Bug 665586
| Summary: | SELinux is preventing /usr/bin/perl from 'append' accesses on the file /razor-agent.log. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Griffiths <fedora.jrg01> |
| Component: | perl-Razor-Agent | Assignee: | Robert Scheck <redhat-bugzilla> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 14 | CC: | dwalsh, mgrepl, perl-devel, redhat-bugzilla |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:e918a3962385a0e6554eeac3b882cdfac764375abed4903b847b0950f2f66d11 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-12-30 01:25:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Why is the razor log file in /? It should be under /var/log.

I have no idea why. A fresh install of Fedora 14 puts it there.

Is this file created by perl-Razor?

It is created by perl-Razor-Agent. The only reference to the file "razor-agent.log" is in file /usr/share/perl5/Razor2/Client/Config.pm .

/usr/share/perl5/vendor_perl/Razor2/Client/Config.pm:
    [...]
    sub default_agent_conf {
        my $self = shift;
        #
        # These get overwritten by whatever's in config file,
        # which in turn gets overwritten by cmd-line options.
        #
        my $defaults = {
            debuglevel           => "3",
            logfile              => "razor-agent.log",
            listfile_catalogue   => "servers.catalogue.lst",
            listfile_nomination  => "servers.nomination.lst",
            listfile_discovery   => "servers.discovery.lst",
            min_cf               => "ac",
            turn_off_discovery   => "0",
            ignorelist           => "0",
            razordiscovery       => "discovery.razor.cloudmark.com",
            rediscovery_wait     => "172800",
            report_headers       => "1",
            whitelist            => "razor-whitelist",
            use_engines          => "4, 8",
            identity             => "identity",
            logic_method         => 4,
        };
    [...]
From my point of view, the reporter simply did not configure razor, just
installed it. If I'm wrong, please provide e.g. razor-agent.conf and how
it is included/enabled in your setup (SpamAssassin maybe)? If related to
SpamAssassin, you might want to read e.g. the following:
- http://wiki.apache.org/spamassassin/RazorSiteWide
- http://linux.die.net/man/5/razor-agent.conf
Never had the problem before Fedora 14.

http://koji.fedoraproject.org/koji/packageinfo?packageID=3205 will show you that perl-Razor-Agent did not change for nearly ages now. All that happened are some mass-rebuilds, but that didn't affect anything. Please provide your configuration and/or more details.

Pardon my ignorance. I installed Postfix, spamassassin, clamav, spambayes, and perl-Razor-Agent many years ago originally under Suse and then moved to Fedora Core, I think with FC4. I do not remember doing much of anything to configure perl-Razor-Agent directly ever. I had to enable and do some edits in freshclam.conf, amavisd.conf, dovecot.conf. Had to modify and compile the database files and the master.cf and main.cf files for Postfix. But I never remember doing anything to configure razor. All has seemed to work OK over the years. Guess I must have missed properly configuring razor. It was not until Fedora 14 that selinux started complaining about razor-agent.log. Guess it is lucky it did or I would have gone on thinking all was OK. Thanks. I'll give configuring a try and see how it goes.

Appears that razor-agent.log was created in / on the first install and never appended to after that. Razor-agent home is in /var/spool/amavisd/.razor and there is a log file in there that is being appended to, although I never see an actual registration in the beginning of the file. I do see conf files:
- server.c301.cloudmark.com.conf
- server.c302.cloudmark.com.conf
- server.c303.cloudmark.com.conf
and these files as well:
- servers.catalogue.lst
- servers.discovery.lst
- servers.nomination.lst
So I have no idea how these got installed or configured, but it all seems to work. I deleted the razor-agent.log that was created in / . I'll see if this makes the selinux alert go away.

Since deleting /razor-agent.log the sealert no longer occurs.
SELinux is preventing /usr/bin/perl from 'append' accesses on the file /razor-agent.log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed append access on the razor-agent.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:spamd_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /razor-agent.log [ file ]
Source                        spamd
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.2-140.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-72.fc14.i686.PAE #1 SMP Mon Dec 20 21:47:25 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Wed 22 Dec 2010 04:32:40 AM EST
Last Seen                     Fri 24 Dec 2010 05:21:13 AM EST
Local ID                      c380924d-028f-446b-90a1-9ab37ed94592

Raw Audit Messages
type=AVC msg=audit(1293186073.579:51589): avc: denied { append } for pid=14479 comm="spamd" name="razor-agent.log" dev=dm-3 ino=14 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

spamd,spamd_t,etc_runtime_t,file,append

type=SYSCALL msg=audit(1293186073.579:51589): arch=i386 syscall=open success=no exit=EACCES a0=aded298 a1=8441 a2=1b6 a3=0 items=0 ppid=14477 pid=14479 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=712 comm=spamd exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)

spamd,spamd_t,etc_runtime_t,file,append

#============= spamd_t ==============
allow spamd_t etc_runtime_t:file append;
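The catchall plugin's audit2allow suggestion would have granted spamd_t append on every etc_runtime_t file, when the real problem was a log file created in / by an unconfigured relative `logfile` default. Here is an added Python example (not from the bug report or from setroubleshoot) that parses the quoted type=AVC record, reconstructs the rule the catchall would emit, and flags the denial as a misplaced file rather than a policy gap; the LOG_TYPES set and the triage labels are assumptions for illustration.

```python
import re
from typing import Dict

# Constructed sample input: the type=AVC record quoted in this bug report.
SAMPLE_AVC = (
    'type=AVC msg=audit(1293186073.579:51589): avc: denied { append } for pid=14479 '
    'comm="spamd" name="razor-agent.log" dev=dm-3 ino=14 '
    'scontext=system_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')

# Assumed allow-list: SELinux types under which a daemon's own log file is expected to live.
LOG_TYPES = {"var_log_t"}


def parse_avc(record: str) -> Dict[str, object]:
    """Split one type=AVC denial into its permission set and key=value fields."""
    denied = _DENIED.search(record)
    if denied is None:
        raise ValueError("not an AVC denial record")
    fields: Dict[str, object] = {k: v.strip('"') for k, v in _KV.findall(record)}
    # A context is user:role:type[:level]; allow rules are written against the type.
    fields["source_type"] = str(fields["scontext"]).split(":")[2]
    fields["target_type"] = str(fields["tcontext"]).split(":")[2]
    fields["perms"] = denied.group(1).split()
    return fields


def catchall_rule(fields: Dict[str, object]) -> str:
    """The allow rule audit2allow would emit for this denial, i.e. what the catchall suggests."""
    perms = " ".join(fields["perms"])
    return f"allow {fields['source_type']} {fields['target_type']}:{fields['tclass']} {perms};"


def triage(fields: Dict[str, object]) -> str:
    """Classify a file denial: a daemon writing to a non-log type points at a misplaced
    or mislabelled file (fix the path or label), not at a missing policy rule."""
    if fields["tclass"] != "file":
        return "other"
    if fields["target_type"] in LOG_TYPES:
        return "policy-gap"      # denied on a real log file: worth a bug report
    return "misplaced-file"      # e.g. etc_runtime_t in /: do not install the rule


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(catchall_rule(parsed), "->", triage(parsed))
```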