Hi,
I'm still trying to get spamassassin to work properly with procmail selinux (this is bug #172088, been open almost 50 days, still not closed). I'm getting a bit tired of watching my spam system fail and will probably revert to no selinux testing at all (selinux=0, like almost everyone else) if this continues. 50 days is more than enough to fix a reported problem.
I have the following entry in my procmail :
:0fw: .spamc.lock
* < 256000
| spamc
Now maildir logs show spamassassin is denied access to its own files when selinux is enabled :
Dec 17 11:30:05 rousalka spamd[2681]: spamd: connection from localhost.localdomain [127.0.0.1] at port 50637
Dec 17 11:30:05 rousalka spamd[2681]: spamd: setuid to nim succeeded
(yes spamd does setuids)
Dec 17 11:30:05 rousalka spamd[2681]: spamd: creating default_prefs: /home/nim/.spamassassin/user_prefs
(spamd didn't see the pref files already existed - probably because of selinux - so it tries to create it)
Dec 17 11:30:05 rousalka spamd[2681]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
(the system tells it to get lost, the file already exists)
Dec 17 11:30:05 rousalka spamd[2681]: config: cannot write to /home/nim/.spamassassin/user_prefs: Permission non accordée
(and spamd is not allowed to write it)
Dec 17 11:30:05 rousalka spamd[2681]: spamd: failed to create readable default_prefs: /home/nim/.spamassassin/user_prefs
likewise pyzor is dead
Dec 17 11:30:05 rousalka spamd[2681]: internal error
Dec 17 11:30:05 rousalka spamd[2681]: pyzor: check failed: internal error
and the autowhitelist can not be modified, because spamd can not create a lockfile
Dec 17 11:30:05 rousalka spamd[2681]: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Dec 17 11:30:05 rousalka spamd[2681]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Dec 17 11:30:05 rousalka spamd[2681]: Can't call method "finish" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line 397.
This on a fully relabeled selinux-policy-targeted-2.1.6-8 rawhide system
Nicolas Mailhot wrote:
Hi,
I'm still trying to get spamassassin to work properly with procmail selinux (this is bug #172088, been open almost 50 days, still not closed). I'm getting a bit tired of watching my spam system fail and will probably revert to no selinux testing at all (selinux=0, like almost everyone else) if this continues. 50 days is more than enough to fix a reported problem.
I have the following entry in my procmail :
:0fw: .spamc.lock
* < 256000
| spamc
Now maildir logs show spamassassin is denied access to its own files when selinux is enabled :
Dec 17 11:30:05 rousalka spamd[2681]: spamd: connection from localhost.localdomain [127.0.0.1] at port 50637
Dec 17 11:30:05 rousalka spamd[2681]: spamd: setuid to nim succeeded
(yes spamd does setuids)
Dec 17 11:30:05 rousalka spamd[2681]: spamd: creating default_prefs: /home/nim/.spamassassin/user_prefs
(spamd didn't see the pref files already existed - probably because of selinux - so it tries to create it)
Dec 17 11:30:05 rousalka spamd[2681]: mkdir /home/nim: Le fichier existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 1467
(the system tells it to get lost, the file already exists)
Dec 17 11:30:05 rousalka spamd[2681]: config: cannot write to /home/nim/.spamassassin/user_prefs: Permission non accordée
(and spamd is not allowed to write it)
Dec 17 11:30:05 rousalka spamd[2681]: spamd: failed to create readable default_prefs: /home/nim/.spamassassin/user_prefs
likewise pyzor is dead
Dec 17 11:30:05 rousalka spamd[2681]: internal error
Dec 17 11:30:05 rousalka spamd[2681]: pyzor: check failed: internal error
and the autowhitelist can not be modified, because spamd can not create a lockfile
Dec 17 11:30:05 rousalka spamd[2681]: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Dec 17 11:30:05 rousalka spamd[2681]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Dec 17 11:30:05 rousalka spamd[2681]: Can't call method "finish" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line 397.
This on a fully relabeled selinux-policy-targeted-2.1.6-8 rawhide system
Funny this bug was just closed for FC4. What avc messages are you seeing?
Current policy has
userdom_manage_generic_user_home_dirs(spamd_t)
userdom_manage_generic_user_home_files(spamd_t)
Which should allow spamd_t to write to the users home directories.
Dan
Daniel J Walsh wrote:
Funny this bug was just closed for FC4. What avc messages are you seeing?
Current policy has
userdom_manage_generic_user_home_dirs(spamd_t)
userdom_manage_generic_user_home_files(spamd_t)
Which should allow spamd_t to write to the users home directories.
I'm not seeing anything closely related nowadays. I did at first but now it's failing without logging any clear avcs :
# audit2allow < /var/log/audit/audit.log
allow dovecot_auth_t tmp_t:dir getattr;
allow saslauthd_t usr_t:lnk_file read;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow unconfined_t lib_t:file execmod;
But shutting down selinux fixes the problem, so it's selinux-related
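Added example, not part of the thread or of any project's code: the audit2allow output above mixes several domains, so one way to answer "what avc messages are you seeing?" for spamd alone is to filter the AVC denials by source type. The audit records below are constructed samples, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (illustrative, not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134815405.101:31): avc:  denied  { write } for  pid=2681 comm="spamd" name="user_prefs" dev=dm-0 ino=4242 scontext=system_u:system_r:spamd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1134815405.102:32): avc:  denied  { create } for  pid=2681 comm="spamd" name="auto-whitelist.lock" scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1134815405.102:32): arch=40000003 syscall=5 success=no exit=-13 pid=2681 comm="spamd"
type=AVC msg=audit(1134815406.200:33): avc:  denied  { getattr } for  pid=1900 comm="dovecot-auth" name="tmp" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:tmp_t tclass=dir
"""

# Matches the denied permissions, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_for_domain(log_text, domain):
    """Map (target_type, object_class) -> sorted permissions denied to `domain`."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and context_type(m["scontext"]) == domain:
            key = (context_type(m["tcontext"]), m["tclass"])
            found[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in found.items()}


def allow_rules(log_text, domain):
    """Render the denials for one domain in the audit2allow style shown above."""
    rules = []
    for (target, tclass), perms in sorted(denials_for_domain(log_text, domain).items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {domain} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for d in ("spamd_t", "dovecot_auth_t", "procmail_t"):
        print(d, allow_rules(SAMPLE_AUDIT_LOG, d) or "no logged denials")
```

An empty result for a domain means only that no denial was logged for it; access suppressed by dontaudit rules in the policy is denied without leaving an AVC record.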