09-19-2012, 11:36 AM
Bill Shirley

Clamd and systemd

On 9/19/2012 5:47 AM, Arthur Dent wrote:

>> "What tells it that it is a "scan" service? That bit of the puzzle seems
>> to be missing..."
>>
>> Whatever is the parameter after the @ and before the dot becomes %i in
>> the service file. Look at the service file:
>> [Unit]
>> Description = clamd scanner (%i) daemon
>> After = syslog.target nss-lookup.target network.target
>>
>> [Service]
>> Type = simple
>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>> Restart = on-failure
>> PrivateTmp = true
>>
>> so clamd@scan.service invokes clamd with the scan.conf file as its
>> configuration file.
>> This way you can have multiple clamd services each using a different
>> config file. Just create another config file in
>> /etc/clamd.d/my_config.conf and:
>> ln -s /lib/systemd/system/clamd@.service /etc/systemd/system/clamd@my_config.service
>>
>> You should have the /etc/clamd.d/scan.conf I think:
>>
>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>> clamav-scanner-0.97.5-1700.fc17.noarch
>
> Thank you Bill for a helpful and, more importantly, informative reply. I
> think this will not only help me to solve my problem but, even better,
> help me to understand where I was going wrong.
>
> As before, I don't have access to the machine right now, so I will try
> when I get home to work through this and get it right.
>
> I will once again report back later...
>
> Thanks again. Your help is much appreciated.
>
> Mark




You mentioned scanning email. I run clamav-milter and stop the virus at
smtp time. You may find this helpful:


[root@moses clamav]# rpm -qa | grep clam | sort
clamav-data-0.97.5-1700.fc17.noarch
clamav-filesystem-0.97.5-1700.fc17.noarch
clamav-lib-0.97.5-1700.fc17.x86_64
clamav-milter-0.97.5-1700.fc17.x86_64
clamav-milter-systemd-0.97.5-1700.fc17.noarch
clamav-scanner-0.97.5-1700.fc17.noarch
clamav-scanner-systemd-0.97.5-1700.fc17.noarch
clamav-server-0.97.5-1700.fc17.x86_64
clamav-server-systemd-0.97.5-1700.fc17.noarch
clamav-update-0.97.5-1700.fc17.x86_64

For clamav-milter, I had to add clamilt to the postfix group (usermod -a
-G postfix clamilt):

[root@moses clamav]# egrep 'post|clam' /etc/group
mail:x:12:postfix
postfix:x:89:clamilt
postdrop:x:90:
clamscan:x:987:clamilt
clamilt:x:988:postfix
clamupdate:x:989:


Add to the end of /etc/mail/clamav-milter.conf:
# my stuff
# be sure to comment out above: Example

ClamdSocket unix:/var/run/clamd.scan/clamd.sock
MilterSocket /var/run/clamav-milter/clamav-milter.socket
##MilterSocket inet:3381
# usermod -a -G postfix clamilt
MilterSocketGroup postfix
MilterSocketMode 660

OnInfected Reject
AddHeader Replace

#LogFile /var/log/clamav-milter.log
#LogFileMaxSize 1M
#LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
#LogVerbose no
LogClean Basic
LogInfected Full

Add to postfix's main.cf:
# usermod -a -G clamilt postfix
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
#milter_default_action = accept
milter_default_action = tempfail

I can't remember if I had to create the directory, but here is that info:
[root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
drwxr-xr-x. root    root    system_u:object_r:var_t:s0           /var
lrwxrwxrwx. root    root    system_u:object_r:var_run_t:s0       /var/run -> ../run
drwx--x---. clamilt clamilt system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter
srw-rw----. clamilt postfix system_u:object_r:clamd_var_run_t:s0 /var/run/clamav-milter/clamav-milter.socket



For clamav, to avoid selinux problems issue command:
setsebool -P clamd_use_jit on

Add to end of scan.conf:
# my stuff
# be sure to comment out above: Example

#LogFile /var/log/clamav/clamd.scan
#LogFacility LOG_MAIL
LogFacility LOG_DAEMON
ExtendedDetectionInfo yes
LocalSocket /var/run/clamd.scan/clamd.sock
#LocalSocketGroup virusgroup
#LocalSocketMode 660
FixStaleSocket yes
CrossFilesystems no
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/fuse/
ExcludePath ^/backup/
ExcludePath ^/bacula/
SelfCheck 3600


And finally freshclam, add to the end of freshclam.conf:
# my stuff
LogFacility LOG_DAEMON
DatabaseMirror db.US.clamav.net
TestDatabases yes


Note in all the clamav configuration files there is a line:
Example
that has to be commented out for the service to run.

Don't forget to systemctl enable these two services:
[root@moses clamav]# systemctl is-active clamav-milter.service
active
[root@moses clamav]# systemctl is-active clamd@scan.service
active

Hope this helps,
Bill



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
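
The template-unit mapping (`clamd@<instance>.service` loads `/etc/clamd.d/<instance>.conf`) and the socket wiring between clamd, clamav-milter and postfix described in the post above can be checked mechanically. The script below is an added example, not part of the original post or of the ClamAV packages; the function names are hypothetical, the sample files are constructed from the values shown in the post, and the `my_config` socket path is an assumed value.

```shell
#!/bin/sh
# Added example: audit the clamd / clamav-milter / postfix wiring.
# Function names are hypothetical; the sample files are constructed.

# clamd@scan.service -> scan (the text systemd substitutes for %i).
unit_instance() {
    u=${1%.service}
    case $u in
        *@?*) printf '%s\n' "${u#*@}" ;;
        *)    return 1 ;;   # plain unit or bare template: no instance name
    esac
}

# Config file the unit's ExecStart (-c /etc/clamd.d/%i.conf) will load.
instance_conf() {
    inst=$(unit_instance "$1") || return 1
    printf '%s/%s.conf\n' "${2:-/etc/clamd.d}" "$inst"
}

# First active (uncommented) "Key value" directive in a ClamAV-style file.
clam_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Last "key = value" assignment in a postfix main.cf (the last one wins).
postfix_value() { sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# True while the stock "Example" line is still uncommented.
example_active() { grep -Eq '^[[:space:]]*Example[[:space:]]*$' "$1"; }

# Args: clamd instance conf, clamav-milter.conf, postfix main.cf.
# Prints one line per problem; returns 0 only if nothing was found.
# Assumes smtpd_milters lists a single milter, as in the post.
audit_wiring() {
    rc=0
    for f in "$1" "$2"; do
        if example_active "$f"; then
            echo "FAIL $f: 'Example' is not commented out"; rc=1
        fi
    done
    clamd_sock=$(clam_value "$1" LocalSocket)
    milter_clamd=$(clam_value "$2" ClamdSocket)
    if [ -z "$clamd_sock" ] || [ "${milter_clamd#unix:}" != "$clamd_sock" ]; then
        echo "FAIL milter ClamdSocket '$milter_clamd' != clamd LocalSocket '$clamd_sock'"; rc=1
    fi
    milter_sock=$(clam_value "$2" MilterSocket)
    smtpd=$(postfix_value "$3" smtpd_milters)
    if [ -z "$milter_sock" ] || [ "${smtpd#unix:}" != "${milter_sock#unix:}" ]; then
        echo "FAIL postfix smtpd_milters '$smtpd' != MilterSocket '$milter_sock'"; rc=1
    fi
    if [ "$(postfix_value "$3" milter_default_action)" = accept ]; then
        echo "FAIL milter_default_action=accept: mail passes unscanned if the milter is down"; rc=1
    fi
    return $rc
}

# Constructed sample files: scan.conf is wired as in the post, my_config.conf
# is a second instance that the milter does not point at.
make_sample() {
    d=$1
    mkdir -p "$d/clamd.d"
    cat > "$d/clamd.d/scan.conf" <<'EOF'
#Example
LocalSocket /var/run/clamd.scan/clamd.sock
EOF
    cat > "$d/clamd.d/my_config.conf" <<'EOF'
Example
LocalSocket /var/run/clamd.my_config/clamd.sock
EOF
    cat > "$d/clamav-milter.conf" <<'EOF'
#Example
ClamdSocket unix:/var/run/clamd.scan/clamd.sock
MilterSocket /var/run/clamav-milter/clamav-milter.socket
##MilterSocket inet:3381
EOF
    cat > "$d/main.cf" <<'EOF'
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
#milter_default_action = accept
milter_default_action = tempfail
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    for unit in clamd@scan.service clamd@my_config.service; do
        conf=$(instance_conf "$unit" "$d/clamd.d")
        echo "== $unit -> $conf"
        audit_wiring "$conf" "$d/clamav-milter.conf" "$d/main.cf" && echo "OK"
    done
    rm -rf "$d"
}
demo
```

On a real host, pass the three real paths to `audit_wiring` instead of the constructed samples.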
 
09-19-2012, 02:24 PM
"Arthur Dent"

Clamd and systemd

>
> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>> seems
>>> to be missing..."
>>>
>>> Whatever is the parameter after the @ and before the dot becomes %i in
>>> the service file. Look at the service file:
>>> [Unit]
>>> Description = clamd scanner (%i) daemon
>>> After = syslog.target nss-lookup.target network.target
>>>
>>> [Service]
>>> Type = simple
>>> ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
>>> Restart = on-failure
>>> PrivateTmp = true
>>>
>>> so clamd@scan.service invokes clamd with the scan.conf file as its
>>> configuration file.
>>> This way you can have multiple clamd services each using a different
>>> config file. Just create another config file in
>>> /etc/clamd.d/my_config.conf and:
>>> ln -s /lib/systemd/system/clamd@.service
>>> /etc/systemd/system/clamd@my_config.service
>>>
>>> You should have the /etc/clamd.d/scan.conf I think:
>>>
>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>> Thank you Bill for a helpful and, more importantly, informative reply. I
>> think this will not only help me to solve my problem but, even better,
>> help me to understand where I was going wrong.
>>
>> As before, I don't have access to the machine right now, so I will try
>> when I get home to work through this and get it right.
>>
>> I will once again report back later...
>>
>> Thanks again. Your help is much appreciated.
>>
>> Mark
>>
>>
>
> You mentioned scanning email. I run clamav-milter and stop the virus at
> smtp time. You may find this helpful:
>
[Snip of some very useful stuff]

Thanks (again!) Bill,

That is very interesting. I have to say however, that my machine is a
simple home system serving web and mail for me and my family only.

I collect mail from (several) ISPs using fetchmail and then procmail to
scan (clamd and spamd) and filter into folders.

I am on a dynamic IP address so, whilst I know it is not impossible,
running my own SMTP operation is more work than I wish to take on at this
time. I have thought about this, but I think it will have to be an
interesting project for when I retire - in about 10yrs time... (unless you
can convince me otherwise!)

Thanks again

Mark


 
09-19-2012, 07:21 PM
Daniel J Walsh

Clamd and systemd

On 09/19/2012 07:36 AM, Bill Shirley wrote:
> For clamav, to avoid selinux problems issue command: setsebool -P
> clamd_use_jit on
Is this the default setting for clamd now? clamd_use_jit on Should we turn
this on by default?
 
09-19-2012, 07:36 PM
Arthur Dent

Clamd and systemd

On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:
> > "What tells it that it is a "scan" service? That bit of the puzzle seems
> > to be missing..."
> >
> > Whatever is the parameter after the @ and before the dot becomes %i in
> > the service file. Look at the service file:
> > [Unit]
> > Description = clamd scanner (%i) daemon
> > After = syslog.target nss-lookup.target network.target
> >
> > [Service]
> > Type = simple
> > ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
> > Restart = on-failure
> > PrivateTmp = true
> >
> > so clamd@scan.service invokes clamd with the scan.conf file as its
> > configuration file.
> > This way you can have multiple clamd services each using a different
> > config file. Just create another config file in
> > /etc/clamd.d/my_config.conf and:
> > ln -s /lib/systemd/system/clamd@.service
> > /etc/systemd/system/clamd@my_config.service
> >
> > You should have the /etc/clamd.d/scan.conf I think:
> >
> > [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
> > clamav-scanner-0.97.5-1700.fc17.noarch
>
> Thank you Bill for a helpful and, more importantly, informative reply. I
> think this will not only help me to solve my problem but, even better,
> help me to understand where I was going wrong.
>
> As before, I don't have access to the machine right now, so I will try
> when I get home to work through this and get it right.
>
> I will once again report back later...

Well... Progress!

Because I have done so much tinkering and editing of configs (and had
previously even tried the script I mentioned earlier) I was unsure as to
what should be where, so I blitzed every clam* package with yum erase,
ran updatedb and then deleted any and all clam* files and directories
still left. I also deleted the clam* users that had been created
(including a "clamd" user that I had created myself), and then
reinstalled the lot.

A quick edit of the freshclam configs and the /etc/clamd.d/scan.conf
file and a call to systemctl enable clamd@scan.service and systemctl
start clamd@scan.service and I am up and running!

Thank you so much.

All is not _quite_ perfect however. In calling clamdscan from my script
(itself called from procmail) I get the error:
ERROR: Can't parse clamd configuration file /etc/clamd.conf

Note the config file and location. In order to get it to work (which it
does), I need to declare clamdscan in my script as:
"/bin/clamdscan -c/etc/clamd.d/scan.conf"

So where does it default to /etc/clamd.conf ? I have grepped the whole
of /etc/* and can't find a reference to this location, and there is
no /etc/sysconfig/clamd as there used to be.

I think this is the last remaining mystery. After I have solved this I
will be a very happy bunny!

Thank you again.

Mark



 
09-19-2012, 08:41 PM
Bill Shirley

Clamd and systemd

On 9/19/2012 3:21 PM, Daniel J Walsh wrote:

> Is this the default setting for clamd now? clamd_use_jit on Should we turn
> this on by default?

I can't speak for everyone else, but with my setup, I was getting
selinux errors with clamd. When I ran audit2allow it said to set this
boolean to eliminate the errors.


Bill


 
09-19-2012, 08:51 PM
Daniel J Walsh

Clamd and systemd

On 09/19/2012 04:41 PM, Bill Shirley wrote:
>> Is this the default setting for clamd now? clamd_use_jit on Should we
>> turn this on by default?
>
> I can't speak for everyone else, but with my setup, I was getting selinux
> errors with clamd. When I ran audit2allow it said to set this boolean to
> eliminate the errors.
>
> Bill
>
Well had you changed any default settings in clamd to turn on JIT or does it
come with JIT turned on by default?
 
09-19-2012, 09:00 PM
Bill Shirley

Clamd and systemd

On 9/19/2012 3:36 PM, Arthur Dent wrote:



> Well... Progress!
>
> Because I have done so much tinkering and editing of configs (and had
> previously even tried the script I mentioned earlier) I was unsure as to
> what should be where, so I blitzed every clam* package with yum erase,
> ran updatedb and then deleted any and all clam* files and directories
> still left. I also deleted the clam* users that had been created
> (including a "clamd" user that I had created myself), and then
> reinstalled the lot.
>
> A quick edit of the freshclam configs and the /etc/clamd.d/scan.conf
> file and a call to systemctl enable clamd@scan.service and systemctl
> start clamd@scan.service and I am up and running!
>
> Thank you so much.
>
> All is not _quite_ perfect however. In calling clamdscan from my script
> (itself called from procmail) I get the error:
> ERROR: Can't parse clamd configuration file /etc/clamd.conf
>
> Note the config file and location. In order to get it to work (which it
> does), I need to declare clamdscan in my script as:
> "/bin/clamdscan -c/etc/clamd.d/scan.conf"
>
> So where does it default to /etc/clamd.conf ? I have grepped the whole
> of /etc/* and can't find a reference to this location, and there is
> no /etc/sysconfig/clamd as there used to be.
>
> I think this is the last remaining mystery. After I have solved this I
> will be a very happy bunny!
>
> Thank you again.
>
> Mark

/etc/clamd.conf is the old location for the config file. With the
flexibility of systemd allowing multiple daemons running, I think
the packager changed things to use /etc/clam.d/scan.conf but didn't
catch this change for clamdscan.

I also run a Mandriva mail server that uses procmail to deliver
mail. Here is a snippet of my IMAP recipe:

:0
VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -

:0
* VIRUS ?? !^Can't
{
  :0
  * VIRUS ?? !^OK
  {
    :0
    SUBJECT=| egrep '^Subject:' - | sed -e 's/Subject: //' -

    :0 fw
    | formail -i "Subject: [VIRUS: ${VIRUS}] ${SUBJECT}" -I "X-Clamav-Virus-Detected: Yes, ${VIRUS}"

    :0
    $DEFAULT.SystemFolders.Infected/
  }

  :0Efw
  | formail -b -f -t -I "X-Clamav-Virus-Detected: No"
}

To be honest, I don't remember what all the commands do except when
it detects a spam email it puts it in a different directory
($DEFAULT.SystemFolders.Infected/). This Mandriva server uses
/etc/clamd.conf.

Bill
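
What the recipe's VIRUS variable ends up holding for each kind of scanner line, and how the two conditions then route the message, shown next to a stricter classification that treats every unrecognised line as a scan error. This is an added example, not part of the original post; the function names are hypothetical, the `stream:` lines and the second error line are constructed samples in the `name: result` shape the recipe assumes, and the first error line is the one quoted in this thread.

```shell
#!/bin/sh
# Added example: how the recipe interprets clamdscan output, and a stricter
# alternative. Function names are hypothetical.

# The recipe's extraction: second space-separated word of the scanner line.
recipe_field() { printf '%s\n' "$1" | cut -d' ' -f2 -; }

# How the recipe routes the message given that word. procmail conditions are
# case-insensitive by default, so the word is lower-cased before matching.
recipe_route() {
    w=$(recipe_field "$1" | tr '[:upper:]' '[:lower:]')
    case $w in
        "can't"*) echo untouched ;;  # outer condition fails: no header, normal delivery
        ok*)      echo clean ;;      # X-Clamav-Virus-Detected: No
        *)        echo infected ;;   # any other word is used as the virus name
    esac
}

# Stricter reading: only "<name>: OK" is clean, only "<name>: <sig> FOUND"
# is infected, and everything else (errors, empty output) is an error.
classify() {
    case $1 in
        *": OK")        echo clean ;;
        *": "*" FOUND") sig=${1#*: }; echo "infected ${sig% FOUND}" ;;
        *)              echo error ;;
    esac
}

demo() {
    while IFS= read -r line; do
        printf '%-10s %-30s %s\n' "$(recipe_route "$line")" "$(classify "$line")" "$line"
    done <<'EOF'
stream: OK
stream: Eicar-Test-Signature FOUND
ERROR: Can't parse clamd configuration file /etc/clamd.conf
ERROR: scanner unavailable
EOF
}
demo
```

The last sample line and an empty scanner output both land in the recipe's infected branch, while the parse error from this thread is delivered with no header at all.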





 
09-19-2012, 09:10 PM
Bill Shirley

Clamd and systemd

> Well had you changed any default settings in clamd to turn on JIT or does it
> come with JIT turned on by default?


I must have. My best guess is the TestDatabases in freshclam.conf:
# my stuff
LogFacility LOG_DAEMON
DatabaseMirror db.US.clamav.net
TestDatabases yes

Bill

 
Old 09-19-2012, 09:54 PM
Arthur Dent
 
Default Clamd and systemd

On Wed, 2012-09-19 at 17:00 -0400, Bill Shirley wrote:
>
> On 9/19/2012 3:36 PM, Arthur Dent wrote:
>
> > On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:

> >
> > All is not _quite_ perfect however. In calling clamdscan from my script
> > (itself called from procmail) I get the error:
> > ERROR: Can't parse clamd configuration file /etc/clamd.conf
> >
> > Note the config file and location. In order to get it to work (which it
> > does), I need to declare clamdscan in my script as:
> > "/bin/clamdscan -c/etc/clamd.d/scan.conf"
> >
> > So where does it default to /etc/clamd.conf ? I have grepped the whole
> > of /etc/* and can't find a reference to this location, and there is
> > no /etc/sysconfig/clamd as there used to be.
> >
> > I think this is the last remaining mystery. After I have solved this I
> > will be a very happy bunny!

> /etc/clamd.conf is the old location for the config file. With the
> flexibility of systemd allowing multiple daemons running, I think the
> packager changed things to use /etc/clam.d/scan.conf but didn't catch
> this change for clamdscan.

Yes I know that /etc/clamd.conf is the old location. What I can't work
out is why it still thinks that's where it is. Is it hard-coded
somewhere?

> I also run a Mandriva mail server that uses procmail to deliver mail.
> Here is a snippet of my IMAP recipe:
> :0
> VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -
>
[snip] useful recipe (similar to mine). The thing is, for me "clamdscan
--no-summary --stdout" won't work. I need to tell it explicitly where
the config file is. I have this in my script:
CLAMSCAN="/bin/clamdscan -c/etc/clamd.d/scan.conf"
CLAMSCANOPT="--no-summary --stdout"

and call it with ${CLAMSCAN} ${CLAMSCANOPT} - < ${MSGTMP}

The same thing happens on the command line:
# clamdscan -V
ERROR: Can't parse clamd configuration file /etc/clamd.conf
# clamdscan -c /etc/clamd.d/scan.conf -V
ClamAV 0.97.5/15376/Wed Sep 19 19:35:38 2012

Any ideas?

Thanks (yet) again...

Mark


 
Old 09-19-2012, 10:10 PM
Bill Shirley
 
Default Clamd and systemd

On 9/19/2012 5:54 PM, Arthur Dent wrote:
> On Wed, 2012-09-19 at 17:00 -0400, Bill Shirley wrote:
> > On 9/19/2012 3:36 PM, Arthur Dent wrote:
> > > On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:
> > >
> > > All is not _quite_ perfect however. In calling clamdscan from my script
> > > (itself called from procmail) I get the error:
> > > ERROR: Can't parse clamd configuration file /etc/clamd.conf
> > >
> > > Note the config file and location. In order to get it to work (which it
> > > does), I need to declare clamdscan in my script as:
> > > "/bin/clamdscan -c/etc/clamd.d/scan.conf"
> > >
> > > So where does it default to /etc/clamd.conf ? I have grepped the whole
> > > of /etc/* and can't find a reference to this location, and there is
> > > no /etc/sysconfig/clamd as there used to be.
> > >
> > > I think this is the last remaining mystery. After I have solved this I
> > > will be a very happy bunny!
> >
> > /etc/clamd.conf is the old location for the config file. With the
> > flexibility of systemd allowing multiple daemons running, I think the
> > packager changed things to use /etc/clam.d/scan.conf but didn't catch
> > this change for clamdscan.
>
> Yes I know that /etc/clamd.conf is the old location. What I can't work
> out is why it still thinks that's where it is. Is it hard-coded
> somewhere?
>
> > I also run a Mandriva mail server that uses procmail to deliver mail.
> > Here is a snippet of my IMAP recipe:
> > :0
> > VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -
>
> [snip] useful recipe (similar to mine). The thing is, for me "clamdscan
> --no-summary --stdout" won't work. I need to tell it explicitly where
> the config file is. I have this in my script:
> CLAMSCAN="/bin/clamdscan -c/etc/clamd.d/scan.conf"
> CLAMSCANOPT="--no-summary --stdout"
>
> and call it with ${CLAMSCAN} ${CLAMSCANOPT} - < ${MSGTMP}
>
> The same thing happens on the command line:
> # clamdscan -V
> ERROR: Can't parse clamd configuration file /etc/clamd.conf
> # clamdscan -c /etc/clamd.d/scan.conf -V
> ClamAV 0.97.5/15376/Wed Sep 19 19:35:38 2012
>
> Any ideas?
>
> Thanks (yet) again...
>
> Mark

Yes, I would just symlink it.

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf



Bill




