On Mon, Feb 02, 2009 at 07:27:25PM +0000, Arthur Dent wrote:
On Mon, Feb 02, 2009 at 01:52:36PM -0500, Daniel J Walsh wrote:
Arthur Dent wrote:
On Mon, Feb 02, 2009 at 07:01:16PM +0100, Dominick Grift wrote:
#============= spamd_t ==============
allow spamd_t admin_home_t:dir { read write add_name remove_name };
allow spamd_t admin_home_t:file { write getattr read create unlink ioctl append };
This is spamd creating stuff in the /root directory. Not sure if you want to actually allow this. Might want to set up the directory with proper labeling to allow spamd to write there.
userdom_read_sysadm_home_content_files(spamd_t)
Hmmm... I was about to say that nothing is run as root WRT spamassassin or spamd, but then I looked at the AVCs. It seems that razor is the offender here:
avc: denied { getattr } for pid=2200 comm="spamd" path="/root/.razor/razor-agent.conf"
(and several others like it)
I don't know if razor can be installed by a non-root user. If not, can I (should I?) just do what you suggest below?
What directory?
Could this be /root/.razor/ ?
You could setup labeling of
# semanage fcontext -a -t spamassassin_home_t '/root/.spamassassin(/.*)?'
# restorecon -R -v /root
Does this make the command:
# semanage fcontext -a -t spamassassin_home_t '/root/.razor(/.*)?'
# restorecon -R -v /root
OK. Forget this... I poked around my filesystem and found that actually I *did* have razor in my non-privileged user area. However, strangely, I also had it in /root. The odd thing is that it seems that for the most part razor would use the /home/mark/.razor files, but on this occasion (and others clearly) - on a whim - must have used the /root/.razor files to do its stuff.
I have removed the /root/.razor directory and also removed those items from my local policy. So far (touching wood here) it seems OK...
Thanks for your help on this...
Mark
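Added example, written for this page and not posted by any participant in the thread: a small POSIX shell helper that turns raw auditd AVC records, like the getattr denial Mark quoted, into a one-line-per-denial summary (process, source type, target type, class, permissions, path) and then lists the first-level directories under /root that the confined process was denied on. Those directories are exactly the decision point the thread turns on: relabel them with semanage/restorecon as Dominick suggested, or remove the stray copy as Mark did. The audit lines are constructed samples modelled on the thread's denial, and the field layout assumed is the standard auditd AVC record (`comm=`, `path=`, `scontext=`, `tcontext=`, `tclass=`).

```shell
#!/bin/sh
# Constructed sample audit records (not from the thread's real logs), modelled on
# the denial quoted above. The last line is a non-AVC record the filter must skip.
SAMPLE_AVC='type=AVC msg=audit(1233602845.123:4001): avc:  denied  { getattr } for  pid=2200 comm="spamd" path="/root/.razor/razor-agent.conf" dev=dm-0 ino=262401 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1233602845.124:4002): avc:  denied  { read write } for  pid=2200 comm="spamd" path="/root/.razor" dev=dm-0 ino=262400 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1233602845.130:4003): avc:  denied  { read } for  pid=2200 comm="spamd" path="/root/.spamassassin/user_prefs" dev=dm-0 ino=262410 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1233602845.130:4003): arch=c000003e syscall=2 success=no exit=-13 comm="spamd" exe="/usr/bin/perl"'

# avc_summary: read audit records on stdin, print one line per AVC denial:
#   <comm> <source type> <target type> <tclass> <perm[,perm...]> <path>
# Fields that are absent from a record (as in the shortened line quoted in the
# thread) are printed as "?" or "-" rather than breaking the column layout.
avc_summary() {
    awk '
    /avc: *denied/ {
        comm = "?"; perms = ""; path = "-"; stype = "?"; ttype = "?"; tclass = "?"; inperm = 0
        for (i = 1; i <= NF; i++) {
            # permissions sit between the literal "{" and "}" tokens
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^path=/)     { path = substr($i, 6); gsub(/"/, "", path) }
            # context is user:role:type:level; the third component is the type
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); stype = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        print comm, stype, ttype, tclass, perms, path
    }'
}

# avc_root_dirs: from avc_summary output, list the distinct first-level
# directories under /root that were denied (e.g. /root/.razor). Each one is a
# candidate either for a dedicated label via semanage fcontext + restorecon or,
# if it should not exist at all, for removal.
avc_root_dirs() {
    awk '$6 ~ /^\/root\// { split($6, seg, "/"); print "/" seg[2] "/" seg[3] }' | sort -u
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "--- directories under /root to relabel or remove ---"
printf '%s\n' "$SAMPLE_AVC" | avc_summary | avc_root_dirs
```

In practice the input would come from `ausearch -m avc` or `/var/log/audit/audit.log`; the point of the summary is to separate denials on content under /root (which a daemon normally should not touch) from denials on a user's own home content before deciding whether an allow rule, a relabel, or a cleanup is the right fix.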