Bug 514968 - Clamav-milter busted in fedora 11
Summary: Clamav-milter busted in fedora 11
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 11
Hardware: x86_64
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Enrico Scholz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-31 17:24 UTC by Michael Breuer
Modified: 2009-08-08 07:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 495502
Environment:
Last Closed: 2009-07-31 18:42:24 UTC
Type: ---
Embargoed:



Description Michael Breuer 2009-07-31 17:24:09 UTC
Description of problem:

Fresh install - multiple errors that appear identical to https://bugzilla.redhat.com/show_bug.cgi?id=495502 - filed against RHEL.

Basically, Clamav + clamav-milter + sendmail doesn't work.

Issues include:

Configuration files mismatch (i.e., .sock vs. .socket),

Permissions hosed - i.e., clamd scanner can't connect properly to the milter... fixing that, SELinux complains. Fixing that, sendmail can't communicate properly with the milter... many errors (again, pretty much what is documented against RHEL in the above link).

Version-Release number of selected component (if applicable):
95-1.2

How reproducible:

Totally - just do a clean fedora 11 install including sendmail and clamav + milter. It doesn't work. (I did have this working on Fedora 11 and did try copying config files over... no go).

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Enrico Scholz 2009-07-31 18:42:12 UTC
Thanks for pointing out the inconsistency in README.fedora about 'clamav.sock' vs. 'clamav-milter.sock'.

Regarding SELinux issues you might try to file a bug against selinux-policy with more details.

I can not reproduce the issues in #495502 in Fedora 11.

Else, I highly suggest a setup which communicates over TCP sockets.

Comment 2 Enrico Scholz 2009-08-01 09:52:06 UTC
fwiw, I added some comments to README.fedora explaining a sample setup

http://cvs.fedora.redhat.com/viewvc/rpms/clamav/devel/README.fedora?root=extras&r1=1.3&r2=1.4

Comment 3 Michael Breuer 2009-08-01 13:44:02 UTC
Ok, but I think perhaps suggesting ".sock" would be more consistent with everything else.

I also added:

   allow sendmail_t device_t:file { read write };
   allow sendmail_t devpts_t:chr_file write;

to my selinux policy based on the AVC denials that seem to be related to clamav-milter.

I haven't yet retested everything but will later today.

Comment 4 Michael Breuer 2009-08-08 05:41:03 UTC
Ok - I've gotten past AVC errors, but cannot get this (or any other milter) working with unix domain sockets.

This worked in F10, doesn't in F11. 

The failure seems to be directory permissions as checked by the safefile call in sendmail. It's got to be the directory as I get the same error whether the .sock file is present or not.

I've tried just about everything except running sendmail in debug (next step I guess).

As of now, I've been working with both clamav and mimedefang. I tried forcing both to the smmsp user, changing directory ownership for the milter socket parents to smmsp:smmsp; and smmsp:mail with just about every permutation of permissions possible.

No matter the log level, I get only the one relevant message: 

sendmail[20025]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 1782: Xmimedefang: local socket name /var/spool/MIMEDefang/mimedefang.sock unsafe: Permission denied

I get the corresponding messages from clamav (and also spamass-milter).

I'm going to open a ticket against sendmail.
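
A diagnostic for the directory-permission theory in Comment 4, as an added example that is not part of the bug thread and is not sendmail's safefile code: it walks every parent directory of a milter socket and reports the ones a given account cannot search or that are group- or world-writable. It checks classic mode bits only (no ACLs, no SELinux); the function names and the default account are assumptions.

```python
import os
import pwd
import stat
import sys
from pathlib import Path


def can_search(st, uid, gids):
    """Owner/group/other test for the search (x) bit; ignores ACLs and SELinux."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def audit_socket_path(sock_path, uid, gids):
    """Return (directory, problem) pairs for each parent directory of sock_path."""
    findings = []
    for d in reversed(Path(sock_path).parents):  # from / down to the socket's directory
        try:
            st = os.stat(d)
        except OSError as exc:
            findings.append((str(d), f"cannot stat: {exc.strerror}"))
            break
        if not stat.S_ISDIR(st.st_mode):
            findings.append((str(d), "not a directory"))
            break
        if not can_search(st, uid, gids):
            findings.append((str(d), f"not searchable by uid {uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(d), "group- or world-writable"))
    return findings


if __name__ == "__main__":
    # Defaults: socket path from the log line above; account name is an assumption.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/MIMEDefang/mimedefang.sock"
    user = sys.argv[2] if len(sys.argv) > 2 else "smmsp"
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        sys.exit(f"no such user: {user}")
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for directory, problem in audit_socket_path(path, pw.pw_uid, groups):
        print(f"{directory}: {problem}")
```

Run it with the socket path and the account to test as arguments; an empty result means the mode bits are not the obstacle, which points back at SELinux or at sendmail's own checks.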

Comment 5 Enrico Scholz 2009-08-08 07:36:17 UTC
Again: I highly suggest a setup which communicates over TCP sockets.
