====== Yet Another Way To Configure DAZ ======

One morning, after my first cup of coffee of the day, I decided to try DAZ. The handbook says it has to run as root, but with the strength given by my breakfast I decided: no, I will not. Here is the result:

===== Preparation =====

I'm a hardened Gentoo user, so I emerged clamav (if you aren't, make sure your clamav is not compiled with --disable-clamuko). In its configuration file (/etc/clamd.conf) I set a few options; the interesting one is:

<code>
User clamav
</code>

__//**UM RELATED STUFF**//__

After setting up the UM clamav user properly (as secoff or bofh on my system):

<code>
bofh@orion~$ rsbac_useradd -m -r -P -i 20 -d /adm/clamav -g 700 -u 700
</code>

The user was added with its own password, out of separation-of-duties concern. I then proceeded to configure AUTH properly:

__//**AUTH RELATED STUFF**//__

<code>
bofh@orion~$ auth_set_cap FD add /usr/sbin/clamd 0/700
bofh@orion~$ auth_set_cap -e FD add /usr/sbin/clamd 0/700
bofh@orion~$ auth_set_cap -f FD add /usr/sbin/clamd 0/700
</code>

The commands with the -e and -f flags are only required if you have CONFIG_RSBAC_AUTH_DAC_OWNER in your kernel config; if not, omit them. Another thing to keep in mind: if you enabled CONFIG_RSBAC_AUTH_GROUP, you also have to add the AUTH capabilities for its group (the -G, -E and -F flags of auth_set_cap).

Then I started granting clamd the privileges it needs to work (in capabilities):

__//**CAP RELATED STUFF**//__

In my tests, clamd needs CHOWN, DAC_READ_SEARCH, FOWNER, SETGID and SETUID as minimal capabilities. So I grant them as minimal caps:

<code>
bofh@orion~$ attr_set_file_dir FD /usr/sbin/clamd min_caps CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID
</code>

And of course, since I granted minimal caps, I forbid passing LD environment variables:

<code>
bofh@orion~$ attr_set_file_dir FD /usr/sbin/clamd cap_ld_env 0
</code>

__//**RC RELATED STUFF**//__

If you use the Role Compatibility module, you should create the required roles and types and grant the required permissions. In particular, grant R to the clamav config files, RW to the clamav log file and the clamav home dir, and MAP_EXEC and EXECUTE to the required libraries. Grant R to every type of file that clamav should scan. Clamav needs access to the dazuko device: grant it READ, READ_WRITE_OPEN, READ_OPEN, WRITE and WRITE_OPEN, and grant READ_WRITE_OPEN, READ_OPEN and WRITE_OPEN to the common devices (such as /dev/zero, /dev/null, etc.). It's a good idea to create its own IPC type and grant clamav_r CLOSE, CREATE, READ, WRITE, LISTEN, SEND, RECEIVE and MAP_EXEC on it.

This can serve as a summary. Adapt the type numbers to suit your needs.

  * Type creation

<code>
bofh@orion~$ rc_set_item TYPE 100 type_fd_name "bindir_t"
bofh@orion~$ rc_set_item TYPE 102 type_fd_name "sbindir_t"
bofh@orion~$ rc_set_item TYPE 103 type_fd_name "logdir_t"
bofh@orion~$ rc_set_item TYPE 104 type_fd_name "devdir_t"
bofh@orion~$ rc_set_item TYPE 105 type_fd_name "genusrdatadirt"
bofh@orion~$ rc_set_item TYPE 109 type_fd_name "libdir_t"
bofh@orion~$ rc_set_item TYPE 113 type_fd_name "varlibdir_t"
bofh@orion~$ rc_set_item TYPE 114 type_fd_name "varrundir_t"
bofh@orion~$ rc_set_item TYPE 115 type_fd_name "tmpdir_t"
bofh@orion~$ rc_set_item TYPE 116 type_fd_name "vartmpdir_t"
bofh@orion~$ rc_set_item TYPE 125 type_fd_name "globaletcdir_t"
bofh@orion~$ rc_set_item TYPE 135 type_fd_name "usrdir_t"
bofh@orion~$ rc_set_item TYPE 200 type_fd_name "clamav_t"
bofh@orion~$ rc_set_item TYPE 3 type_dev_name "dazuko"
bofh@orion~$ rc_set_item TYPE 4 type_dev_name "tty_t"
bofh@orion~$ rc_set_item TYPE 9 type_dev_name "common_t"
bofh@orion~$ rc_set_item TYPE 17 type_dev_name "console_t"
</code>

__//**PaX RELATED STUFF**//__

In order to get DAZ working you must disable the PAX_UDEREF and PAX_USERCOPY options in your kernel config. Whether UDEREF could instead be kept by changing it through some gcc plugin still has to be tested.

If you wish to go back: [[https://www.rsbac.org/wiki/experiences/tazok]]
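The AUTH, CAP, RC and PaX steps above gathered into one reviewable script, as an added example that is not part of the original page or of the RSBAC admin tools. The RSBAC commands are exactly the ones the page shows; DRY_RUN=1 prints them instead of executing them, so the plan can be checked on a machine without the admin tools before it is run as secoff or bofh on the real one. Assumptions of my own, not stated by the page: the kernel .config path handed to pax_conflicts, and that attr_get_file_dir reads an attribute back with the same FD/target/attribute arguments that attr_set_file_dir uses to set it. The RC permission grants (R on config files, RW on the log and home dir, device and IPC rights) are not generated here because their targets depend on your own type layout.

```shell
#!/bin/sh
# Added example (not from the page or the RSBAC project): apply the clamd
# settings described above as one script. DRY_RUN=1 prints every RSBAC
# command verbatim instead of running it; APPLY=1 actually applies them.
# Assumed: attr_get_file_dir syntax in rsbac_verify_caps, and the .config
# path given to pax_conflicts.

CLAMD=/usr/sbin/clamd                  # binary the page grants the caps to
OWNER=0/700                            # uid/gid pair from the page's auth_set_cap lines
MIN_CAPS="CHOWN DAC_READ_SEARCH FOWNER SETGID SETUID"
DRY_RUN=${DRY_RUN:-0}
AUTH_DAC_OWNER=${AUTH_DAC_OWNER:-0}    # 1 if CONFIG_RSBAC_AUTH_DAC_OWNER is set

# run: execute a command, or print it on one line when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# AUTH capabilities; the -e/-f variants only matter with CONFIG_RSBAC_AUTH_DAC_OWNER
rsbac_auth_caps() {
    run auth_set_cap FD add "$CLAMD" "$OWNER"
    if [ "$AUTH_DAC_OWNER" = 1 ]; then
        run auth_set_cap -e FD add "$CLAMD" "$OWNER"
        run auth_set_cap -f FD add "$CLAMD" "$OWNER"
    fi
}

# Minimal Linux capabilities for clamd, always paired with the LD_* environment ban
rsbac_min_caps() {
    # MIN_CAPS is intentionally word-split into separate arguments
    run attr_set_file_dir FD "$CLAMD" min_caps $MIN_CAPS
    run attr_set_file_dir FD "$CLAMD" cap_ld_env 0
}

# RC types from the page as "number attribute name" triples, one per line
rsbac_rc_types() {
    while read -r num attr name; do
        run rc_set_item TYPE "$num" "$attr" "$name"
    done <<EOF
100 type_fd_name bindir_t
102 type_fd_name sbindir_t
103 type_fd_name logdir_t
104 type_fd_name devdir_t
105 type_fd_name genusrdatadirt
109 type_fd_name libdir_t
113 type_fd_name varlibdir_t
114 type_fd_name varrundir_t
115 type_fd_name tmpdir_t
116 type_fd_name vartmpdir_t
125 type_fd_name globaletcdir_t
135 type_fd_name usrdir_t
200 type_fd_name clamav_t
3 type_dev_name dazuko
4 type_dev_name tty_t
9 type_dev_name common_t
17 type_dev_name console_t
EOF
}

# Read back what the kernel actually stores (assumed attr_get_file_dir syntax)
rsbac_verify_caps() {
    run attr_get_file_dir FD "$CLAMD" min_caps
    run attr_get_file_dir FD "$CLAMD" cap_ld_env
}

# pax_conflicts CONFIG: print the PaX options the page says must be off for DAZ;
# returns 1 if any of them is still enabled in the given kernel .config
pax_conflicts() {
    grep -E '^CONFIG_PAX_(UDEREF|USERCOPY)=y' "$1" && return 1
    return 0
}

apply_all() {
    rsbac_auth_caps && rsbac_min_caps && rsbac_rc_types && rsbac_verify_caps
}

# Apply only when asked explicitly, so sourcing the file for review is harmless
if [ "${APPLY:-0}" = 1 ]; then
    apply_all
fi
```

Run it first as `DRY_RUN=1 AUTH_DAC_OWNER=1 APPLY=1 sh clamd-rsbac.sh` (a hypothetical file name) to see the exact command list, and `pax_conflicts /usr/src/linux/.config` tells you before rebooting whether the two PaX options the page warns about are still on.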