edestecd / puppet-clamav

Puppet Module for managing ClamAV
GNU General Public License v3.0

Update docs for clamav-milter - unix socket #39

Open ubellavance opened 7 years ago

ubellavance commented 7 years ago

The latest update to clamav-milter makes the daemon run with the right SELinux context, but it's not included in the policy, so I can't use a TCP socket anymore; I finally found out how to make the Unix socket work.

  # Declaration of the module's main class; the opening line was missing from
  # the posted snippet and is restored here so the block parses.
  class { 'clamav':
    clamav_milter_options    => {
      'AddHeader'            => 'add',
      'OnInfected'           => 'Reject',
      'RejectMsg'            => 'Message rejected: Infected by %v',
      'MilterSocket'         => 'unix:/var/run/clamav-milter/clamav-milter.socket',
      'MilterSocketGroup'    => 'postfix',
      'MilterSocketMode'     => '660',
    },
    manage_clamd             => true,
    manage_user              => false,
    manage_freshclam         => true,
    manage_clamav_milter     => true,
    clamd_service_ensure     => 'running',
    freshclam_service_ensure => 'stopped',
  }

  # Parent directory of the socket: postfix needs search (x) permission on it,
  # so it is group-owned by postfix. Package['postfix'] is assumed to be
  # declared elsewhere in the catalog.
  file { '/var/run/clamav-milter':
    ensure  => directory,
    group   => 'postfix',
    require => Package['clamav_milter', 'postfix'],
  }

  # The milter runs as clamilt; it must be a member of the postfix group to
  # hand the socket over to that group (MilterSocketGroup above).
  user { 'clamilt':
    groups  => 'postfix',
    require => Package['clamav_milter', 'postfix'],
  }

To allow postfix to communicate with clamav-milter through a Unix socket, it needs x permission on the parent folder and rw permission on the socket file. The permissions on the socket file are determined in the clamav_milter_options block, but for the parent folder I had to create a file directive. The user directive is there because a user must be a member of the group it wants to change something to.
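The permission rule described in the comment above, as an added checker that is not code from this issue or from puppet-clamav: given a uid and its set of gids, it walks every directory on the socket's path and requires the search (x) bit, then requires write permission on the socket itself, which is what connect(2) needs on a Linux pathname socket according to unix(7) (so the 660 mode above is sufficient). The `resolve_user`, `effective_bits` and `check_socket_access` names are this example's own; the path and the `postfix` account in the demo call are the ones from the issue.

```python
"""Check whether a service account can connect to a Unix socket.

Added example, not code from this issue or from puppet-clamav. It applies
the rule from the comment above: every directory on the path needs search
(x) permission, and the socket itself must be writable, which is what
connect(2) needs on a Linux pathname socket (see unix(7)). Root's DAC
override is deliberately ignored: the check is meant for service accounts.
"""
import grp
import os
import pwd
import stat


def resolve_user(username):
    """Return (uid, set_of_gids) for a local account, supplementary groups included."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def effective_bits(st, uid, gids):
    """Classic POSIX DAC: exactly one class applies, owner first, then group, then other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def describe(st):
    return f"mode {stat.S_IMODE(st.st_mode):04o}, uid {st.st_uid}, gid {st.st_gid}"


def check_socket_access(socket_path, uid, gids):
    """Return a list of problems; an empty list means uid can reach and connect to the socket."""
    problems = []
    path = os.path.realpath(socket_path)  # /var/run is usually a symlink to /run

    # Walk from the socket's parent up to /: every component needs the x (search) bit.
    directory = os.path.dirname(path)
    while True:
        st = os.stat(directory)
        if not effective_bits(st, uid, gids) & 0o1:
            problems.append(f"no search (x) permission on {directory} ({describe(st)})")
        if directory == os.path.dirname(directory):
            break
        directory = os.path.dirname(directory)

    # The socket itself: connect(2) requires write permission on the socket object.
    st = os.stat(path)
    if not effective_bits(st, uid, gids) & 0o2:
        problems.append(f"no write permission on {path} ({describe(st)})")
    return problems


if __name__ == "__main__":
    # Path and account as in the issue above; expects a host with clamav-milter installed.
    milter_socket = "/var/run/clamav-milter/clamav-milter.socket"
    try:
        uid, gids = resolve_user("postfix")
        result = check_socket_access(milter_socket, uid, gids)
    except (KeyError, OSError) as exc:
        print(f"cannot check {milter_socket}: {exc}")
    else:
        print("OK: postfix can connect" if not result else "\n".join(result))
```

Run it as root on the mail host after the Puppet run; any line it prints names the exact directory or socket whose mode, owner or group membership still blocks the postfix account, which is faster than reading Postfix's "connect to Milter service" errors.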