Bug 360041

Summary: SELinux prevents spamassassin from creating files in /var/lib/spamassassin and NFS home dirs
Product: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Reporter: Leonid Zeitlin <lz>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-12-10 21:06:24 UTC

Description Leonid Zeitlin 2007-10-31 12:18:13 UTC
Description of problem:
1. Spamassassin can store its Bayes database and auto-whitelist either in user 
home directories or in a shared location. In the latter case the shared 
location usually is in /var/lib/spamassassin. However, SELinux prevents 
Spamassassin from creating files in this directory. As a result Spamassassin 
can't create/update its auto-whitelist and create/update its Bayes database, which 
limits its functionality.

Example of error message logged by spamassassin:

spamd[2972]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /var/lib/spamassassin/auto-whitelist.lock.hostname.2972 for /var/lib/spamassassin/auto-whitelist.lock: Permission denied

By trial and error the following rules were found to allow the necessary access 
to /var/lib/spamassassin:

allow spamd_t spamd_var_lib_t:dir { write remove_name add_name };
allow spamd_t spamd_var_lib_t:file { write rename create unlink link append setattr };

2. Spamassassin automatically creates a .spamassassin directory in the user's home 
directory. However, if the home directory is mounted via NFS, SELinux prevents 
Spamassassin from creating this directory.

The following error messages are logged by spamd:
Oct 30 14:24:19 hostname spamd[10324]: spamd: creating default_prefs: /home/lz/.spamassassin/user_prefs
Oct 30 14:24:19 hostname spamd[10324]: config: cannot write to /home/lz/.spamassassin/user_prefs: No such file or directory
Oct 30 14:24:19 hostname spamd[10324]: spamd: failed to create readable default_prefs: /home/lz/.spamassassin/user_prefs

The following rule was found to help:

allow spamd_t nfs_t:dir create;

Version-Release number of selected component (if applicable):
spamassassin-3.2.2-2.fc7
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7


How reproducible:
Always

Steps to Reproduce:
1. Set up spamassassin to store auto-whitelist and Bayes database in a shared 
location, i.e. have the following in /etc/mail/spamassassin/local.cf:

auto_whitelist_path /var/lib/spamassassin/auto-whitelist
bayes_path /var/lib/spamassassin/bayes

2. Start spamd service
  
Actual results:
Auto-whitelist is not created. Error is logged by spamd (see "Description of 
problem" above)

Expected results:
Auto-whitelist is created.

Additional info:
When all audit messages are enabled (with semodule -b enableaudit.pp), spamd 
also complains that it wants to "name_bind" to a "hi_reserved_port_t". Don't 
know if this is a problem or not, since no visible problems were observed.

Comment 1 Daniel Walsh 2007-10-31 13:40:47 UTC
Is the use_nfs_home_dirs boolean turned on?

getsebool use_nfs_home_dirs

Turn it on with the following command

setsebool -P use_nfs_home_dirs 1

I will fix the auto-whitelist problem in the next update

Fixed in selinux-policy-2.6.4-52

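An added example (not code from the bug report or from the selinux-policy project) showing how the allow rules quoted in the description could be derived from AVC denial records instead of by trial and error, and how a target type such as nfs_t points to an existing boolean (use_nfs_home_dirs, per the exchange above) before any custom rule is written. The audit.log lines and the nfs_t-to-boolean lookup are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the report) modelling the denials described above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1193833093.120:401): avc:  denied  { write } for  pid=2972 comm="spamd" name="spamassassin" dev=dm-0 ino=393221 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1193833093.121:402): avc:  denied  { add_name } for  pid=2972 comm="spamd" name="auto-whitelist.lock.hostname.2972" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1193833093.122:403): avc:  denied  { create } for  pid=2972 comm="spamd" name="auto-whitelist.lock.hostname.2972" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1193833459.005:470): avc:  denied  { create } for  pid=10324 comm="spamd" name=".spamassassin" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1193833459.005:470): arch=c000003e syscall=83 success=no exit=-13 comm="spamd"
"""

# Hypothetical lookup: target types a shipped boolean already covers (use_nfs_home_dirs for
# nfs_t, per the discussion); toggling a boolean beats carrying a site-local allow rule.
BOOLEAN_FOR_TARGET = {"nfs_t": "use_nfs_home_dirs"}
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        # A context is user:role:type[:level]; the type is always the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], set(m.group(1).split())
    except (KeyError, IndexError):
        return None

def allow_rules(audit_log):
    """Merge denials per (source, target, class) into one allow rule each, sorted."""
    merged = defaultdict(set)
    for parsed in filter(None, map(parse_avc, audit_log.splitlines())):
        stype, ttype, tclass, perms = parsed
        merged[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def boolean_hints(audit_log):
    """Booleans to check with getsebool before writing any custom rule."""
    targets = {p[1] for p in filter(None, map(parse_avc, audit_log.splitlines()))}
    return sorted(BOOLEAN_FOR_TARGET[t] for t in targets if t in BOOLEAN_FOR_TARGET)

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
    print("check first:", boolean_hints(SAMPLE_AUDIT_LOG))
```

Only the denials that actually occurred end up in a rule, so the output is the minimal set rather than a broad grant like the one found by trial and error.
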
Comment 2 Leonid Zeitlin 2007-10-31 17:08:54 UTC
Thank you, but use_nfs_home_dirs is actually on. I think fs_manage_nfs_files 
doesn't allow creating directories.

Comment 3 Daniel Walsh 2007-11-01 17:45:41 UTC
You're right, sorry about that. I will add this ability in.

Fixed in selinux-policy-2.6.4-53

Comment 4 Leonid Zeitlin 2007-12-10 14:55:47 UTC
Sorry for the delay in testing. Now I am running selinux-policy-2.6.4-59.fc7. The 
issue is fixed.