[users] clamav/clamd selinux problems

Jan-Frode Myklebust janfrode at tanso.net
Fri Jul 20 09:26:56 CEST 2007


On 7/20/07, Dag Wieers <dag at wieers.com> wrote:
>
> On Thu, 19 Jul 2007, Jan-Frode Myklebust wrote:
>
> > Instead of modifying the selinux policy, I think it would be much better to
> > fix the clamd (and the RPM) to use /var/lib/clamav as its DatabaseDirectory
> > (instead of /var/clamav), and use /var/spool/amavisd/clamd.sock as
> > LocalSocket (instead of /tmp/clamd.socket). Then the clamd process would be
> > properly contained by the RHEL5 selinux policy.
>
> That is a very sensible solution, yes. The problem however is to migrate
> clamav users away from the previous setup


Can't you do a "no change" for upgrades, and new paths for new installs?
Already installed clamav's will have had to implement some workaround for
this anyway, and automatically moving their /var/clamav + socket won't make
too much sense.

Then they'll have the option of manually fixing it by:

   # /etc/init.d/clamd stop
   # mv /var/clamav /var/lib/clamav
   # mkdir /var/spool/amavisd
   # chown amavis:amavis /var/spool/amavisd
   # chmod g+w /var/spool/amavisd
   # restorecon -R /var/lib/clamav /var/spool/amavisd
   # perl -pi -e 's|^DatabaseDirectory.*|DatabaseDirectory /var/lib/clamav|' /etc/clamd.conf
   # perl -pi -e 's|^Socketsomethin.*|Socketsomething /var/spool/amavisd/clamd.sock|' /etc/clamd.conf

And then I assume similar changes will be needed for amavisd...


> The more it is being discussed, the sooner I will have something that I'm
> confident in.



The longer you wait, the more new users will be impacted... And they'll
likely get frustrated and disable selinux in the process, which is
bad-bad-bad for something like clamav.


  -jf
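
A check for existing installs, following from the paths discussed in the message above (an added example, not part of the original message or of the RPM): it reads a clamd.conf and reports whether DatabaseDirectory and LocalSocket point at the locations the message proposes. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a clamd.conf for the paths proposed in this thread.
# Function names and the sample file are constructed, not from the RPM.

WANT_DB=/var/lib/clamav
WANT_SOCK=/var/spool/amavisd/clamd.sock

# Print the value of the last uncommented occurrence of directive $2 in file $1.
# Commented-out lines ("#DatabaseDirectory ...") never match because $1 differs.
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Report each directive; the return status is the number that do not match.
audit_clamd_conf() {
    conf=$1 bad=0
    for pair in "DatabaseDirectory=$WANT_DB" "LocalSocket=$WANT_SOCK"; do
        key=${pair%%=*} want=${pair#*=}
        got=$(conf_value "$conf" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "CHECK $key is '${got:-unset}', thread suggests $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: the legacy layout described in the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample clamd.conf
#DatabaseDirectory /var/lib/clamav
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
EOF
audit_clamd_conf "$sample" || echo "$? directive(s) need attention"
```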