Bug 489995

Summary: reboot removes everything in /var/run/spamass-milter/.spamassassin (bayes_seen, bayes_toks, etc.)
Product: [Fedora] Fedora
Reporter: Eddie Lania <eddie>
Component: spamass-milter
Assignee: Paul Howarth <paul>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 10
CC: paul
Hardware: All
OS: Linux
Fixed In Version: 0.3.1-13.fc10
Doc Type: Bug Fix
Last Closed: 2009-04-23 12:17:30 UTC

Description Eddie Lania 2009-03-12 19:51:22 UTC
Description of problem: reboot removes everything in /var/run/spamass-milter/.spamassassin (bayes_seen, bayes_toks, etc.), all directories are removed.

the directories below /var/run/spamass-milter:

.spamassassin
.razor
.pyzor

Get automatically removed when the system is rebooted.

This also means that any of the registration information that has been done with the razor-admin tool gets lost but ALSO the gathered bayes information.

When the services are just being stopped and started this does not occur.


Version-Release number of selected component (if applicable):

spamass-milter-0.3.1-8.fc10.i386
spamassassin-3.2.5-2.fc10.i386



How reproducible: install Fedora 10 with spamassassin and spamass-milter and configure it to work


Steps to Reproduce:
1. Install and run for a while
2. reboot
3. Look in the /var/run/spamass-milter directory: everything is removed and files have to be re-created.
  
Actual results:


Expected results:


Additional info:

Comment 1 Paul Howarth 2009-03-13 07:12:27 UTC
How are you configuring spamassassin and spamass-milter?

What's in /etc/sysconfig/spamass-milter ?

Comment 2 Eddie Lania 2009-03-13 10:34:54 UTC
### Override for your different local config
#SOCKET=/var/run/spamass-milter/spamass-milter.sock

### Standard parameters for spamass-milter are:
### -P /var/run/spamass-milter.pid (PID file)
###
### Note that the -f parameter for running the milter in the background
### is not required because the milter runs in a wrapper script that
### backgrounds itself
###
### You may add another parameters here, see spamass-milter(1)
#EXTRA_FLAGS="-m -r 15"
EXTRA_FLAGS="-i 192.168.1.0/24,192.168.2.0/24,127.0.0.1/32 -M -b dev-null"

Comment 3 Eddie Lania 2009-03-16 07:33:01 UTC
Do I need to provide more data? If so, please mention it.

Comment 4 Paul Howarth 2009-03-16 23:10:05 UTC
(In reply to comment #3)
> Do I need to provide more data? If so, please mention it.  

I think I've got everything I need, thanks.

It's normal for everything under /var/run to be cleared at boot; I hadn't realized that people ran the milter without using separate per-user config files and databases (having common ones doesn't work as well) and that these files would end up in /var/run/spamass-milter/. In fact this answers the question I raised in https://bugzilla.redhat.com/show_bug.cgi?id=483849#c5 about a change to the SELinux policy for the milter that was made in Fedora.

What I'll need to do is to move the sa-milt user's home directory to somewhere other than /var/run so that it doesn't get cleared out at boot time. I'll need to think about that a bit to see if I can figure out a change that won't need a change to the SELinux policy too.

Comment 5 Paul Howarth 2009-03-16 23:35:34 UTC
Can you try this:

# service spamass-milter stop
# mkdir /var/spool/spamassassin
# chmod 755 /var/spool/spamassassin
# usermod -m --home /var/spool/spamassassin/milter sa-milt
# mkdir /var/run/spamass-milter
# chown sa-milt:sa-milt /var/run/spamass-milter
# chmod 711 /var/run/spamass-milter
# restorecon -rv /var/run/spamass-milter /var/spool/spamassassin
# service spamass-milter start

Are you running with SELinux enabled?

Comment 6 Paul Howarth 2009-03-17 10:52:41 UTC
(In reply to comment #5)
> Can you try this:
> 
> # service spamass-milter stop
> # mkdir /var/spool/spamassassin
> # chmod 755 /var/spool/spamassassin
> # usermod -m --home /var/spool/spamassassin/milter sa-milt
> # mkdir /var/run/spamass-milter
> # chown sa-milt:sa-milt /var/run/spamass-milter
> # chmod 711 /var/run/spamass-milter
> # restorecon -rv /var/run/spamass-milter /var/spool/spamassassin
> # service spamass-milter start

Forget this, it's broken with SELinux. I'll need a different location and an SELinux policy update.

Comment 9 Paul Howarth 2009-03-17 11:05:43 UTC
Apologies for the multiple comments - I got error responses from bugzilla and resubmitted my comments.

Comment 10 Eddie Lania 2009-03-17 16:16:46 UTC
I am running this on a production server. The server acts as a DNS, DHCP, HTTP and MAIL gateway server. It relays the mail in- and outwards from/to an exchange server. Just recently I went over from an older Fedora Core 3 version to F10. It is great having a Linux server in between internet and an intranet. It filters all spam and viruses before reaching the inside of our LAN.

Because of the troubles with SELinux, I disabled SELinux.

What would be the benefit of running SELinux? Am I more vulnerable now running without it?

Regards,

E.

Comment 11 Paul Howarth 2009-03-17 16:36:57 UTC
Well I personally wouldn't dream of running an Internet-connected box without SELinux. It's not causing me issues on my DNS/DHCP/HTTP/Mail/FTP/Samba etc. servers but then I do know how to fix problems if they crop up.

I think the key point of SELinux is that it can limit the damage an attacker can cause if they do manage to exploit a vulnerability in some service - they won't in most cases be able to do anything that the compromised service should normally be able to do. Like a firewall, it's an additional layer of protection you can employ.

You might consider running SELinux in permissive mode, where it reports things that it would not allow but still allows them to happen. If you can run your servers without generating such reports, it would be safe to switch to enforcing mode and get the benefit of SELinux protection. Be warned that if you switch from disabled to permissive mode, you'll need to reboot and relabel your filesystems to add SELinux attributes to files, which may take quite some time, particularly on a large system.

I've submitted an SELinux policy patch upstream (http://oss.tresys.com/pipermail/refpolicy/2009-March/000753.html) with a view to getting this fixed before updating spamass-milter itself. Given that you're not using SELinux yourself, all you should need to do to fix things is make a new directory /var/lib/spamass-milter, make it owned by user/group sa-milt and permissions 0755, and use vipw or usermod to change the home directory of user sa-milt to /var/lib/spamass-milter. You could also copy /var/run/spamass-milter/.spamassassin to /var/lib/spamass-milter/.spamassassin. Then restart the milter.

The package update I'm planning will include the /var/lib/spamass-milter directory and will update the sa-milt user's home directory if necessary.

Comment 12 Eddie Lania 2009-03-17 16:57:13 UTC
Will /var/lib/spamass-milter be the default directory in a future version of spamassassin? I'd be happy to apply the workaround but I wonder what will happen if there will be updated rpm packages installed for it.

Regards,

E.

Comment 13 Paul Howarth 2009-03-17 17:07:46 UTC
Yes - this is a spamass-milter package function, not a spamassassin package function. The spamassassin daemon just tries to look for preferences/bayes databases etc. in the home directory of the user that connects to it, which in the case of the milter is sa-milt. So whatever the home directory of sa-milt is (as set in the spamass-milter package) will be the place spamassassin uses.

As I mentioned last time, the update I'm intending to do will make the sa-milt user's home directory /var/lib/spamass-milter (if it isn't set to that already).

Comment 14 Eddie Lania 2009-03-17 19:00:54 UTC
Apologies for that - I missed that last part of your message.

I applied the changes.

One question though: I suppose the original /var/run/spamass-milter must be kept in place for the milter socket file? The rest can be deleted?

Comment 15 Paul Howarth 2009-03-17 20:47:15 UTC
(In reply to comment #14)
> Apologies for that - I missed that last part of your message.
> 
> I applied the changes.
> 
> One question though: I suppose the original /var/run/spamass-milter must be kept
> in place for the milter socket file? The rest can be deleted?  

Yes. You'd want to move the .spamassassin directory to /var/lib/spamass-milter to retain your preferences/bayes stuff. Is there anything else there apart from the socket?

Comment 16 Eddie Lania 2009-03-17 21:09:00 UTC
There is also a .pyzor and a .razor directory.

I copied them over to the new location as well.

It seems to me it is safe to remove them from the old /var/run/spamass-milter directory too since they do not seem to change anymore (date/time stamps/size).

In the new location /var/lib/spamass-milter I can see that they do change.

As far as I can see, the only thing that remains in /var/run/spamass-milter is the milter sock file.

Regards,

Eddie.

Comment 17 Paul Howarth 2009-03-17 21:16:14 UTC
That looks good then.

The underlying problem, by the way, was that all files under /var/run are deleted at boot time in rc.sysinit.
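
The relocation worked out in comments 11 to 16 for a system without SELinux, collected here as an added example (it is not part of the bug thread or of the spamass-milter package). The paths and the sa-milt account are the ones given in the thread; the function names are assumptions of this example, and volatile_homes goes one step further by listing every account in a passwd-format file whose home sits under /var/run.

```shell
#!/bin/sh
# Added example: move spamass-milter state out of /var/run (non-SELinux case).
# Function names are hypothetical; paths and the sa-milt user are from the thread.

# Print "user:home" for each account in a passwd-format file ($1) whose
# home directory is /var/run or below it, i.e. is emptied at boot.
volatile_homes() {
    awk -F: '$6 == "/var/run" || index($6, "/var/run/") == 1 { print $1 ":" $6 }' "$1"
}

# Copy the per-user state directories from OLD ($1) to NEW ($2).
# NEW is created with mode 0755; the socket and anything else stay in OLD.
migrate_state() {
    old=$1 new=$2
    mkdir -p "$new" && chmod 0755 "$new" || return 1
    for d in .spamassassin .razor .pyzor; do
        [ -d "$old/$d" ] || continue      # not every setup uses razor/pyzor
        cp -a "$old/$d" "$new/" || return 1
    done
}

# The whole procedure; must be run as root on the mail server.
# /var/run/spamass-milter itself is kept because the milter socket lives there.
relocate_milter_home() {
    service spamass-milter stop
    migrate_state /var/run/spamass-milter /var/lib/spamass-milter &&
        chown -R sa-milt:sa-milt /var/lib/spamass-milter &&
        usermod --home /var/lib/spamass-milter sa-milt
    rc=$?
    service spamass-milter start          # restart even if a step failed
    return $rc
}
```

Running `volatile_homes /etc/passwd` before and after `relocate_milter_home` shows whether sa-milt (or any other account) still keeps its home in a directory that is cleared at boot.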

Comment 18 Eddie Lania 2009-03-28 10:29:42 UTC
Rebooted a few times now. No problems.

SELinux however does complain a lot.

I opened a bug for it: https://bugzilla.redhat.com/show_bug.cgi?id=492550

Regards,

Eddie.

Comment 19 Fedora Update System 2009-04-03 15:43:53 UTC
spamass-milter-0.3.1-13.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc10

Comment 20 Fedora Update System 2009-04-03 15:47:27 UTC
spamass-milter-0.3.1-13.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/spamass-milter-0.3.1-13.fc9

Comment 21 Fedora Update System 2009-04-22 20:28:25 UTC
spamass-milter-0.3.1-13.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2009-04-24 19:55:09 UTC
spamass-milter-0.3.1-13.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.