamav amavis >> >> If not, you can manually add clamav to the amavis group: >> >> gpasswd -a clamav amavis >> >> >> so I did: >> >> gpasswd -a clam amavis >> >> >> So far, it seems just changing what userid is now used by clamav... >> >> But in testing for spam I see the following in /var/log/maillog >> >> Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) >> FAILED - unexpected , >> output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: >> lstat() failed: Permission denied. ERROR\n" >> >> I checked this directory tree and all along the tree the permissions are >> to amavis:amavis >> >> So where is my permission problem? >> >> >> ___ >> CentOS mailing list >> CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] permission problems with avamis and Centos 6.3
usermod -a -G amavis clam service clamd restart be happy On 24.01.2013, at 04:16, Robert Moskowitz wrote: > I am trying to follow: > > http://wiki.centos.org/HowTos/Amavisd > > Which seems to really be written for Centos 5, with just some selinux > references for Centos 6. There are real problems here for Centos 6 with > the userids section. > > It gives the following command and result: > > cat /etc/passwd | grep "amavis\|clamav" > clamav:x:101:102:Clam Anti Virus Checker:/var/clamav:/sbin/nologin > amavis:x:102:103:Amavis email scan user:/var/amavis:/bin/sh > > But my Centos 6.3 has: > > clam:x:494:490:Clam Anti Virus Checker:/var/lib/clamav:/sbin/nologin > amavis:x:493:489::/var/spool/amavisd:/sbin/nologin > > Note the difference in userid clam instead of clamav. So this causes > problems with the group recommendation: > > In addition, the clamav user should automatically have been added to the > amavis group: > > # groups clamav > clamav : clamav amavis > > If not, you can manually add clamav to the amavis group: > > gpasswd -a clamav amavis > > > so I did: > > gpasswd -a clam amavis > > > So far, it seems just changing what userid is now used by clamav... > > But in testing for spam I see the following in /var/log/maillog > > Jan 23 15:56:17 test1 amavis[25669]: (25669-01) (!)run_av (ClamAV-clamd) > FAILED - unexpected , > output="/var/spool/amavisd/tmp/amavis-20130123T155617-25669/parts: > lstat() failed: Permission denied. ERROR\n" > > I checked this directory tree and all along the tree the permissions are > to amavis:amavis > > So where is my permission problem? > > > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos