Posts relating to the softpixel computer club.
clam readme

Posted by bbinkovitz on 2006.10.21 @ 08:27

Filed under:

To create individual clamd-instance take the following files and
modify/copy them in the suggested way:

clamd.conf:
  * set LogFile, PidFile, LocalSocket and User to suitable values
  * place this file into /etc/clamd.d with an unique service-name;
    e.g. as /etc/clamd.d/<SERVICE>.conf

  To make logfile rotation work properly, the LogFile should be
  writable for the assigned User. Recommended way to reach this, is
  to:
  * make it owned by the User's *group*
  * assign at least 0620 (u+rw,g+w) permissions

  A suitable command might be
  | # touch <logfile>
  | # chgrp <user> <logfile>
  | # chmod 0620   <logfile>

  NEVER use 'clamav' as the user since he can modify the database.
  This is the user who is running the application; e.g. for mimedefang
  (http://www.roaringpenguin.com/mimedefang), the user might be
  'defang'.Theoretically, distinct users could be used, but it must be
  made sure that the application-user can write into the socket-file,
  and that the clamd-user can access the files asked by the
  application to be checked.


clamd.logrotate:
  * set the correct value for the logfile
  * place it into /etc/logrotate.d

clamd.sysconfig:
  * set the name of the config-file and the local socket
  * copy it to /etc/sysconfig/clamd.<SERVICE>

clamd.init:
  * set the service-name
  * place it into /etc/init.d/ with an unique name and activate it
    (e.g. with /sbin/chkconfig clamd.<SERVICE> on)

Additionally, a symlink must be set to clamd in a way like
  | # ln -s clamd /usr/sbin/clamd.<SERVICE>
and the directory for the socket file must be created (see 'LocalSocket'
in clamd.conf)
  | # mkdir -p /var/run/clamd.<SERVICE>


This directory must be writable by the 'User' chosen in the config-file.



[Disclaimer:
 this file and the script/configfiles are not part of the official
 clamav package.

 Please send complaints and comments to
 mailto:enrico.scholz@informatik.tu-chemnitz.de!]
/var/log/maillog qmail-scanner error

Posted by bbinkovitz on 2006.10.21 @ 08:22

Filed under:

We were getting this series of errors when running the qmail-scanner test script (/downloads/qmailrocks/qmail-scanner-1.25/contrib/test_installation.sh -doit):

spamd[18368]: spamd: connection from localhost.localdomain [127.0.0.1] at port 51721 
spamd[18368]: spamd: setuid to qscand succeeded 
spamd[18368]: spamd: creating default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: config: cannot write to /home/qscand/.spamassassin/user_prefs: Permission denied 
spamd[18368]: spamd: failed to create readable default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: spamd: checking message <20061020172304.21308.qmail@leikata.softpixel.com> for qscand:509 
spamd[18368]: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: bayes: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/bayes.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/bayes.lock: Permission denied 
spamd[18368]: spamd: clean message (-0.0/5.0) for qscand:509 in 0.0 seconds, 327 bytes. 
spamd[18368]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.0, size=327,user=qscand,uid=509, required_score=5.0,rhost=localhost.localdomain, raddr=127.0.0.1, rport=51721,mid=< 20061020172304.21308.qmail@leikata.softpixel.com>, autolearn=failed 
spamd[18366]: prefork: child states: II 
qmail-scanner[21309]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.068512 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message <20061020172304.21308.qmail@leikata.softpixel.com> 1161364984.21311-0.leikata:68 orig-leikata116136498477521309:327 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136498577521320] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

I had to manually create the .spamassassin directory for user spamd:

# cd /home/qscand
# mkdir .spamassassin
# chown qscand:qscand .spamassassin/
# chmod 700 .spamassassin/

This solved the first few errors.

We still got the qmail-scanner error, however:

spamd[21615]: spamd: connection from localhost.localdomain [127.0.0.1] at port 52795 
spamd[21615]: spamd: checking message <20061020174801.21726.qmail@leikata.softpixel.com> for root:510 
spamd[21615]: spamd: clean message (-0.0/5.0) for root:510 in 0.1 seconds, 327 bytes. 
spamd[21615]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.1,size=327,user=root,uid=510, required_score=5.0, rhost=localhost.localdomain, raddr=127.0.0.1,rport=52795, mid=< 20061020174801.21726.qmail@leikata.softpixel.com>, autolearn=ham 
spamd[21612]: prefork: child states: II 
qmail-scanner[21727]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.105559 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message < 20061020174801.21726.qmail@leikata.softpixel.com> orig-leikata116136648177521727:327 1161366481.21729-0.leikata:68 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136648177521738] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

By turning on debugging in qmail-scanner.pl, I determined that this was a permissions issue: qmail-scanner was running clamd as user qscand, but user qscand didn’t have privileges to see the files qmail-scanner wanted it to scan.

Making qmail-scanner run as root by disabling the setuid line in /etc/clamd.conf…

# Run as a selected user (clamd must be started by root).
# Default: disabled
#User qscand

…causes it to work (and the qmail-scanner test script to execute successfully), but we really shouldn’t be doing this.

Instead we need to make qmail-scanner write the files to scan with appropriate permissions.

qmail setup, 2006.10.20

Posted by bbinkovitz on 2006.10.21 @ 08:06

Filed under:

Here’s the path I took to install http://www.qmailrocks.org/ on fedora core 5 x86_64 running on an Athlon 64.

  • pre-install
    • yum install php-imap
    • yum install php-mysql
    • cpan Digest::SHA1
    • cpan Digest::HMAC
    • cpan Net::DNS
    • cpan Time::HiRes
    • cpan HTML::Tagset
    • cpan HTML::Parser
  • downloaded, compiled, etc. according to the qmailrocks redhat howto with the following exceptions:
    • skipped installing the autoresponder — we don’t want any autoresponder functionality.
    • installed vpopmail WITH mysql integration.
    • mysql integration failed with some compilation errors. It looks like this is a 64-bit compatibility issue — it seems to be trying to link against 32-bit libraries and the ld line is failing. I don’t have time to troubleshoot this now.
    • went back and installed autoresponder because it was required for another install. Sigh.
    • skipped vqadmin because it gave us inscrutable compile errors and wouldn’t install.
  • tested SMTP with no problems
  • Post-install add-ons
    • Clam Antivirus
      • Clam is not installing properly due to dependency conflicts. Upon further investigation, certain perl modules were missing. ran:
        • cpan Time::HiRes – for some reason this did an install when i ran it this time, although earlier it had said it was UTD.
        • cpan The Pod::Usage
        • cpan Parse::Syslog
        • cpan Statistics::Distributions
      • Clam is now not able to install because the qmailrocks RPMs won’t work on the 64-bit processor, so i’m yumming them.
        • yum install perl-suidperl
        • yum install clamav clamav-milter clamav-server clamav-update
      • ClamReadMe
        • [root@leikata etc]# mv /etc/clamd.conf /etc/clamd.d/softpixel.conf
        • [root@leikata etc]# ln -s /etc/clamd.d/softpixel.conf /etc/clamd.conf
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.conf file.
        • [root@leikata template]# mv clamd.logrotate /etc/logrotate.d
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.logrotate
        • [root@leikata clamd.d]# mkdir /var/log/clamav/
        • [root@leikata clamd.d]# touch /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chgrp qscand /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chmod 0620 /var/log/clamav/clamd.softpixel
      • Setting the updater:
        • [root@leikata clamav]# touch /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chmod 775 /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chown qscand:qscand /var/log/clamav/clam-update.log
        • [root@leikata log]# chown qscand:qscand -R /var/lib/clamav
        • [root@leikata log]# /usr/bin/freshclam -l /var/log/clamav/clam-update.log
        • it updated.
    • SpamAssasin
    • Qmail Scanner
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zfailures <– replaced the “sort +2” pipe with “sort -n -r -k 2” — the version of sort included with fedora doesn’t support the “+2” syntax.
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zdeferrals <– replaced the “sort +2” pipe with “sort -n -r -k 2”

After this, we discovered clamd wasn’t starting properly at boot-time. SELinux was bitching:

kernel: audit(1161390036.976:4): avc: denied { search } for pid=2356 comm="clamd.softpixel" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir kernel: audit(1161390036.976:5): avc: denied { search } for pid=2356 comm="clamd.softpixel" name="sys" dev=proc ino=4026531867 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir kernel: audit(1161390037.268:6): avc: denied { append } for pid=2356 comm="clamd.softpixel" name="clamd.softpixel" dev=dm-0 ino=2851961 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file kernel: audit(1161390037.272:7): avc: denied { sys_tty_config } for pid=2356 comm="clamd.softpixel" capability=26 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=capability

Clamd started happily when we disabled SELinux protection for it:

  • in system-config-securitylevel, under SELinux / Modify SELinux Policy, I checked:
    • Other / clamscan_disable_trans
    • SELinux Service Protection / Disable SELinux protection for clamd daemon

Of course, I first tried to create a new policy allowing exactly what clamd was needing (which would be way preferable to disabling SELinux), but I got the following error…

# audit2allow -M local -l -i aud [root@leikata ~]# semodule -i local.pp libsepol.permission_copy_callback: Module local depends on permission search in class file, not satisfied libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed!

… and haven’t been able to figure this out yet.