On Fri, 11 Mar 2011 00:28:18 +0100 Jan-Frode Myklebust janfrode@tanso.net wrote:

> On 2011-03-10, Kevin Fenzi kevin@scrye.com wrote:
> > Do you have any thoughts/patches for getting amavisd-new working with the new clamav?
>
> Not sure, I quickly gave up when I hit an selinux denial and saw that this denial wasn't happening with the old packaging. Was hoping we could run our new mailservers on default selinux policy if possible.

Sure, that would be a bug worth fixing I agree.

> First step is probably to add back in the clamd-wrapper (which is part of the current EPEL6 clamav), so that amavisd-new can continue to use its own scanner instance through /usr/share/clamav/clamd-wrapper, /etc/clamd.d/amavisd.conf and /etc/rc.d/init.d/clamd.amavisd. Removing this clamd-wrapper is bound to break existing installations that have followed the recommendations from the old packaging about creating per-service clamd instances (maybe not just for amavisd-new).

Yes, that's something the old package said. In practice I don't know how much security it really provides. ;(

Anyhow, yeah, if we could add the wrapper thing that amavisd-new needs that might be a quick solution.

> Also, security-wise the old packaging said to:
>
>     NEVER use 'clamav' as the user since he can modify the
>     database.
>
> while the new packaging runs as "clam" and has database-files owned by "clam":

What runs as 'clam'? clamd?

Yes, that's true. It does mean the clam user could modify the db files, but the additional security here I don't know is worth it.

If you wish to separate things like that, I would suggest running clamscan instead as whatever user.

> > Also, there is no amavisd-new pushed in epel6 yet, so we could push clamav now, and push the fixed amavisd-new as soon as it's ready, no?
>
> There is a clamav with the previous packaging format in EPEL6. Are you sure changing it won't break existing installations? Nobody expecting the existing clamscan, clamupdate, clamilt users/group to exist?

I tested it here and it worked fine for upgrades, with one exception: the /etc/freshclam.conf.rpmnew file needed to be moved in place before freshclam would work.

> I'm mostly worried that we'll end up with confusing/different clamav and amavisd-new installations on our RHEL5 and RHEL6 servers, plus pushing this big change now will probably delay amavisd-new in EPEL6.. (and I need it now! :-)

Yeah, it's all no fun for sure. ;(

Where I would like to get:

* clamav packaged the new way on 4/5/6
* amavisd-new packaged to use that on 4/5/6

How we get there is up to the maintainers... I know several people were looking at amavisd-new. Perhaps we could get everyone together at an irc meeting and hash out what needs to happen?

kevin
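A check for the database-ownership point discussed in this thread (whether the user a clamd instance runs as, its "User" directive, can modify the signature database it loads), added here as an example; it is not code from the thread, the EPEL clamav package or the clamd-wrapper, and it assumes GNU stat and that /var/lib/clamav is the database directory when the config sets none:

```shell
#!/bin/sh
# Added example (not from the thread or the EPEL packages): report whether the
# user a clamd instance runs as (the "User" directive in its config) can modify
# the signature database that instance loads. The old packaging's note
# "NEVER use 'clamav' as the user" was about keeping that user unable to do so.
#   clamd_db_check /etc/clamd.d/amavisd.conf
# Exit status: 0 = no database file is writable by that user,
#              1 = at least one is, 2 = the config has no User directive.

# Does a single rwx octal digit include the write bit?
has_w() { case $1 in 2|3|6|7) return 0 ;; esac; return 1; }

clamd_db_check() {
    conf=$1
    user=$(awk '$1 == "User" { print $2 }' "$conf")
    dbdir=$(awk '$1 == "DatabaseDirectory" { print $2 }' "$conf")
    [ -n "$user" ] || { echo "$conf: no User directive"; return 2; }
    dbdir=${dbdir:-/var/lib/clamav}      # assumed default when the directive is absent
    rc=0
    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c %U "$f"); group=$(stat -c %G "$f"); mode=$(stat -c %a "$f")
        mode=${mode#"${mode%???}"}       # keep the three rwx digits, drop setuid/setgid/sticky
        od=${mode%??}; gd=${mode#?}; gd=${gd%?}; xd=${mode#??}
        why=""
        if [ "$owner" = "$user" ] && has_w "$od"; then
            why="owned by $user with owner write bit"
        elif has_w "$xd"; then
            why="world-writable"
        elif has_w "$gd" && id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
            why="group $group writable and $user is a member"
        fi
        if [ -n "$why" ]; then
            echo "WRITABLE $f ($why)"; rc=1
        else
            echo "ok       $f ($owner:$group $mode)"
        fi
    done
    return $rc
}
```

Run it once per clamd.d config; a WRITABLE line for the amavisd instance means that instance's runtime user, not only the updater (clamupdate/freshclam), can alter the signatures it scans with.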