Bug 1287795 - 0.99 breaks milter
Summary: 0.99 breaks milter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Nick Bebout
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-02 16:58 UTC by Harald Reindl
Modified: 2016-01-28 19:25 UTC

Fixed In Version: clamav-0.99-2.fc22 clamav-0.99-2.fc23 clamav-0.99-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-13 09:51:35 UTC



Description Harald Reindl 2015-12-02 16:58:27 UTC
why in the world?

untouched configuration from Fedora 21 to Fedora 23 until now

Dec  2 17:49:41 testserver clamav-milter: ClamAV: Unable to stat() /run/clamav-milter/clamav-milter.socket: Permission denied
Dec  2 17:49:41 testserver clamav-milter: ClamAV: Unable to create listening socket on conn /run/clamav-milter/clamav-milter.socket
Dec  2 17:49:41 testserver clamav-milter: ERROR: Failed to create socket /run/clamav-milter/clamav-milter.socket
______________________________________________________

[root@testserver:~]$ stat /run/clamav-milter/
  File: '/run/clamav-milter/'
  Size: 40              Blocks: 0          IO Block: 4096   directory
Device: 13h/19d Inode: 1555        Links: 2
Access: (0710/drwx--x---)  Uid: (  109/ clamilt)   Gid: (  106/ clamilt)
Access: 2015-12-02 17:56:42.964288524 +0100
Modify: 2015-12-02 17:49:10.073955319 +0100
Change: 2015-12-02 17:49:10.073955319 +0100
 Birth: -
______________________________________________________

[root@testserver:~]$ cat /etc/systemd/system/clamav-milter.service
[Unit]
Description=ClamAV Postfix-Milter
Wants=clamd.service
After=clamd.service
Before=postfix.service

[Service]
Type=simple
Environment="TMPDIR=/tmp"
ExecStart=/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
Nice=5

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_IPX AF_NETLINK AF_PACKET AF_X25
SystemCallArchitectures=x86-64

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
InaccessibleDirectories=-/var/lib/spamass-milter/training

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/usr/lib64/dbus-1
InaccessibleDirectories=-/usr/lib64/xtables
InaccessibleDirectories=-/usr/lib/dracut
InaccessibleDirectories=-/usr/libexec/iptables
InaccessibleDirectories=-/usr/libexec/openssh
InaccessibleDirectories=-/usr/libexec/postfix
InaccessibleDirectories=-/usr/lib/grub
InaccessibleDirectories=-/usr/lib/kernel
InaccessibleDirectories=-/usr/lib/modprobe.d
InaccessibleDirectories=-/usr/lib/modules
InaccessibleDirectories=-/usr/lib/modules-load.d
InaccessibleDirectories=-/usr/lib/rpm
InaccessibleDirectories=-/usr/lib/sysctl.d
InaccessibleDirectories=-/usr/lib/udev
InaccessibleDirectories=-/usr/local/scripts
InaccessibleDirectories=-/var/db
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target
______________________________________________________

[root@testserver:~]$ cat /etc/mail/clamav-milter.conf
# Postfix milter configuration
# Pre-queue virus scanner
#
# Postfix must be a member of the "clamilt" user group
# usermod -a -G clamilt postfix
# usermod -a -G sa-milt postfix

User clamilt
AllowSupplementaryGroups yes

MilterSocket /run/clamav-milter/clamav-milter.socket
MilterSocketMode 0660
ClamdSocket unix:/run/clamd/clamd.sock
FixStaleSocket yes

ReadTimeout 120
Foreground yes
TemporaryDirectory /tmp
LocalNet 127.0.0.1
MaxFileSize 35M

OnClean Accept
OnFail Defer
OnInfected Reject
RejectMsg Virus found: "%v"
AddHeader Replace

LogFile /var/log/clamav-milter.log
LogFileUnlock yes
LogFileMaxSize 128M
LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose no
LogRotate yes
LogInfected Off
LogClean Off
SupportMultipleRecipients yes

Whitelist /etc/mail/clamav-milter-whitelist.conf

Comment 1 Robert Scheck 2015-12-02 19:38:25 UTC
Are you sure that it is definitely working with 0.98.7? Because neither the
changelog nor the release notes of 0.99 mention any milter-related changes.
Could you please try a downgrade to see if it works again with 0.98.7?

Comment 2 Harald Reindl 2015-12-02 19:47:15 UTC
100% sure

The milter service stopped directly after the update; also after a reboot it crashed with the permission errors, and since the downgrade all is running as before


Dec 02 18:08:08 INFO Downgraded: clamav-lib-0.98.7-3.fc23.x86_64
Dec 02 18:08:08 INFO Downgraded: clamav-filesystem-0.98.7-3.fc23.noarch
Dec 02 18:08:08 INFO Downgraded: clamav-server-0.98.7-3.fc23.x86_64
Dec 02 18:08:08 INFO Downgraded: clamav-server-systemd-0.98.7-3.fc23.noarch
Dec 02 18:08:08 INFO Downgraded: clamav-scanner-0.98.7-3.fc23.noarch
Dec 02 18:08:08 INFO Downgraded: clamav-scanner-systemd-0.98.7-3.fc23.noarch
Dec 02 18:08:08 INFO Downgraded: clamav-milter-systemd-0.98.7-3.fc23.noarch
Dec 02 18:08:08 INFO Downgraded: clamav-milter-0.98.7-3.fc23.x86_64
Dec 02 18:08:08 INFO Downgraded: clamav-update-0.98.7-3.fc23.x86_64
Dec 02 18:08:08 INFO Erased: clamav-scanner-systemd-0.99-1.fc23.noarch
Dec 02 18:08:08 INFO Erased: clamav-scanner-0.99-1.fc23.noarch
Dec 02 18:08:08 INFO Erased: clamav-update-0.99-1.fc23.x86_64
Dec 02 18:08:08 INFO Erased: clamav-server-systemd-0.99-1.fc23.noarch
Dec 02 18:08:08 INFO Erased: clamav-server-0.99-1.fc23.x86_64
Dec 02 18:08:08 INFO Erased: clamav-milter-systemd-0.99-1.fc23.noarch
Dec 02 18:08:08 INFO Erased: clamav-milter-0.99-1.fc23.x86_64
Dec 02 18:08:08 INFO Erased: clamav-filesystem-0.99-1.fc23.noarch
Dec 02 18:08:08 INFO Erased: clamav-lib-0.99-1.fc23.x86_64

[root@testserver:~]$ systemctl status clamav-milter.service
● clamav-milter.service - ClamAV Postfix-Milter
   Loaded: loaded (/etc/systemd/system/clamav-milter.service; enabled; vendor preset: disabled)
   Active: active (running) since Mi 2015-12-02 19:44:13 CET; 1h 1min ago
 Main PID: 1391 (clamav-milter)
   CGroup: /system.slice/clamav-milter.service
           └─1391 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes

Dez 02 19:44:13 testserver.rhsoft.net systemd[1]: Started ClamAV Postfix-Milter.
Dez 02 19:44:13 testserver.rhsoft.net systemd[1]: Starting ClamAV Postfix-Milter...
Dez 02 19:44:13 testserver.rhsoft.net clamav-milter[1391]: +++ Started at Wed Dec  2 19:44:13 2015

Comment 3 Jan ONDREJ 2015-12-03 07:30:10 UTC
Is it possible that this change caused this?

commit daca419a0ae02d5503d0adf97b9e711a7d5623f8
Author: Robert Scheck <robert@fedoraproject.org>
Date:   Tue Jun 30 02:46:50 2015 +0200

    Move /etc/tmpfiles.d/ to /usr/lib/tmpfiles.d/ (#1126595)

Comment 4 Harald Reindl 2015-12-03 08:01:15 UTC
No, tmpfiles is only relevant during boot to recreate the folders, but the daemon failed straight after the update and automatic restart - I have posted the folder permissions and they are identical on our production server running 0.98 on F22

There is no reason for the daemon to claim it has no permissions

Maybe there is something wrong with dropping privileges and they are dropped to nobody instead of the user in the configuration?

Comment 5 Robert Scheck 2015-12-06 14:11:28 UTC
Have you been able to exclude that this is a SELinux policy issue? Does it
change anything if you run it with "setenforce 0"? By the way, could you also
try to use the originally shipped systemd units rather than your own ones (at
least for testing)?

Comment 6 Harald Reindl 2015-12-06 14:31:38 UTC
SELinux is *not* enabled on any of my machines

It's "CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_CHROOT", but I am unable to figure out *what* it needs and why the hell it does now

Tried adding "CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN"

Dec  6 15:28:26 testserver clamav-milter: ERROR: Failed to change socket ownership to user clamilt
testserver systemd: clamav-milter.service: Failed with result 'exit-code'
_________________________

Frankly, why can't that damned service just support getting started like spamass-milter, directly with User/Group and without any capabilities, like below


User=sa-milt
Group=sa-milt
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL

Comment 7 Robert Scheck 2015-12-06 14:35:55 UTC
The error sounds like you need CAP_CHOWN - given this has been tracked down
to a custom CapabilityBoundingSet, this is anyway not really a packaging bug.

Comment 8 Harald Reindl 2015-12-06 14:42:33 UTC
"CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE" works - looks like some monkey upstream borked the ordering of operations when creating the socket with the correct permissions, otherwise "CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE" would not be needed now when it's not needed with exactly the same permissions below /run with the downgraded version

Honestly, there is no excuse for requiring CAP_DAC_OVERRIDE for a daemon which only needs to talk with another daemon over a socket, nor should it need to get started as root and drop privileges later

If the milter service supported getting started with the low-privileged user/group and created the socket with the correct flags, it would not even need to chown/chmod

Comment 9 Harald Reindl 2015-12-06 14:45:38 UTC
"given this has been tracked down to a custom CapabilityBoundingSet, this is anyway not really a packaging bug" - well, in a perfect world the Fedora systemd units would use more secure defaults in general

At least these 4 directives should be part of nearly any service

PrivateTmp=yes
PrivateDevices=yes
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr

Comment 10 Harald Reindl 2015-12-06 15:03:38 UTC
IT IS BORKED EVEN WITHOUT THE CAPABILITIES

The group of the socket is "root" instead of "clamilt", and as a result Postfix can't connect to the milter - upstream made some bugs in the socket code, and "this is anyway not really a packaging bug" does not matter - the update of the software has regressions and so it's not suitable for a stable release until they get fixed

Dec  6 15:57:42 testserver postfix/submission/smtpd[15848]: connect from unknown[192.168.196.2]
Dec  6 15:57:42 testserver postfix/submission/smtpd[15848]: warning: connect to Milter service unix:/run/clamav-milter/clamav-milter.socket: Permission denied
Dec  6 15:57:42 testserver postfix/submission/smtpd[15848]: NOQUEUE: milter-reject: CONNECT from unknown[192.168.196.2]: 451 4.7.1 Service unavailable - try again later; proto=SMTP

[root@testserver:~]$ stat /run/clamav-milter/clamav-milter.socket
  File: '/run/clamav-milter/clamav-milter.socket'
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 13h/19d Inode: 253755      Links: 1
Access: (0660/srw-rw----)  Uid: (  109/ clamilt)   Gid: (    0/    root)
Access: 2015-12-06 15:59:38.861766729 +0100
Modify: 2015-12-06 15:59:38.861766729 +0100
Change: 2015-12-06 15:59:38.861766729 +0100
 Birth: -

[root@mail-gw:~]$ stat /run/clamav-milter/clamav-milter.socket
  File: '/run/clamav-milter/clamav-milter.socket'
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 13h/19d Inode: 60599504    Links: 1
Access: (0660/srw-rw----)  Uid: (  190/ clamilt)   Gid: (  189/ clamilt)
Access: 2015-12-06 16:00:44.843856572 +0100
Modify: 2015-12-06 15:53:07.956492942 +0100
Change: 2015-12-06 15:53:07.956492942 +0100
 Birth: -

Comment 11 Robert Scheck 2015-12-06 15:08:10 UTC
Harald, may I kindly ask you first to stop this rude behaviour on this report
immediately before we continue? Calling e.g. upstream people "monkeys" shows,
from my point of view, that you don't honor their work at all.

Comment 12 Harald Reindl 2015-12-06 15:15:24 UTC
I honor the work, honestly

What I do not honor is a regression in a trivial part like creating a socket, while the whole purpose of /run/clamav-milter/ owned by "clamilt" is that the whole socket creation happens *after* dropping privileges, which would automatically lead to ownership "clamilt:clamilt"; likewise, the file-creation mode should be 0660 from the start instead of chowning it later

Doing that correctly would even allow "User=clamilt" and "Group=clamilt" in the systemd unit; the daemon would only need to skip the complete drop-privileges/chmod/chown if it notices that it's not running as root from the beginning
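The ordering argued for in this comment, as an added illustration that is not code from ClamAV or the Fedora package: drop privileges first (or skip the drop when systemd already started the process as the service user), then let the umask give the socket its mode at bind() time, so no chown/chmod as root is ever needed. The function names drop_privileges, create_milter_socket and verify_socket_perms and the socket path under /tmp are assumptions of this example.

```c
/* Added illustration (not ClamAV or Fedora code): create the milter's Unix
 * socket only AFTER dropping privileges, so owner, group and mode come from
 * the unprivileged identity and the umask, never from a later chown/chmod.
 * Names drop_privileges/create_milter_socket/verify_socket_perms are assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Switch to user:group if we are root; a no-op when already unprivileged
 * (the "skip the drop when not started as root" case from the comment).
 * Returns 0 on success, -1 on failure. */
static int drop_privileges(const char *user, const char *group)
{
    if (geteuid() != 0)
        return 0;                       /* started as the service user already */
    struct passwd *pw = getpwnam(user);
    struct group  *gr = getgrnam(group);
    if (!pw || !gr)
        return -1;
    /* Order matters: supplementary groups, then gid, then uid last, because
     * after setuid() to a non-root uid the group calls would fail. */
    if (initgroups(user, gr->gr_gid) != 0) return -1;
    if (setgid(gr->gr_gid) != 0)           return -1;
    if (setuid(pw->pw_uid) != 0)           return -1;
    /* The drop must be irreversible: regaining root must now fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Bind a listening Unix socket at `path` whose permission bits equal `mode`
 * (e.g. 0660, the MilterSocketMode from the report). bind() creates the socket
 * inode as 0777 & ~umask, so setting the umask first yields the wanted bits
 * directly. Returns the listening fd, or -1 with errno set. */
int create_milter_socket(const char *path, mode_t mode,
                         const char *user, const char *group)
{
    struct sockaddr_un sa;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    if (drop_privileges(user, group) != 0)  return -1;

    mode_t old_umask = umask(0777 & ~mode);  /* 0660 -> umask 0117 */
    unlink(path);                            /* same effect as FixStaleSocket yes */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) { umask(old_umask); return -1; }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        umask(old_umask);
        errno = saved;
        return -1;
    }
    umask(old_umask);
    return fd;
}

/* The post-condition the report checks by hand with stat(1): the path is a
 * socket, owned by the identity we now run as, with exactly `mode` bits.
 * Returns 1 when all of that holds, 0 otherwise. */
int verify_socket_perms(const char *path, mode_t mode)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISSOCK(st.st_mode))
        return 0;
    if (st.st_uid != geteuid() || st.st_gid != getegid())
        return 0;
    return (st.st_mode & 07777) == mode;
}

int main(void)
{
    const char *path = "/tmp/clamav-milter-example.sock";   /* constructed path */
    int fd = create_milter_socket(path, 0660, "clamilt", "clamilt");
    if (fd < 0) { perror("create_milter_socket"); return 1; }
    printf("%s: %s\n", path,
           verify_socket_perms(path, 0660) ? "0660, owned by us: ok" : "WRONG perms");
    close(fd); unlink(path);
    return 0;
}
```

Run as root it drops to clamilt:clamilt before binding; run as an unprivileged user (systemd User=/Group=) it binds straight away, and in both cases the stat shows the service group, not root.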

Comment 13 Robert Scheck 2015-12-06 15:55:21 UTC
https://bugzilla.clamav.net/show_bug.cgi?id=10731 is likely the cause for
the current situation.

Comment 14 Harald Reindl 2015-12-06 16:00:19 UTC
But that (forget capabilities for now) doesn't explain why "MilterSocketMode 0660" in "/etc/mail/clamav-milter.conf" results in the following, which makes the whole 0660 meaningless unless somebody is crazy enough to run his MTA as root :-)

[root@testserver:~]$ stat /run/clamav-milter/clamav-milter.socket
  File: '/run/clamav-milter/clamav-milter.socket'
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 13h/19d Inode: 253755      Links: 1
Access: (0660/srw-rw----)  Uid: (  109/ clamilt)   Gid: (    0/    root)
Access: 2015-12-06 15:59:38.861766729 +0100
Modify: 2015-12-06 15:59:38.861766729 +0100
Change: 2015-12-06 15:59:38.861766729 +0100
 Birth: -

Comment 15 Harald Reindl 2015-12-06 16:16:30 UTC
Interesting - when you change the systemd unit to start it directly as "clamilt", the socket permissions are correct and you don't need any capabilities - which shows how much of a bug "Unable to stat() /run/clamav-milter/clamav-milter.socket" is when it is in fact started as root

May I propose the following systemd unit?

That solves all problems at once, avoids touching anything as root and restricts the milter as much as possible; it has no business writing below /var/lib because it's only the glue between MTA and ClamAV, and /usr as well as /etc should be read-only in general
_______________________________________________________

[Unit]
Description = Milter module for the Clam Antivirus scanner
After = syslog.target nss-lookup.target network.target
Before = sendmail.service
Before = postfix.service

[Service]
Type = simple
ExecStart = /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf --nofork=yes
Restart = on-failure

User=clamilt
Group=clamilt

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib

[Install]
WantedBy = multi-user.target
_______________________________________________________

Dec  6 17:12:52 testserver clamav-milter[17180]: +++ Started at Sun Dec  6 17:12:52 2015
Dec  6 17:13:11 testserver postfix/submission/smtpd[17188]: connect from unknown[192.168.196.2]
Dec  6 17:13:11 testserver postfix/submission/smtpd[17188]: Anonymous TLS connection established from unknown[192.168.196.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Dec  6 17:13:11 testserver postfix/submission/smtpd[17188]: 3pDCVb5GkYz295Z: client=unknown[192.168.196.2], sasl_method=CRAM-MD5, sasl_username=test@testserver.rhsoft.net
Dec  6 17:13:11 testserver postfix/cleanup[17194]: 3pDCVb5GkYz295Z: info: header Subject: Test from unknown[192.168.196.2]; from=<test@testserver.rhsoft.net> to=<rhsoft@test.rh> proto=ESMTP helo=<srv-rhsoft.rhsoft.net>
Dec  6 17:13:11 testserver postfix/cleanup[17194]: 3pDCVb5GkYz295Z: message-id=<56645E97.8040201@testserver.rhsoft.net>
Dec  6 17:13:11 testserver spamd[1296]: spamd: got connection over /run/spamassassin/spamassassin.sock
Dec  6 17:13:11 testserver spamd[1296]: spamd: processing message <56645E97.8040201@testserver.rhsoft.net> for sa-milt:189
Dec  6 17:13:13 testserver spamd[1296]: pyzor: check failed: internal error, python traceback seen in response
Dec  6 17:13:13 testserver spamd[1296]: spamd: clean message (0.6/5.5) for sa-milt:189 in 1.5 seconds, 1368 bytes.
Dec  6 17:13:13 testserver spamd[1296]: spamd: result: . 0 - ALL_TRUSTED,BAYES_50,TVD_SPACE_RATIO scantime=1.5,size=1368,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<56645E97.8040201@testserver.rhsoft.net>,bayes=0.499785,autolearn=disabled
Dec  6 17:13:13 testserver postfix/cleanup[17194]: 3pDCVb5GkYz295Z: milter-reject: END-OF-MESSAGE from unknown[192.168.196.2]: 5.7.1 Virus found: "Eicar-Test-Signature"; from=<test@testserver.rhsoft.net> to=<rhsoft@test.rh> proto=ESMTP helo=<srv-rhsoft.rhsoft.net>
Dec  6 17:13:14 testserver postfix/submission/smtpd[17188]: disconnect from unknown[192.168.196.2] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1 quit=1 commands=7/8

Comment 16 Harald Reindl 2015-12-06 16:27:18 UTC
BTW - I deployed 0.99 on F22 now on our production server with the proposed unit changes; interestingly, clamd seems not to be affected by the socket troubles (unit unchanged until now). I will also give starting it as a restricted user a try - but that's off-topic for this bug report

[root@mail-gw:~]$ cat /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV Scanner Daemon

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
Restart=always
RestartSec=1

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_IPX AF_NETLINK AF_PACKET AF_X25
SystemCallArchitectures=x86-64

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/clamav-quarantine
InaccessibleDirectories=-/var/lib/spamass-milter

Comment 17 Harald Reindl 2015-12-06 16:39:03 UTC
Just for the record: clamd also works started as an unrestricted user using "clamilt" as group. Not sure how that all is intended to work; when I installed the system a year ago I needed to put postfix into the "clamilt" group to get all 3 pieces to work together without making the sockets chmod 0666 and especially without opening up the folder permissions of /run/clamav-milter

However, I am happy with running both as non-root from the beginning
__________________________________________________________

[root@mail-gw:~]$ cat /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV Scanner Daemon

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
Restart=always
RestartSec=1
Nice=5

User=clamscan
Group=clamilt

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_IPX AF_NETLINK AF_PACKET AF_X25
SystemCallArchitectures=x86-64

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
InaccessibleDirectories=-/var/lib/spamass-milter

InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/media
InaccessibleDirectories=-/root
InaccessibleDirectories=-/etc/dbus-1
InaccessibleDirectories=-/etc/modprobe.d
InaccessibleDirectories=-/etc/modules-load.d
InaccessibleDirectories=-/etc/postfix
InaccessibleDirectories=-/etc/ssh
InaccessibleDirectories=-/etc/sysctl.d
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/usr/lib64/dbus-1
InaccessibleDirectories=-/usr/lib64/xtables
InaccessibleDirectories=-/usr/lib/dracut
InaccessibleDirectories=-/usr/libexec/iptables
InaccessibleDirectories=-/usr/libexec/openssh
InaccessibleDirectories=-/usr/libexec/postfix
InaccessibleDirectories=-/usr/lib/grub
InaccessibleDirectories=-/usr/lib/kernel
InaccessibleDirectories=-/usr/lib/modprobe.d
InaccessibleDirectories=-/usr/lib/modules
InaccessibleDirectories=-/usr/lib/modules-load.d
InaccessibleDirectories=-/usr/lib/rpm
InaccessibleDirectories=-/usr/lib/sysctl.d
InaccessibleDirectories=-/usr/lib/udev
InaccessibleDirectories=-/usr/local/scripts
InaccessibleDirectories=-/var/db
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target
__________________________________________________________

[root@mail-gw:~]$ cat /etc/clamd.d/scan.conf
User clamscan
AllowSupplementaryGroups yes

PidFile /run/clamd.scan/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly no
LocalSocket /run/clamd/clamd.sock
LocalSocketMode 0666
MaxConnectionQueueLength 100
StreamMaxLength 35M
StreamMinPort 30000
StreamMaxPort 32000
MaxThreads 20
MaxQueue 50
ReadTimeout 120
CommandReadTimeout 5
SendBufTimeout 200
IdleTimeout 60
ExcludePath ^/proc/
ExcludePath ^/sys/
MaxDirectoryRecursion 20
FollowDirectorySymlinks no
FollowFileSymlinks no
CrossFilesystems yes
SelfCheck 1200
ExitOnOOM yes
Foreground no
Debug no
LeaveTemporaryFiles no
AllowAllMatchScan yes
DetectPUA no
AlgorithmicDetection yes
DisableCache no

ScanPE yes
DisableCertCheck yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
OLE2BlockMacros no
ScanPDF yes
ScanSWF yes
ScanMail yes
ScanPartialMessages no
PhishingSignatures yes
PhishingScanURLs yes
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
PartitionIntersection no
HeuristicScanPrecedence yes
StructuredDataDetection no
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxScanSize 50M
MaxFileSize 50M
MaxRecursion 15
MaxFiles 10000
MaxEmbeddedPE 10M
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
MaxPartitions 50
MaxIconsPE 100
ScanOnAccess no
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 1000
StatsEnabled no
StatsPEDisabled yes

Comment 18 Robert Scheck 2015-12-06 16:53:03 UTC
Did I get you right, that the proposed systemd unit from comment #15 should
solve the issues introduced by the update to clamav-0.99-1.fc2x?

Comment 19 Harald Reindl 2015-12-06 17:00:15 UTC
Yes, when not starting as root at all, the chown/chgrp/chmod code doesn't run and the socket has the group "clamilt" instead of "root", which makes "MilterSocketMode 0660" work properly

User=clamilt
Group=clamilt

However, the socket ending up with group "root" without User/Group in the systemd unit is still an upstream bug, but the above is preferred anyway because there is no point running code as root when it's not really needed

Comment 20 Fedora Update System 2015-12-06 17:27:00 UTC
clamav-0.99-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a81b2c2212

Comment 21 Fedora Update System 2015-12-06 17:27:06 UTC
clamav-0.99-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a81b2c2212

Comment 22 Fedora Update System 2015-12-06 17:28:29 UTC
clamav-0.99-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-13661ecb72

Comment 23 Fedora Update System 2015-12-06 17:28:33 UTC
clamav-0.99-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-13661ecb72

Comment 24 Fedora Update System 2015-12-06 17:29:31 UTC
clamav-0.99-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7b36c1ca5a

Comment 25 Fedora Update System 2015-12-06 17:29:35 UTC
clamav-0.99-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7b36c1ca5a

Comment 26 Fedora Update System 2015-12-06 23:51:42 UTC
clamav-0.99-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update clamav'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a81b2c2212

Comment 27 Fedora Update System 2015-12-06 23:55:48 UTC
clamav-0.99-2.fc23 dansguardian-2.10.1.1-17.fc23 klamav-0.46-18.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-a81b2c2212

Comment 28 Fedora Update System 2015-12-07 00:22:28 UTC
clamav-0.99-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update clamav'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13661ecb72

Comment 29 Fedora Update System 2015-12-07 00:37:00 UTC
clamav-0.99-2.fc22 dansguardian-2.10.1.1-17.fc22 klamav-0.46-18.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-13661ecb72

Comment 30 Fedora Update System 2015-12-07 23:22:39 UTC
clamav-0.99-2.fc22, dansguardian-2.10.1.1-17.fc22, klamav-0.46-18.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update dansguardian klamav clamav'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13661ecb72

Comment 31 Fedora Update System 2015-12-08 04:33:22 UTC
clamav-0.99-2.fc23, dansguardian-2.10.1.1-17.fc23, klamav-0.46-18.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update dansguardian klamav clamav'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-a81b2c2212

Comment 32 Fedora Update System 2015-12-08 07:22:38 UTC
clamav-0.99-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update clamav'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7b36c1ca5a

Comment 33 Fedora Update System 2015-12-13 09:51:28 UTC
clamav-0.99-2.fc22, dansguardian-2.10.1.1-17.fc22, klamav-0.46-18.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2015-12-17 07:32:53 UTC
clamav-0.99-2.fc23, dansguardian-2.10.1.1-17.fc23, klamav-0.46-18.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2016-01-28 19:25:39 UTC
clamav-0.99-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.