/var/log/maillog qmail-scanner error

We were getting this series of errors when running the qmail-scanner test script (/downloads/qmailrocks/qmail-scanner-1.25/contrib/ -doit):

spamd[18368]: spamd: connection from localhost.localdomain [] at port 51721 
spamd[18368]: spamd: setuid to qscand succeeded 
spamd[18368]: spamd: creating default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: config: cannot write to /home/qscand/.spamassassin/user_prefs: Permission denied 
spamd[18368]: spamd: failed to create readable default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: spamd: checking message <> for qscand:509 
spamd[18368]: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/ for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/ for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: bayes: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/ for /home/qscand/.spamassassin/bayes.lock: Permission denied 
spamd[18368]: spamd: clean message (-0.0/5.0) for qscand:509 in 0.0 seconds, 327 bytes. 
spamd[18368]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.0, size=327,user=qscand,uid=509, required_score=5.0,rhost=localhost.localdomain, raddr=, rport=51721,mid=<>, autolearn=failed 
spamd[18366]: prefork: child states: II 
qmail-scanner[21309]: Clear:RC:1( 0.068512 327 <> Qmail-Scanner_test_(1/4):_inoffensive_message <> 1161364984.21311-0.leikata:68 orig-leikata116136498477521309:327 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136498577521320] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

I had to manually create the .spamassassin directory for user spamd:

# cd /home/qscand
# mkdir .spamassassin
# chown qscand:qscand .spamassassin/
# chmod 700 .spamassassin/

This solved the first few errors.

We still got the qmail-scanner error, however:

spamd[21615]: spamd: connection from localhost.localdomain [] at port 52795 
spamd[21615]: spamd: checking message <> for root:510 
spamd[21615]: spamd: clean message (-0.0/5.0) for root:510 in 0.1 seconds, 327 bytes. 
spamd[21615]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.1,size=327,user=root,uid=510, required_score=5.0, rhost=localhost.localdomain, raddr=,rport=52795, mid=<>, autolearn=ham 
spamd[21612]: prefork: child states: II 
qmail-scanner[21727]: Clear:RC:1( 0.105559 327 <> Qmail-Scanner_test_(1/4):_inoffensive_message <> orig-leikata116136648177521727:327 1161366481.21729-0.leikata:68 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136648177521738] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

By turning on debugging in, I determined that this was a permissions issue: qmail-scanner was running clamd as user qscand, but user qscand didn’t have privileges to see the files qmail-scanner wanted it to scan.

Making qmail-scanner run as root by disabling the setuid line in /etc/clamd.conf…

# Run as a selected user (clamd must be started by root).
# Default: disabled
#User qscand

…causes it to work (and the qmail-scanner test script to execute successfully), but we really shouldn’t be doing this.

Instead we need to make qmail-scanner write the files to scan with appropriate permissions.

qmail setup, 2006.10.20

Here’s the path I took to install on fedora core 5 x86_64 running on an Athlon 64.

  • pre-install
    • yum install php-imap
    • yum install php-mysql
    • cpan Digest::SHA1
    • cpan Digest::HMAC
    • cpan Net::DNS
    • cpan Time::HiRes
    • cpan HTML::Tagset
    • cpan HTML::Parser
  • downloaded, compiled, etc. according to the qmailrocks redhat howto with the following exceptions:
    • skipped installing the autoresponder – we don’t want any autoresponder functionality.
    • installed vpopmail WITH mysql integration.
    • mysql integration failed with some compilation errors. It looks like this is a 64-bit compatibility issue – it seems to be trying to link against 32-bit libraries and the ld line is failing. I don’t have time to troubleshoot this now.
    • went back and installed autoresponder because it was required for another install. Sigh.
    • skipped vqadmin because it gave us inscrutable compile errors and wouldn’t install.
  • tested SMTP with no problems
  • Post-install add-ons
    • Clam Antivirus
      • Clam is not installing properly due to dependency conflicts. Upon further investigation, certain perl modules were missing. ran:
        • cpan Time::HiRes — for some reason this did an install when i ran it this time, although earlier it had said it was UTD.
        • cpan The Pod::Usage
        • cpan Parse::Syslog
        • cpan Statistics::Distributions
      • Clam is now not able to install because the qmailrocks RPMs won’t work on the 64-bit processor, so i’m yumming them.
        • yum install perl-suidperl
        • yum install clamav clamav-milter clamav-server clamav-update
      • ClamReadMe
        • [root@leikata etc]# mv /etc/clamd.conf /etc/clamd.d/softpixel.conf
        • [root@leikata etc]# ln -s /etc/clamd.d/softpixel.conf /etc/clamd.conf
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.conf file.
        • [root@leikata template]# mv clamd.logrotate /etc/logrotate.d
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.logrotate
        • [root@leikata clamd.d]# mkdir /var/log/clamav/
        • [root@leikata clamd.d]# touch /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chgrp qscand /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chmod 0620 /var/log/clamav/clamd.softpixel
      • Setting the updater:
        • [root@leikata clamav]# touch /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chmod 775 /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chown qscand:qscand /var/log/clamav/clam-update.log
        • [root@leikata log]# chown qscand:qscand -R /var/lib/clamav
        • [root@leikata log]# /usr/bin/freshclam -l /var/log/clamav/clam-update.log
        • it updated.
    • SpamAssasin
    • Qmail Scanner
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zfailures <— replaced the “sort +2” pipe with “sort -n -r -k 2” – the version of sort included with fedora doesn’t support the “+2” syntax.
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zdeferrals <— replaced the “sort +2” pipe with “sort -n -r -k 2”

After this, we discovered clamd wasn’t starting properly at boot-time. SELinux was bitching:

kernel: audit(1161390036.976:4): avc: denied { search } for pid=2356 comm="clamd.softpixel" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir kernel: audit(1161390036.976:5): avc: denied { search } for pid=2356 comm="clamd.softpixel" name="sys" dev=proc ino=4026531867 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir kernel: audit(1161390037.268:6): avc: denied { append } for pid=2356 comm="clamd.softpixel" name="clamd.softpixel" dev=dm-0 ino=2851961 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file kernel: audit(1161390037.272:7): avc: denied { sys_tty_config } for pid=2356 comm="clamd.softpixel" capability=26 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=capability

Clamd started happily when we disabled SELinux protection for it:

  • in system-config-securitylevel, under SELinux / Modify SELinux Policy, I checked:
    • Other / clamscan_disable_trans
    • SELinux Service Protection / Disable SELinux protection for clamd daemon

Of course, I first tried to create a new policy allowing exactly what clamd was needing (which would be way preferable to disabling SELinux), but I got the following error…

# audit2allow -M local -l -i aud [root@leikata ~]# semodule -i local.pp libsepol.permission_copy_callback: Module local depends on permission search in class file, not satisfied libsemanage.semanage_link_sandbox: Link packages failed semodule: Failed!

… and haven’t been able to figure this out yet.