On 2011-03-10, Kevin Fenzi kevin@scrye.com wrote:
Do you have any thoughts/patches for getting amavisd-new working with the new clamav?
Not sure, I quickly gave up when I hit an SELinux denial and saw that this denial wasn't happening with the old packaging. Was hoping we could run our new mailservers on default SELinux policy if possible.
First step is probably to add back in the clamd-wrapper (which is part of the current EPEL6 clamav), so that amavisd-new can continue to use its own scanner instance through /usr/share/clamav/clamd-wrapper, /etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd. Removing this clamd-wrapper is bound to break existing installations that have followed the recommendations from the old packaging about creating per-service clamd-instances (maybe not just for amavisd-new).
Also, security-wise the old packaging said to:
NEVER use 'clamav' as the user since he can modify the database.
while the new packaging runs as "clam" and has database-files owned by "clam":
[janfrode@asav.lab:~]$ ps -ef|grep clam
clam     20082     1  0 00:00 ?        00:00:00 clamd
[janfrode@asav.lab:~]$ ls -al /var/lib/clamav/
totalt 30560
drwxr-xr-x.  2 clam clam     4096 2011-03-10 04:29 .
drwxr-xr-x. 28 root root     4096 2011-03-03 14:38 ..
-rw-r--r--.  1 clam clam   460288 2011-03-09 03:07 bytecode.cld
-rw-r--r--.  1 clam clam  4588544 2011-03-10 04:29 daily.cld
-rw-r--r--.  1 clam clam 26224310 2011-02-24 00:39 main.cvd
-rw-------.  1 498  397       416 2011-03-05 12:20 mirrors.dat
[janfrode@asav.lab:~]$ rpm -q clamd
clamd-0.97-3.el6.x86_64
Also, there is no amavisd-new pushed in epel6 yet, so we could push clamav now, and push the fixed amavisd-new as soon as it's ready, no?
There is a clamav with the previous packaging format in EPEL6. Are you sure changing it won't break existing installations? Nobody expecting the existing clamscan, clamupdate, clamilt users/group to exist?
I'm mostly worried that we'll end up with confusing/different clamav and amavisd-new installations on our RHEL5 and RHEL6 servers, plus pushing this big change now will probably delay amavisd-new in EPEL6.. (and I need it now! :-)
-jf
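
The privilege-separation point raised in the message above (the scanning daemon should not be able to modify the signature database) can be checked mechanically. The following is an added example, not part of the original post or of the clamav packaging; the function names are hypothetical, and it assumes a Linux host with procps `ps` and a database directory of /var/lib/clamav.

```shell
#!/bin/sh
# Added example: list database entries that a given account could modify.
# Usage: clamdb_writable_by DIR USER   (USER may be a name or a numeric uid)
clamdb_writable_by() {
    db_dir=$1
    db_user=$2
    {
        # Owned by the account (an owner can always chmod and rewrite the
        # file, and an owned directory allows replacing files), or
        # world-writable. Symlinks are skipped: their mode bits are meaningless.
        find "$db_dir" ! -type l \( -user "$db_user" -o -perm -0002 \) -print
        # Group-writable by any group the account belongs to.
        for gid in $(id -G "$db_user" 2>/dev/null); do
            find "$db_dir" ! -type l -group "$gid" -perm -0020 -print
        done
    } | sort -u
}

# Check every running clamd instance against the database directory.
# Returns 0 if no instance can modify the database, 1 otherwise.
check_clamd() {
    scan_dir=${1:-/var/lib/clamav}
    rc=0
    # Numeric uids avoid the username truncation some ps versions apply.
    for uid in $(ps -C clamd -o uid= | sort -u); do
        hits=$(clamdb_writable_by "$scan_dir" "$uid")
        if [ -n "$hits" ]; then
            printf 'clamd running as uid %s can modify:\n%s\n' "$uid" "$hits"
            rc=1
        fi
    done
    return $rc
}
```

On the listing shown in the message, `check_clamd` would report the directory and the three database files, since all are owned by the account clamd runs as.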