87 lines
2.8 KiB
Plaintext
87 lines
2.8 KiB
Plaintext
Update 2021: Log to syslog is obsolete, journalctl superseded it
|
|
|
|
By default, clamd provides a general "scan" service that requires minimal
|
|
configuration. To configure, edit /etc/clamd/scan.conf and:
|
|
|
|
* set LocalSocket for localhost access or TCPSocket for network access.
|
|
|
|
Default configuration will:
|
|
|
|
* Log to syslog
|
|
* Run as the user "clamscan"
|
|
|
|
When LogFile feature is wanted, it must be writable for the assigned
|
|
User. The recommended way is to:
|
|
|
|
* make it owned by the User's *group*
|
|
* assign at least 0620 (u+rw,g+w) permissions
|
|
|
|
A suitable command might be
|
|
| # touch <logfile>
|
|
| # chgrp <user> <logfile>
|
|
| # chmod 0620 <logfile>
|
|
| # restorecon <logfile>
|
|
|
|
NEVER use 'clamav' as the user since it can modify the database. This is
|
|
the user who is running the application; e.g. for mimedefang
|
|
(http://www.roaringpenguin.com/mimedefang), the user might be 'defang'.
|
|
Theoretically, distinct users could be used, but it must be made sure that
|
|
the application-user can write into the socket-file, and that the clamd-user
|
|
can access the files asked by the application to be checked.
|
|
|
|
The default service can be enabled and started with:
|
|
|
|
systemctl enable clamd@scan.service
|
|
systemctl start clamd@scan.service
|
|
|
|
To create other individual clamd-instances take the following files in
|
|
/usr/share/doc/clamd/ and modify/copy them in the suggested way:
|
|
|
|
clamd.conf, copy to /etc/clamd.d/<SERVICE>.conf
|
|
* Change <SERVICE> as to match name of config file
|
|
* Any other changes as noted above
|
|
|
|
clamd.logrotate: (only when LogFile feature is used)
|
|
* set the correct value for the logfile
|
|
* place it into /etc/logrotate.d
|
|
|
|
Additionally, when using LocalSocket instead of TCPSocket, the directory
|
|
for the socket file must be created. For tmpfiles based systems, you might
|
|
want to create a file /etc/tmpfiles.d/clamd.<SERVICE>.conf with a content of
|
|
|
|
| d /run/clamd.<SERVICE> <MODE> <USER> <GROUP>
|
|
|
|
Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP>
|
|
so that the socket can be accessed by clamd and by the applications using
|
|
clamd. Make sure that the socket is not world accessible; else, DOS attacks
|
|
or worse are trivial.
|
|
|
|
After emulating these steps by hand (or else rebooting), you still need set
|
|
SELinux:
|
|
|
|
chcon -t clamd_var_run_t /run/clamd.<SERVICE>
|
|
or
|
|
restorecon -R -v "/run/clamd.<SERVICE>"
|
|
|
|
More SELinux notes:
|
|
you may need run:
|
|
|
|
setsebool -P antivirus_can_scan_system 1
|
|
|
|
and also maybe this one (I need to confirm that is obsolete)
|
|
|
|
setsebool -P antivirus_use_jit 1
|
|
|
|
The new service can be enabled and started with:
|
|
|
|
systemctl enable clamd@<SERVICE>.service
|
|
systemctl start clamd@<SERVICE>.service
|
|
|
|
|
|
[Disclaimer:
|
|
this file and the script/configfiles are not part of the official
|
|
clamav package.
|
|
|
|
Please send complaints and comments to
|
|
https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=clamav]
|