Bug 514968

Summary: Clamav-milter busted in fedora 11
Product: [Fedora] Fedora Reporter: Michael Breuer <mbreuer>
Component: clamavAssignee: Enrico Scholz <rh-bugzilla>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: low    
Version: 11CC: nb, redhat-bugzilla, rh-bugzilla, steve
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 495502 Environment:
Last Closed: 2009-07-31 18:42:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Breuer 2009-07-31 17:24:09 UTC 
Description of problem:

Fresh install - multiple errors that appear identical to https://bugzilla.redhat.com/show_bug.cgi?id=495502 - filed against RHEL.

Basically, Clamav + clamav-milter + sendmail doesn't work.

Issues include:

Configuration files mismatch (i.e., .sock vs. .socket),

Permissions hosed  - i.e., clamd scanner can't connect properly to the milter... fixing that selinux complains. Fixing that, sendmail can't communicate properly with the milter... many errors (again, pretty much what is documented against RHEL in the above link.

Version-Release number of selected component (if applicable):
95-1.2

How reproducible:

Totally - just do a clean fedora 11 install including sendmail and clamav + milter. It doesn't work. (I did have this working on Fedora 11 and did try copying config files over... no go).

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Enrico Scholz 2009-07-31 18:42:12 UTC 
Thanks for pointing out the inconsistency in README.fedora about 'clamav.sock' vs. 'clamav-milter.sock'.

Regarding SELinux issues you might try to file a bug against selinux-policy with more details.

I can not reproduce the issues in #495502 in Fedora 11.

Else, I highly suggest a setup which communicates over TCP sockets.
Comment 2 Enrico Scholz 2009-08-01 09:52:06 UTC 
fwiw, I added some comments to README.fedora explaining a sample setup

http://cvs.fedora.redhat.com/viewvc/rpms/clamav/devel/README.fedora?root=extras&r1=1.3&r2=1.4
Comment 3 Michael Breuer 2009-08-01 13:44:02 UTC 
Ok, but I think perhaps suggesting ".sock" would be more consistent with everything else.

I also added:

   allow sendmail_t device_t:file {read write }; 
   allow sendmail_t devpts_1:chr_file write;
    
to my selinux policy based on the AVC denials that seem to be related to clamav-milter.

I haven't yet retested everything but will later today.
Comment 4 Michael Breuer 2009-08-08 05:41:03 UTC 
Ok - I've gotten past AVC errors, but cannot get this (or any other milter) working with unix domain sockets.

This worked in F10, doesn't in F11. 

The failure seems to be directory permissions as checked by the safefile call in sendmail. It's got to be the directory as I get the same error whether the .sock file is present or not.

I've tried just about everything except running sendmail in debug (next step I guess).

As of now, I've been working with both clamav and mimedefang. I tried forcing both to the smmsp user, changing directory ownership for the milter socket parents to smmsp:smmsp; and smmsp:mail with just about every permutation of permissions possible.

No matter the log level, I get only the one relevant message: 

sendmail[20025]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 1782: Xmimedefang: local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe: Permission denied

I get the corresponding messages from clamav (and also spamass-milter).

I'm going to open a ticket against sendmail.
Comment 5 Enrico Scholz 2009-08-08 07:36:17 UTC 
Again: I highly suggest a setup which communicates over TCP sockets.