rpms / clamav

Clone
Source Code
GIT

Files

el4 el5 el6 epel7 epel8 epel8-playground epel9 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main rawhide
  1.   epel8
  2.   clamd-README
Blob Blame History Raw 
Update 2021: Log to syslog is obsolete, journalctl superseded it

  By default, clamd provides a general "scan" service that requires minimal
configuration.  To configure, edit /etc/clamd/scan.conf and:

  * set LocalSocket for localhost access or TCPSocket for network access.

  Default configuration will:

  * Log to syslog
  * Run as the user "clamscan"

  When LogFile feature is wanted, it must be writable for the assigned
User.  The recommended way is to:

  * make it owned by the User's *group*
  * assign at least 0620 (u+rw,g+w) permissions

  A suitable command might be
  | # touch <logfile>
  | # chgrp <user> <logfile>
  | # chmod 0620   <logfile>
  | # restorecon <logfile>

  NEVER use 'clamav' as the user since it can modify the database.  This is
the user who is running the application; e.g. for mimedefang
(http://www.roaringpenguin.com/mimedefang), the user might be 'defang'.
Theoretically, distinct users could be used, but it must be made sure that
the application-user can write into the socket-file, and that the clamd-user
can access the files asked by the application to be checked.

  The default service can be enabled and started with:

  systemctl enable clamd@scan.service
  systemctl start clamd@scan.service

  To create other individual clamd-instances take the following files in
/usr/share/doc/clamd/ and modify/copy them in the suggested way:

clamd.conf, copy to /etc/clamd.d/<SERVICE>.conf
  * Change <SERVICE> as to match name of config file
  * Any other changes as noted above

clamd.logrotate: (only when LogFile feature is used)
  * set the correct value for the logfile
  * place it into /etc/logrotate.d

  Additionally, when using LocalSocket instead of TCPSocket, the directory
for the socket file must be created.  For tmpfiles based systems, you might
want to create a file /etc/tmpfiles.d/clamd.<SERVICE>.conf with a content of

 | d /run/clamd.<SERVICE> <MODE> <USER> <GROUP>

  Adjust <MODE> (0710 should suffice for most cases) and <USER> + <GROUP>
so that the socket can be accessed by clamd and by the applications using
clamd. Make sure that the socket is not world accessible; else, DOS attacks
or worse are trivial.

  After emulating these steps by hand (or else rebooting), you still need set
SELinux:

 chcon -t clamd_var_run_t /run/clamd.<SERVICE>
or
 restorecon -R -v "/run/clamd.<SERVICE>"

More SELinux notes:
you may need run:

 setsebool -P antivirus_can_scan_system 1

and also maybe this one (I need to confirm that is obsolete)

 setsebool -P antivirus_use_jit 1

  The new service can be enabled and started with:

  systemctl enable clamd@<SERVICE>.service
  systemctl start clamd@<SERVICE>.service


[Disclaimer:
 this file and the script/configfiles are not part of the official
 clamav package.

 Please send complaints and comments to
 https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=clamav]
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.