On 09/11/16 11:48, Gordon Messmer wrote:
> On 11/08/2016 03:24 AM, Rob Kampen wrote:
>> If there is anyone that has this combo of services working under
>> CentOS7 and can shed any insight on why I cannot get this service to
>> actually run, it would be very much appreciated.
>
>
> When setting up a clamd service, you should need to enable the
> service, create the configuration file, and typically set up
> /etc/tmpfiles.d/clamd-<service>.conf. That file should have one line:
>
> d /run/clamd.<service> 0700 daemon daemon -
>
> ...or whatever user you use for clamd. If you don't have the proper
> tmpfiles setup, the run directory won't exist or won't have the
> correct owner, and either standard permissions or SELinux may deny the
> process access to the run directory.
>
so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
d /var/run/clamd.amavisd 0755 amavis amavis -

the process owner name and group name are amavis
this is not quite what you specified - which should it be?

My real head scratch problem is that running clamd from a cli works
perfectly.
Trying to get systemd (via systemctl start clamd@amavisd.service)
brings it up but after 1 second removes the pid file and shuts down.
set up clamd via the service file to use --debug and get nothing helpful
Trying to debug this systemd stuff seems impossible

Thanks
Rob
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 11/09/2016 02:07 AM, Rob Kampen wrote:
> so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
> d /var/run/clamd.amavisd 0755 amavis amavis -
>
> the process owner name and group name are amavis
> this is not quite what you specified - which should it be?

If "User" is set to amavis in the clamd configuration, that looks fine.

> My real head scratch problem is that running clamd from a cli works
> perfectly.
> Trying to get systemd (via systemctl start clamd@amavisd.service)
> brings it up but after 1 second removes the pid file and shuts down.
> set up clamd via the service file to use --debug and get nothing helpful
> Trying to debug this systemd stuff seems impossible

systemd starts processes in the correct SELinux context, while running
it from the shell does not. So my first guess would be that it's an
SELinux issue. Use "setenforce" to put the system in permissive mode
to see if that's the case. If so, "grep AVC /var/log/audit/audit.log"
for more info.
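
Added example, not part of the original thread: a shell check that the tmpfiles.d run-directory entry discussed above agrees with the clamd configuration (directory owner equals "User", and the socket and pid file sit inside that directory). The function names, the sample file names and the LocalSocket/PidFile paths are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example. File contents below are constructed samples, not from a real host.

# On CentOS 7 /var/run is a symlink to /run, so compare paths in /run form.
norm_path() {
    case "$1" in
        /var/run/*) printf '%s\n' "/run/${1#/var/run/}" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# conf_value FILE KEY: value of the last uncommented "KEY value" line.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# check_rundir TMPFILES_CONF CLAMD_CONF
# Prints "ok: ..." and returns 0 when consistent, else prints the finding and returns 1.
check_rundir() {
    tmpf=$1 conf=$2
    # Fields of the first "d" entry: path mode user group
    set -- $(awk '$1 == "d" { print $2, $3, $4, $5; exit }' "$tmpf")
    [ $# -eq 4 ] || { echo "no 'd' entry in $tmpf"; return 1; }
    dir=$(norm_path "$1") mode=$2 owner=$3 group=$4
    user=$(conf_value "$conf" User)
    [ "$owner" = "$user" ] || { echo "owner $owner != User ${user:-<unset>}"; return 1; }
    # The socket and pid file must live inside the directory tmpfiles creates.
    for key in LocalSocket PidFile; do
        p=$(conf_value "$conf" "$key")
        [ -n "$p" ] || continue
        case "$(norm_path "$p")" in
            "$dir"/*) ;;
            *) echo "$key $p is outside $dir"; return 1 ;;
        esac
    done
    echo "ok: $dir $mode $owner:$group matches $conf"
}

# Constructed inputs: the tmpfiles line is Rob's; the clamd.conf paths are assumed.
work=$(mktemp -d)
printf 'd /var/run/clamd.amavisd 0755 amavis amavis -\n' > "$work/tmpfiles.conf"
printf '%s\n' 'User amavis' \
    'LocalSocket /var/run/clamd.amavisd/clamd.sock' \
    'PidFile /var/run/clamd.amavisd/clamd.pid' > "$work/clamd.conf"
check_rundir "$work/tmpfiles.conf" "$work/clamd.conf"
```
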
On 11/11/16 13:36, Gordon Messmer wrote:
> On 11/09/2016 02:07 AM, Rob Kampen wrote:
>> so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
>> d /var/run/clamd.amavisd 0755 amavis amavis -
>>
>> the process owner name and group name are amavis
>> this is not quite what you specified - which should it be?
>
> If "User" is set to amavis in the clamd configuration, that looks fine.
>
>> My real head scratch problem is that running clamd from a cli works
>> perfectly.
>> Trying to get systemd (via systemctl start clamd@amavisd.service)
>> brings it up but after 1 second removes the pid file and shuts down.
>> set up clamd via the service file to use --debug and get nothing helpful
>> Trying to debug this systemd stuff seems impossible
>
> systemd starts processes in the correct SELinux context, while running
> it from the shell does not. So my first guess would be that it's an
> SELinux issue. Use "setenforce" to put the system in permissive mode
> to see if that's the case. If so, "grep AVC /var/log/audit/audit.log"
> for more info.

Tried this - set it to permissive and tried the systemctl start
clamd@amavisd.service and got exactly the same result - tried a number
of times - no messages in the logs to indicate a problem - just after
the final start up message of :-
>Self checking every 600 seconds.
after one second we get
>Pid file removed.
>Stopped at Fri Nov 11 04:35:49 2016
>Socket file removed.
So not selinux.
Thanks for the idea - I was unaware that systemd is selinux aware and
friendly.
I'll keep looking .....
On 11/11/16 13:36, Gordon Messmer wrote:
> On 11/09/2016 02:07 AM, Rob Kampen wrote:
>> so I have /etc/tmpfiles.d/clamd.amavisd.conf with content
>> d /var/run/clamd.amavisd 0755 amavis amavis -
>>
>> the process owner name and group name are amavis
>> this is not quite what you specified - which should it be?
>
> If "User" is set to amavis in the clamd configuration, that looks fine.
>
>> My real head scratch problem is that running clamd from a cli works
>> perfectly.
>> Trying to get systemd (via systemctl start clamd@amavisd.service)
>> brings it up but after 1 second removes the pid file and shuts down.
>> set up clamd via the service file to use --debug and get nothing helpful
>> Trying to debug this systemd stuff seems impossible
>
> systemd starts processes in the correct SELinux context, while running
> it from the shell does not. So my first guess would be that it's an
> SELinux issue. Use "setenforce" to put the system in permissive mode
> to see if that's the case. If so, "grep AVC /var/log/audit/audit.log"
> for more info.

Another random thought
When I invoke from the CLI - there is a -nofork=yes as a part of the
invocation.
When systemd tries to do the invocation via the ExecStart line - the
original clamd@.service file had this --nofork=yes also, the problem
was that this just caused an abend of the start up with the message:
> /usr/sbin/clamd: unrecognized option `--nofork=yes'
> ERROR: Unknown option passed
> ERROR: Can't parse command line options
and a look at the clamd man shows no such parameter - thus I removed it.
I wonder if this is the issue?
Not sure what I can or how I can test.
Will keep playing