[users] clamav/clamd selinux problems

Dag Wieers dag at wieers.com
Fri Jul 20 09:31:06 CEST 2007


On Fri, 20 Jul 2007, Jan-Frode Myklebust wrote:

> On 7/20/07, Dag Wieers <dag at wieers.com> wrote:
> >
> > On Thu, 19 Jul 2007, Jan-Frode Myklebust wrote:
> >
> > > Instead of modifying the selinux policy, I think it would be much better
> > to
> > > fix the clamd (and the RPM) to use /var/lib/clamav as it's
> > DatabaseDirectory
> > > (instead of /var/clamav), and use /var/spool/amavisd/clamd.sock as
> > > LocalSocket (instead of /tmp/clamd.socket). Then the clamd process would
> > be
> > > properly contained by the RHEL5 selinux policy.
> >
> > That is a very sensible solution, yes. The problem however is to migrate
> > clamav users away from the previous setup
> 
> Can't you do a "no change" for upgrades, and new paths for new installs ?
> Already installed clamav's will have had to implement some workaround for
> this anyway, and automatically moving their /var/clamav + socket woun't make
> too much sense.

It may leave unowned directories behind, and the databases are no longer 
there. freshclam also will update the database in another directory than 
the configuration points to.


> Then they'll have the option of manually fixing it by:
> 
>   # /etc/init.d/clamd stop
>   # mv /var/clamav /var/lib/clamav
>   # mkdir /var/spool/amavisd
>   # chown amavis:amavis /var/spool/amavisd
>   # chmod g+w /var/spool/amavisd
>   # restorecon -R /var/lib/clamav /var/spool/amavisd
>   # perl -pi -e 's/^DatabaseDirectory.*/DatabaseDirectory /var/lib/clamav/'
> /etc/clamd.conf
>   # perl -pi -e 's/^Socketsomethin.*/Socketsomething
> /var/spool/amavisd/clamd.sock/' /etc/clamd.conf

No, they are forced to.


> > The more it is being discussed, the sooner I will have something that 
> > I'm confident in.
> 
> The longer you wait,  the more new users will be impacted... And they'll
> likely get frustrated and disable selinux in the process, which is
> bad-bad-bad for something like clamav.

Well, it's less worse than implementing something that we have to change 
once again, impacting the old users twice and the users in between once. 
And having 3 different situations to potentially troubleshoot.

--   dag wieers,  dag at wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]



More information about the users mailing list