[users] clamav/clamd selinux problems
Jan-Frode Myklebust
janfrode at tanso.net
Fri Jul 20 09:26:56 CEST 2007
On 7/20/07, Dag Wieers <dag at wieers.com> wrote:
>
> On Thu, 19 Jul 2007, Jan-Frode Myklebust wrote:
>
> > Instead of modifying the selinux policy, I think it would be much better
> > to fix the clamd (and the RPM) to use /var/lib/clamav as its
> > DatabaseDirectory (instead of /var/clamav), and use
> > /var/spool/amavisd/clamd.sock as LocalSocket (instead of /tmp/clamd.socket).
> > Then the clamd process would be properly contained by the RHEL5 selinux
> > policy.
>
> That is a very sensible solution, yes. The problem however is to migrate
> clamav users away from the previous setup
Can't you do a "no change" for upgrades, and new paths for new installs?
Already installed clamavs will have had to implement some workaround for
this anyway, and automatically moving their /var/clamav + socket won't make
too much sense.
Then they'll have the option of manually fixing it by:
# /etc/init.d/clamd stop
# mv /var/clamav /var/lib/clamav
# mkdir /var/spool/amavisd
# chown amavis:amavis /var/spool/amavisd
# chmod g+w /var/spool/amavisd
# restorecon -R /var/lib/clamav /var/spool/amavisd
# perl -pi -e 's|^DatabaseDirectory.*|DatabaseDirectory /var/lib/clamav|' /etc/clamd.conf
# perl -pi -e 's|^LocalSocket.*|LocalSocket /var/spool/amavisd/clamd.sock|' /etc/clamd.conf
And then I assume similar changes will be needed for amavisd...
> The more it is being discussed, the sooner I will have something that I'm
> confident in.
The longer you wait, the more new users will be impacted... And they'll
likely get frustrated and disable selinux in the process, which is
bad-bad-bad for something like clamav.
-jf
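The migration sketched in the message above, written out as an added example (not code from the thread or from the clamav package): a POSIX shell script that rewrites the DatabaseDirectory and LocalSocket directives in a clamd.conf-style file with a backup, and wraps the filesystem steps (stop, mv, mkdir, chown, restorecon) behind a dry-run switch so they can be reviewed before anything is touched. The target paths and the directive names are the ones named in the thread; the sample config, the backup suffix and the DRY_RUN variable are assumptions made here.

```shell
#!/bin/sh
# Added example: move clamd onto SELinux-policy-friendly paths.
# Target paths taken from the mailing-list thread; everything else is assumed.
set -eu

NEW_DBDIR=/var/lib/clamav
NEW_SOCK=/var/spool/amavisd/clamd.sock
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the filesystem commands (assumed default)

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Set KEY to VALUE in CONF, replacing an existing line or appending one.
# '|' is used as the sed delimiter so paths containing '/' need no escaping.
set_directive() {
    conf=$1; key=$2; value=$3
    if grep -q "^$key[[:space:]]" "$conf"; then
        sed "s|^$key[[:space:]].*|$key $value|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the value of the first KEY directive in CONF (empty if absent).
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Rewrite the two directives, keeping a backup copy of the original file.
migrate_conf() {
    conf=$1
    cp -p "$conf" "$conf.pre-selinux"   # backup suffix is an assumption
    set_directive "$conf" DatabaseDirectory "$NEW_DBDIR"
    set_directive "$conf" LocalSocket "$NEW_SOCK"
}

# The filesystem side of the migration, mirroring the thread's manual steps.
migrate_paths() {
    run /etc/init.d/clamd stop
    run mv /var/clamav "$NEW_DBDIR"
    run mkdir -p "$(dirname "$NEW_SOCK")"
    run chown amavis:amavis "$(dirname "$NEW_SOCK")"
    run chmod g+w "$(dirname "$NEW_SOCK")"
    # Relabel so the new locations carry the labels the RHEL5 policy expects.
    run restorecon -R "$NEW_DBDIR" "$(dirname "$NEW_SOCK")"
}

# Constructed sample clamd.conf for trying the rewrite on a scratch file.
make_sample_conf() {
    cat > "$1" <<'EOF'
LogFile /var/log/clamav/clamd.log
DatabaseDirectory /var/clamav
LocalSocket /tmp/clamd.socket
User clamav
EOF
}

# Usage (dry run on a scratch copy):
#   tmp=$(mktemp); make_sample_conf "$tmp"; migrate_conf "$tmp"; migrate_paths
```

Running it with DRY_RUN=1 against a scratch copy shows exactly which directives change and which filesystem commands would follow; only after that review would DRY_RUN=0 and the real /etc/clamd.conf be used, followed by a check that clamd starts without AVC denials in the audit log.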