Bug 1367848

Summary:	razor2 check failed, invalid argument since upgrade to FC24
Product:	[Fedora] Fedora	Reporter:	dan
Component:	perl-Razor-Agent	Assignee:	Robert Scheck <redhat-bugzilla>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	25	CC:	awilliam, dan, perl-devel, redhat-bugzilla
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-12-07 14:00:24 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description dan 2016-08-17 16:00:10 UTC

Description of problem:

After a recent upgrade to FC24, I have started seeing many of the following in the journal:

spamd[1708]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 187. at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 330.


Occurs on all inbound email to sendmail.  Email is then further processed and ends up at its destination mailbox.

Razor home directory exists at /var/spool/spamassassin/.razor.

razor-admin -v
Razor Agents 2.84, protocol version 3

Comment 1 dan 2016-08-17 17:44:39 UTC

In investigating further, I noticed that the pacakage which installed razor did not perform the registration step.  So I performed the following:

sudo razor-admin -home /var/spool/spamassassin/.razor -create
sudo razor-admin -home /var/spool/spamassassin/.razor -discover
sudo razor-admin -home /var/spool/spamassassin/.razor -register

Next, I sent a test email to my system.  Email was received but the follwoing was observed:

Aug 17 13:27:09 zzzz.private setroubleshoot[7986]: failed to retrieve rpm info for /var/spool/spamassassin/.razor/identity
Aug 17 13:27:10 zzzz.private setroubleshoot[7986]: SELinux is preventing 7370616D64206368696C64 from getattr access on the lnk_file /var/spool/spamassassin/.razor/identity. For complete SELinux messages. run sealert -l 18943e08-7857-4327-9740-838113738d5f
Aug 17 13:27:10 zzzz.private python3[7986]: SELinux is preventing 7370616D64206368696C64 from getattr access on the lnk_file /var/spool/spamassassin/.razor/identity.
                                            
                                            *****  Plugin catchall (100. confidence) suggests   **************************
                                            
                                            If you believe that 7370616D64206368696C64 should be allowed getattr access on the identity lnk_file by default.
                                            Then you should report this as a bug.
                                            You can generate a local policy module to allow this access.
                                            Do
                                            allow this access for now by executing:
                                            # ausearch -c '7370616D64206368696C64' --raw | audit2allow -M my-7370616D64206368696C64
                                            # semodule -X 300 -i my-7370616D64206368696C64.pp

Comment 2 dan 2016-08-31 11:42:07 UTC

When I attempt to execute the above recommended work around, there are no matches.

ausearch -c '7370616D64206368696C64' --raw | audit2allow -M my-7370616D64206368696C64
Nothing to do

ausearch -c '7370616D64206368696C64'
<no matches>

Comment 3 dan 2016-11-05 00:48:19 UTC

Any hope of moving this forward?

Comment 4 Adam Williamson 2016-11-24 22:34:33 UTC

I've filed a bug on the SELinux part of this, as I ran into it too. I didn't see the other thing you saw.

Comment 5 Robert Scheck 2016-11-29 07:09:30 UTC

(In reply to dan from comment #0)
> spamd[1708]: razor2: razor2 check failed: Invalid argument razor2: razor2
> had unknown error during get_server_info at
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 187. at
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 330.

This just reads a bit like a local firewall issue.

(In reply to Adam Williamson from comment #4)
> I've filed a bug on the SELinux part of this, as I ran into it too. I didn't
> see the other thing you saw.

That's bug #1398437, right? I'm not sure if /var/spool/mail is really a great
location for a user home directory...where does it come from? Spamd does not
seem to drop privileges by default, but this is "mail" user's home directory.

Comment 6 Adam Williamson 2016-11-29 07:31:09 UTC

mail is a system user. /var/spool/mail has been kinda the traditional location for mail drops on Linux since, well, ever, so far as I remember. it's in the FHS.

mail is actually one of the *very* few system users considered so core that it's right in the copy of /etc/passwd shipped with the 'setup' package:

https://git.fedorahosted.org/cgit/setup.git/tree/passwd

mail:*:8:12:mail:/var/spool/mail:/sbin/nologin

I just checked and that same line is present in the setup package from FC2:

https://dl.fedoraproject.org/pub/archive/fedora/linux/core/2/x86_64/os/SRPMS/setup-2.5.33-1.src.rpm

(I'd check FC1, but large chunks of FC1 seem to be missing). So, uh, you're probably not going to have a lot of luck arguing that that should be changed, is what I'm saying. :)

Comment 7 dan 2016-11-29 21:54:47 UTC

Re "reads a bit like a local firewall issue", port 783 is answering, so I'm not certain what else to be looking for.

Comment 8 dan 2016-12-06 19:46:01 UTC

Exists in FC25.

Comment 9 Adam Williamson 2016-12-06 19:52:30 UTC

razor seems to work fine on F25 with selinux-policy from updates-testing, for me. maillog shows lots of RAZOR2_* checks.

Comment 10 dan 2016-12-07 14:00:24 UTC

Working fine as of policy 13.1-225.1.  Ran overnight with no issues, can be closed.  Thank you.