FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 09-20-2012, 09:02 AM
Zdenek Pytela
 
Default Clamd and systemd

Arthur Dent pise:
> Well sadly no joy...
>
> # yum install clamav-scanner-systemd
>
> # systemctl enable clamd.scan.service
> Failed to issue method call: No such file or directory
Just for the record: there are differences between f16 and f17, the
f16's /lib/systemd/system/clamd.scan.service from clamav-scanner-systemd
changed to
/lib/systemd/system/clamd@scan.service from clamav-scanner-systemd and
clamd@.service from clamav-server-systemd which is called by the former one
in f 17 - sorry for confusing.

The scanning service calls executable
/usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
The config file /etc/clamd.d/scan.conf should be adjusted to your needs.

--

--Zdenek Pytela, <pytela@phil.muni.cz>

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 09:10 AM
Bill Shirley
 
Default Clamd and systemd

On 9/20/2012 5:02 AM, Zdenek Pytela wrote:

Arthur Dent pise:

Well sadly no joy...

# yum install clamav-scanner-systemd

# systemctl enable clamd.scan.service
Failed to issue method call: No such file or directory

Just for the record: there are differences between f16 and f17, the
f16's /lib/systemd/system/clamd.scan.service from clamav-scanner-systemd
changed to
/lib/systemd/system/clamd@scan.service from clamav-scanner-systemd and
clamd@.service from clamav-server-systemd which is called by the former one
in f 17 - sorry for confusing.

The scanning service calls executable
/usr/sbin/clamd -c /etc/clamd.d/%i.conf --nofork=yes
The config file /etc/clamd.d/scan.conf should be adjusted to your needs.

Thanks for pointing that out. I hadn't notice the difference. I have a
F16 server also and:

[root@elvis ~]# systemctl is-active clamd.scan.service
active

Bill

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 09:38 AM
Zdenek Pytela
 
Default Clamd and systemd

Daniel J Walsh pise:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/19/2012 07:36 AM, Bill Shirley wrote:
> >
> > On 9/19/2012 5:47 AM, Arthur Dent wrote:
> >>> "What tells it that it is a "scan" service? That bit of the puzzle
> >>> seems to be missing..."
> >>>
> >>> Whatever is the parameter after the @ and before the dot becomes %i
> >>> in the service file. Look at the service file: [Unit] Description =
> >>> clamd scanner (%i) daemon After = syslog.target nss-lookup.target
> >>> network.target
> >>>
> >>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c
> >>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp =
> >>> true
> >>>
> >>> so clamd@scan.service invokes clamd with the scan.conf file as it's
> >>> configuration file. This way you can have multiple clamd services each
> >>> using a different config file. Just create another config file in
> >>> /etc/clamd.d/my_config.conf and: ln -s
> >>> /lib/systemd/system/clamd@.service
> >>> /etc/systemd/system/clamd@my_config.service
> >>>
> >>> You should have the /etc/clamd.d/scan.conf I think:
> >>>
> >>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
> >>> clamav-scanner-0.97.5-1700.fc17.noarch
> >> Thank you Bill for a helpful and, more importantly, informative reply. I
> >> think this will not only help me to solve my problem but, even better,
> >> help me to understand where I was going wrong.
> >>
> >> As before, I don't have access to the machine right now, so i will try
> >> when I get home to work through this and get it right.
> >>
> >> I will once again report back later...
> >>
> >> Thanks again. Your help is much appreciated.
> >>
> >> Mark
> >>
> >>
> >
> > You mentioned scanning email. I run clamav-milter and stop the virus at
> > smtp time. You may find this helpful:
> >
> > [root@moses clamav]# rpm -qa | grep clam | sort
> > clamav-data-0.97.5-1700.fc17.noarch
> > clamav-filesystem-0.97.5-1700.fc17.noarch
> > clamav-lib-0.97.5-1700.fc17.x86_64 clamav-milter-0.97.5-1700.fc17.x86_64
> > clamav-milter-systemd-0.97.5-1700.fc17.noarch
> > clamav-scanner-0.97.5-1700.fc17.noarch
> > clamav-scanner-systemd-0.97.5-1700.fc17.noarch
> > clamav-server-0.97.5-1700.fc17.x86_64
> > clamav-server-systemd-0.97.5-1700.fc17.noarch
> > clamav-update-0.97.5-1700.fc17.x86_64
> >
> > For clamav-milter, I had to add clamilt to the postfix group (usermod -a
> > -G postfix clamilt): [root@moses clamav]# egrep 'post|clam' /etc/group
> > mail:x:12ostfix postfix:x:89:clamilt postdrop:x:90:
> > clamscan:x:987:clamilt clamilt:x:988ostfix clamupdate:x:989:
> >
> >
> > Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure to
> > comment out above: Example
> >
> > ClamdSocket unix:/var/run/clamd.scan/clamd.sock MilterSocket
> > /var/run/clamav-milter/clamav-milter.socket ##MilterSocket
> > inet:3381 # usermod -a -G postfix clamilt MilterSocketGroup postfix
> > MilterSocketMode 660
> >
> > OnInfected Reject AddHeader Replace
> >
> > #LogFile /var/log/clamav-milter.log #LogFileMaxSize
> > 1M #LogTime yes LogSyslog yes LogFacility
> > LOG_MAIL #LogVerbose no LogClean Basic
> > LogInfected Full
> >
> > Add to postfix's main.cf: # usermod -a -G clamilt postfix smtpd_milters =
> > unix:/var/run/clamav-milter/clamav-milter.socket #milter_default_action =
> > accept milter_default_action = tempfail
> >
> > I can't remember if I had to create the directory, but here is that info:
> > [root@moses clamav]# ldpz /var/run/clamav-milter/clamav-milter.socket
> > drwxr-xr-x. root root system_ubject_r:var_t:s0 /var
> > lrwxrwxrwx. root root system_ubject_r:var_run_t:s0 /var/run ->
> > ../run drwx--x---. clamilt clamilt system_ubject_r:clamd_var_run_t:s0
> > /var/run/clamav-milter srw-rw----. clamilt postfix
> > system_ubject_r:clamd_var_run_t:s0
> > /var/run/clamav-milter/clamav-milter.socket
> >
> >
> > For clamav, to avoid selinux problems issue command: setsebool -P
> > clamd_use_jit on
> >
> > Add to end of scan.conf: # my stuff # be sure to commend out above:
> > Example
> >
> > #LogFile /var/log/clamav/clamd.scan #LogFacility
> > LOG_MAIL LogFacility LOG_DAEMON ExtendedDetectionInfo yes
> > LocalSocket /var/run/clamd.scan/clamd.sock #LocalSocketGroup
> > virusgroup #LocalSocketMode 660 FixStaleSocket yes
> > CrossFilesystems no ExcludePath ^/proc/ ExcludePath
> > ^/sys/ ExcludePath ^/fuse/ ExcludePath ^/backup/
> > ExcludePath ^/bacula/ SelfCheck 3600
> >
> >
> > And finally freshclam, add to the end of freshclam.conf: # my stuff
> > LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases yes
> >
> >
> > Note in all the clamav configuration file there is a line: Example that has
> > to be commented out for the service to run.
> >
> > Don't forget to systemctl enable these to services: [root@moses clamav]#
> > systemctl is-active clamav-milter.service active [root@moses clamav]#
> > systemctl is-active clamd@scan.service active
> >
> > Hope this helps, Bill
> >
> >
> >
> Is this the default setting for clamd now? clamd_use_jit on Should we turn
> this on by default?
On a fresh install there is

# Bytecode mode
#
# This option has been set to 'ForceInterpreter' in Fedora due to
# security concerns by default. You might need to enable the
# 'clamd_use_jit' SELinux boolean after setting this option to the
# more efficient 'ForceJIT' value.
#
# Default: ForceInterpreter
#ByteCodeMode ForceInterpreter

We didn't change this, but had to change clamd_use_jit --> on.

--

--Zdenek Pytela, <pytela@phil.muni.cz>

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 09:47 AM
Zdenek Pytela
 
Default Clamd and systemd

Arthur Dent pise:
> On Wed, 2012-09-19 at 17:00 -0400, Bill Shirley wrote:
> >
> > On 9/19/2012 3:36 PM, Arthur Dent wrote:
> >
> > > On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:
>
> > >
> > > All is not _quite_ perfect however. In calling clamdscan from my script
> > > (itself called from procmail) I get the error:
> > > ERROR: Can't parse clamd configuration file /etc/clamd.conf
> > >
> > > Note the config file and location. In order to get it to work (which it
> > > does), I need to declare clamdscan in my script as:
> > > "/bin/clamdscan -c/etc/clamd.d/scan.conf"
> > >
> > > So where does it default to /etc/clamd.conf ? I have grepped the whole
> > > of /etc/* and can't find a reference to this location, and there is
> > > no /etc/sysconfig/clamd as there used to be.
> > >
> > > I think this is the last remaining mystery. After I have solved this I
> > > will be a very happy bunny!
>
> > /etc/clamd.conf is the old location for the config file. With the
> > flexibility of systemd allowing multiple daemons running, I think the
> > packager changed things to use /etc/clam.d/scan.conf but didn't catch
> > this change for clamdscan.
>
> Yes I know that /etc/clamd.conf is the old location. What I can't work
> out is why it still thinks that's where it is. Is it hard-coded
> somewhere?
>
> > I also run a Mandriva mail server that uses procmail to deliver mail.
> > Here is a snippet of my IMAP recipe:
> > :0
> > VIRUS=| clamdscan --no-summary --stdout - | cut -d' ' -f2 -
> >
> [snip] useful recipe (similar to mine). The thing is, for me "clamdscan
> --no-summary --stdout" won't work. I need to tell it explicitly where
> the config file is. I have this in my script:
> CLAMSCAN="/bin/clamdscan -c/etc/clamd.d/scan.conf"
> CLAMSCANOPT="--no-summary --stdout"
>
> and call it with ${CLAMSCAN} ${CLAMSCANOPT} - < ${MSGTMP}
>
> The same thing happens on the command line:
> # clamdscan -V
> ERROR: Can't parse clamd configuration file /etc/clamd.conf
> # clamdscan -c /etc/clamd.d/scan.conf -V
> ClamAV 0.97.5/15376/Wed Sep 19 19:35:38 2012
>
> Any ideas?
Definitely it is hardcoded:
strings /bin/clamdscan
...
/etc/clamd.conf
...
or
strace -e open,stat -o /tmp/clamscan.strace clamdscan -V
...
open("/etc/clamd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
...

I guess that you can file a bug because the application doesn't work properly.

--

--Zdenek Pytela, <pytela@phil.muni.cz>

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-20-2012, 02:38 PM
"Arthur Dent"
 
Default Clamd and systemd

>
> On 9/19/2012 5:54 PM, Arthur Dent wrote:
>> On Wed, 2012-09-19 at 17:00 -0400, Bill Shirley wrote:
>>> On 9/19/2012 3:36 PM, Arthur Dent wrote:
>>>
>>>> On Wed, 2012-09-19 at 10:47 +0100, Arthur Dent wrote:
>>>>

>> [snip] useful recipe (similar to mine). The thing is, for me "clamdscan
>> --no-summary --stdout" won't work. I need to tell it explicitly where
>> the config file is. I have this in my script:
>> CLAMSCAN="/bin/clamdscan -c/etc/clamd.d/scan.conf"
>> CLAMSCANOPT="--no-summary --stdout"
>>
>> and call it with ${CLAMSCAN} ${CLAMSCANOPT} - < ${MSGTMP}
>>
>> The same thing happens on the command line:
>> # clamdscan -V
>> ERROR: Can't parse clamd configuration file /etc/clamd.conf
>> # clamdscan -c /etc/clamd.d/scan.conf -V
>> ClamAV 0.97.5/15376/Wed Sep 19 19:35:38 2012
>>
>> Any ideas?
>>

> Yes, I would just symlink it.
> ln -s /etc/clamd.d/scan.conf /etc/clamd.conf
>

That sound you can hear?
It's my head thumping on the table! Doh! Why didn't I think of that?
Especially as I used exactly the same technique to solve a similar problem
a couple of months ago...

Thanks for jogging my memory. It will work of course, but it still feels a
bit of a kludge. Zdenek Pytela has pointed out that it does indeed seem to
be hardcoded so I think I might report it as a bug.

Thank you once again. I think I am all sorted now!

Cheers!

Mark

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 09:23 AM
"Arthur Dent"
 
Default Clamd and systemd

>>
>> On 9/19/2012 5:54 PM, Arthur Dent wrote:
[snip]

> Thanks for jogging my memory. It will work of course, but it still feels a
> bit of a kludge. Zdenek Pytela has pointed out that it does indeed seem to
> be hardcoded so I think I might report it as a bug.
>

https://bugzilla.redhat.com/show_bug.cgi?id=859339


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 01:43 PM
Daniel J Walsh
 
Default Clamd and systemd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/20/2012 05:38 AM, Zdenek Pytela wrote:
> Daniel J Walsh pise:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 09/19/2012 07:36 AM, Bill Shirley wrote:
>>>
>>> On 9/19/2012 5:47 AM, Arthur Dent wrote:
>>>>> "What tells it that it is a "scan" service? That bit of the puzzle
>>>>> seems to be missing..."
>>>>>
>>>>> Whatever is the parameter after the @ and before the dot becomes
>>>>> %i in the service file. Look at the service file: [Unit]
>>>>> Description = clamd scanner (%i) daemon After = syslog.target
>>>>> nss-lookup.target network.target
>>>>>
>>>>> [Service] Type = simple ExecStart = /usr/sbin/clamd -c
>>>>> /etc/clamd.d/%i.conf --nofork=yes Restart = on-failure PrivateTmp
>>>>> = true
>>>>>
>>>>> so clamd@scan.service invokes clamd with the scan.conf file as it's
>>>>> configuration file. This way you can have multiple clamd services
>>>>> each using a different config file. Just create another config
>>>>> file in /etc/clamd.d/my_config.conf and: ln -s
>>>>> /lib/systemd/system/clamd@.service
>>>>> /etc/systemd/system/clamd@my_config.service
>>>>>
>>>>> You should have the /etc/clamd.d/scan.conf I think:
>>>>>
>>>>> [root@moses shorewall]# rpm -qf /etc/clamd.d/scan.conf
>>>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>>> Thank you Bill for a helpful and, more importantly, informative
>>>> reply. I think this will not only help me to solve my problem but,
>>>> even better, help me to understand where I was going wrong.
>>>>
>>>> As before, I don't have access to the machine right now, so i will
>>>> try when I get home to work through this and get it right.
>>>>
>>>> I will once again report back later...
>>>>
>>>> Thanks again. Your help is much appreciated.
>>>>
>>>> Mark
>>>>
>>>>
>>>
>>> You mentioned scanning email. I run clamav-milter and stop the virus
>>> at smtp time. You may find this helpful:
>>>
>>> [root@moses clamav]# rpm -qa | grep clam | sort
>>> clamav-data-0.97.5-1700.fc17.noarch
>>> clamav-filesystem-0.97.5-1700.fc17.noarch
>>> clamav-lib-0.97.5-1700.fc17.x86_64
>>> clamav-milter-0.97.5-1700.fc17.x86_64
>>> clamav-milter-systemd-0.97.5-1700.fc17.noarch
>>> clamav-scanner-0.97.5-1700.fc17.noarch
>>> clamav-scanner-systemd-0.97.5-1700.fc17.noarch
>>> clamav-server-0.97.5-1700.fc17.x86_64
>>> clamav-server-systemd-0.97.5-1700.fc17.noarch
>>> clamav-update-0.97.5-1700.fc17.x86_64
>>>
>>> For clamav-milter, I had to add clamilt to the postfix group (usermod
>>> -a -G postfix clamilt): [root@moses clamav]# egrep 'post|clam'
>>> /etc/group mail:x:12ostfix postfix:x:89:clamilt postdrop:x:90:
>>> clamscan:x:987:clamilt clamilt:x:988ostfix clamupdate:x:989:
>>>
>>>
>>> Add to the end of /etc/mail/clamav-milter.conf: # my stuff # be sure
>>> to comment out above: Example
>>>
>>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>> MilterSocket /var/run/clamav-milter/clamav-milter.socket
>>> ##MilterSocket inet:3381 # usermod -a -G postfix clamilt
>>> MilterSocketGroup postfix MilterSocketMode 660
>>>
>>> OnInfected Reject AddHeader Replace
>>>
>>> #LogFile /var/log/clamav-milter.log #LogFileMaxSize 1M
>>> #LogTime yes LogSyslog yes LogFacility
>>> LOG_MAIL #LogVerbose no LogClean Basic
>>> LogInfected Full
>>>
>>> Add to postfix's main.cf: # usermod -a -G clamilt postfix smtpd_milters
>>> = unix:/var/run/clamav-milter/clamav-milter.socket
>>> #milter_default_action = accept milter_default_action = tempfail
>>>
>>> I can't remember if I had to create the directory, but here is that
>>> info: [root@moses clamav]# ldpz
>>> /var/run/clamav-milter/clamav-milter.socket drwxr-xr-x. root root
>>> system_ubject_r:var_t:s0 /var lrwxrwxrwx. root root
>>> system_ubject_r:var_run_t:s0 /var/run -> ../run drwx--x---. clamilt
>>> clamilt system_ubject_r:clamd_var_run_t:s0 /var/run/clamav-milter
>>> srw-rw----. clamilt postfix system_ubject_r:clamd_var_run_t:s0
>>> /var/run/clamav-milter/clamav-milter.socket
>>>
>>>
>>> For clamav, to avoid selinux problems issue command: setsebool -P
>>> clamd_use_jit on
>>>
>>> Add to end of scan.conf: # my stuff # be sure to commend out above:
>>> Example
>>>
>>> #LogFile /var/log/clamav/clamd.scan #LogFacility
>>> LOG_MAIL LogFacility LOG_DAEMON ExtendedDetectionInfo yes
>>> LocalSocket /var/run/clamd.scan/clamd.sock
>>> #LocalSocketGroup virusgroup #LocalSocketMode 660 FixStaleSocket
>>> yes CrossFilesystems no ExcludePath ^/proc/
>>> ExcludePath ^/sys/ ExcludePath ^/fuse/ ExcludePath
>>> ^/backup/ ExcludePath ^/bacula/ SelfCheck
>>> 3600
>>>
>>>
>>> And finally freshclam, add to the end of freshclam.conf: # my stuff
>>> LogFacility LOG_DAEMON DatabaseMirror db.US.clamav.net TestDatabases
>>> yes
>>>
>>>
>>> Note in all the clamav configuration file there is a line: Example that
>>> has to be commented out for the service to run.
>>>
>>> Don't forget to systemctl enable these to services: [root@moses
>>> clamav]# systemctl is-active clamav-milter.service active [root@moses
>>> clamav]# systemctl is-active clamd@scan.service active
>>>
>>> Hope this helps, Bill
>>>
>>>
>>>
>> Is this the default setting for clamd now? clamd_use_jit on Should we
>> turn this on by default?
> On a fresh install there is
>
> # Bytecode mode # # This option has been set to 'ForceInterpreter' in
> Fedora due to # security concerns by default. You might need to enable
> the # 'clamd_use_jit' SELinux boolean after setting this option to the #
> more efficient 'ForceJIT' value. # # Default: ForceInterpreter
> #ByteCodeMode ForceInterpreter
>
> We didn't change this, but had to change clamd_use_jit --> on.
>
Then I would open a bug with clamd.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBcbuYACgkQrlYvE4MpobPwDQCfToC2oaJq+A keqdoD2J9rPNus
uqcAoKQU6AAhhpUGqe+6LhSXPklNYgiS
=I0DO
-----END PGP SIGNATURE-----
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-21-2012, 01:54 PM
"Arthur Dent"
 
Default Clamd and systemd

> >>>>
>>> Is this the default setting for clamd now? clamd_use_jit on Should we
>>> turn this on by default?
>> On a fresh install there is
>>
>> # Bytecode mode # # This option has been set to 'ForceInterpreter' in
>> Fedora due to # security concerns by default. You might need to enable
>> the # 'clamd_use_jit' SELinux boolean after setting this option to the #
>> more efficient 'ForceJIT' value. # # Default: ForceInterpreter
>> #ByteCodeMode ForceInterpreter
>>
>> We didn't change this, but had to change clamd_use_jit --> on.
>>
> Then I would open a bug with clamd.

I have done nothing, but install and configure clamav (scanner + server)
and my logs are full of these:
=======================8<========================= ======================
LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory:
Permission denied
LibClamAV Warning: Bytecode: disabling JIT because SELinux is preventing
'execmem'
access.
Run 'setsebool -P clamd_use_jit on'.
=======================8<========================= ======================
I haven't had a chance to run the setsebool yet (I can't get access to the
machine from work at the moment)

Are there any other bools I should set while I'm at it?

Mark

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 09-24-2012, 01:58 PM
Zdenek Pytela
 
Default Clamd and systemd

Arthur Dent pise:
> I have done nothing, but install and configure clamav (scanner + server)
> and my logs are full of these:
> =======================8<========================= ======================
> LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory:
> Permission denied
> LibClamAV Warning: Bytecode: disabling JIT because SELinux is preventing
> 'execmem'
> access.
> Run 'setsebool -P clamd_use_jit on'.
> =======================8<========================= ======================
> I haven't had a chance to run the setsebool yet (I can't get access to the
> machine from work at the moment)
>
> Are there any other bools I should set while I'm at it?
semanage boolean -l|grep clam
clamscan_read_user_content (off , off) Allow clamscan to read user content
clamscan_can_scan_system (off , off) Allow clamscan to non security files on a system
clamd_use_jit (on , on) Allow clamd to use JIT compiler

but consult your clamd_selinux(8) man page first.

--

--Zdenek Pytela, <pytela@phil.muni.cz>

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 

Thread Tools




All times are GMT. The time now is 06:35 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org