Description of problem: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: Permission non accordée at (eval 38) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission non accordée at (eval 39) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WhiteListSubject.pm: Permission non accordée at (eval 40) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEHeader.pm: Permission non accordée at (eval 41) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ReplaceTags.pm: Permission non accordée at (eval 42) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DKIM.pm: Permission non accordée at (eval 43) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Check.pm: Permission non accordée at (eval 44) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTTPSMismatch.pm: Permission non accordée at (eval 45) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIDetail.pm: Permission non accordée at (eval 46) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/Bayes.pm: Permission non accordée at (eval 47) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/BodyEval.pm: Permission non accordée at (eval 48) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/DNSEval.pm: Permission non accordée at (eval 49) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HTMLEval.pm: Permission non accordée at (eval 50) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/HeaderEval.pm: Permission non accordée at (eval 51) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/MIMEEval.pm: Permission non accordée at (eval 52) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/RelayEval.pm: Permission non accordée at (eval 53) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/URIEval.pm: Permission non accordée at (eval 54) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission non accordée at (eval 55) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: Permission non accordée at (eval 56) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/ImageInfo.pm: Permission non accordée at (eval 57) line 1. plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/FreeMail.pm: Permission non accordée at (eval 58) line 1. Version-Release number of selected component (if applicable): spamassassin-3.3.2-17.fc20.x86_64 How reproducible: Every time
Can't duplicate here. Any selinux denials? Anything from 'rpm -V spamassassin' ?
# rpm -V spamassassin prelink: /usr/bin/spamc: at least one of file's dependencies has changed since prelinking S.?...... /usr/bin/spamc missing /var/run/spamassassin ausearch -m AVC -ts '13:30' ---- time->Mon Sep 16 17:02:10 2013 type=SYSCALL msg=audit(1379343730.497:57): arch=c000003e syscall=2 success=no exit=-13 a0=3d529e0 a1=441 a2=1b6 a3=0 items=0 ppid=986 pid=1046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=2F7573722F62696E2F7370616D6420 exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0 key=(null) type=AVC msg=audit(1379343730.497:57): avc: denied { append } for pid=1046 comm=2F7573722F62696E2F7370616D6420 name="razor-agent.log" dev="dm-0" ino=4115 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file ---- time->Mon Sep 16 17:08:10 2013 type=SYSCALL msg=audit(1379344090.450:128): arch=c000003e syscall=248 success=no exit=-13 a0=300928b6c3 a1=300928b6e8 a2=0 a3=0 items=0 ppid=1 pid=1935 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 ses=4294967295 tty=(none) comm="goa-daemon" exe="/usr/libexec/goa-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1379344090.450:128): avc: denied { write } for pid=1935 comm="goa-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=key ---- time->Mon Sep 16 17:08:10 2013 type=SYSCALL msg=audit(1379344090.921:129): arch=c000003e syscall=248 success=no exit=-13 a0=300928b6c3 a1=300928b6e8 a2=0 a3=0 items=0 ppid=1 pid=1942 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 ses=4294967295 tty=(none) comm="pool" exe="/usr/libexec/goa-daemon" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1379344090.921:129): avc: denied { write } for pid=1942 comm="pool" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=key
ok, none of those look related. Can you strace it and attach the strace output?
It seems the cron job does a /sbin/runuser user -c '/usr/bin/sa-learn --sync' after learning all new spam and indeed that's the failing part. Attaching strace
Created attachment 798385 [details] strace
Odd. That works just fine here as well. Anything in /var/log/secure ? The strace seems to differ at: 32017 chdir("/") = 0 32018 set_robust_list(0x7f64dddf6a20, 24 <unfinished ...> 32017 rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], <unfinished ...> 32018 <... set_robust_list resumed> ) = 0 32017 <... rt_sigprocmask resumed> NULL, 8) = 0 32017 rt_sigaction(SIGTERM, {0x4024f0, [], SA_RESTORER, 0x7f64dd446cd0}, NULL, 8) = 0 32017 rt_sigprocmask(SIG_UNBLOCK, [INT QUIT ALRM TERM], NULL, 8) = 0 32017 rt_sigaction(SIGINT, {0x4024f0, [], SA_RESTORER, 0x7f64dd446cd0}, NULL, 8) = 0 32017 rt_sigaction(SIGQUIT, {0x4024f0, [], SA_RESTORER, 0x7f64dd446cd0}, NULL, 8) = 0 32017 wait4(32018, <unfinished ...> 32018 setgid(100037) = 0 32018 setuid(100037) = 0 32018 setsid() = 32018 32018 open("/etc/defaults/runuser", O_RDONLY) = -1 ENOENT (No such file or directory) 32018 open("/etc/login.defs", O_RDONLY) = 4 32018 fstat(4, {st_mode=S_IFREG|0644, st_size=2045, ...}) = 0 32018 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f64dddf5000 32018 read(4, "#\n# Please note that the paramet"..., 4096) = 2045 32018 read(4, "", 4096) = 0 32018 close(4) = 0 32018 munmap(0x7f64dddf5000, 4096) = 0 32018 execve("/bin/bash", ["bash", "-c", "/usr/bin/sa-learn --sync"], [/* 25 vars */]) = 0
(In reply to Kevin Fenzi from comment #6) > Odd. That works just fine here as well. > > Anything in /var/log/secure ? nothing except the expected Sep 16 20:45:01 arekh runuser: pam_unix(runuser:session): session opened for user nim by (uid=0) Sep 16 20:45:02 arekh runuser: pam_unix(runuser:session): session closed for user nim
Can you do a: /sbin/runuser user -c 'perl -V' and we can see if there's some other @INC in there or something... and also that runuser otherwise works?
# /sbin/runuser nim -c 'perl -V' Summary of my perl5 (revision 5 version 18 subversion 1) configuration: Platform: osname=linux, osvers=3.10.9-200.fc19.x86_64, archname=x86_64-linux-thread-multi uname='linux buildvm-10.phx2.fedoraproject.org 3.10.9-200.fc19.x86_64 #1 smp wed aug 21 19:27:58 utc 2013 x86_64 x86_64 x86_64 gnulinux ' config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -Dshrpdir=/usr/lib64 -DDEBUGGING=-g -Dversion=5.18.1 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5 -Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl -Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl -Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Duseshrplib -Dusethreads -Duseithreads -Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin -Dusesitecustomize' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic', cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.8.1 20130909 (Red Hat 4.8.1-8)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='gcc', ldflags =' -fstack-protector' libpth=/usr/local/lib64 /lib64 /usr/lib64 libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=, so=so, useshrplib=true, libperl=libperl.so gnulibc_version='2.18.90' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,--enable-new-dtags' cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro ' Characteristics of this binary (from libperl): Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS PERL_DONT_CREATE_GVSV PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP PERL_PRESERVE_IVUV PERL_SAWAMPERSAND USE_64_BIT_ALL USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF USE_REENTRANT_API USE_SITECUSTOMIZE Locally applied patches: Fedora Patch1: Removes date check, Fedora/RHEL specific Fedora Patch3: support for libdir64 Fedora Patch4: use libresolv instead of libbind Fedora Patch5: USE_MM_LD_RUN_PATH Fedora Patch6: Skip hostname tests, due to builders not being network capable Fedora Patch7: Dont run one io test due to random builder failures Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054) Fedora Patch10: Update h2ph(1) documentation (RT#117647) Fedora Patch11: Update pod2html(1) documentation (RT#117623) Fedora Patch12: Disable ornaments on perl5db AutoTrace tests (RT#118817) Fedora Patch14: Do not use system Term::ReadLine::Gnu in tests (RT#118821) Fedora Patch15: Define SONAME for libperl.so Fedora Patch16: Install libperl.so to -Dshrpdir value Fedora Patch17: Fix rules for parsing numeric escapes in regexes Fedora Patch18: Fix crash with \&$glob_copy (RT#119051) Fedora Patch19: Fix coreamp.t rand test (RT#118237) Fedora Patch20: Reap child in case where exception has been thrown (RT#114722) Fedora Patch21: Fix using regular expressions containing multiple code blocks (RT#117917) Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux Built under linux Compiled at Sep 11 2013 12:12:28 @INC: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5
That looks normal/right. Does sa-learn run fine as that user without using runuser?
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
I get the same 'permission denied' when running as root: su -c 'sa-learn --dbpath /home/bill/.spamassassin -p /home/bill/.spamassassin/user_prefs --spam /home/bill/Maildir/.SystemFolders.Spam/cur' bill which is strange because when running with the sa-learn -D option sa-learn shows it has already loaded some modules from the plugin directory: Jul 26 03:06:54.935 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC Jul 26 03:06:54.940 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC Jul 26 03:06:54.945 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC Jul 26 03:06:54.948 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC Jul 26 03:06:54.951 [30440] dbg: pyzor: network tests on, attempting Pyzor Jul 26 03:06:54.951 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC Jul 26 03:06:54.953 [30440] dbg: razor2: razor2 is not available Jul 26 03:06:54.953 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/SpamCop.pm: lib/Mail/SpamAssassin/Plugin/SpamCop.pm: Permission denied at (eval 32) line 1. Jul 26 03:06:54.953 [30440] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: lib/Mail/SpamAssassin/Plugin/AutoLearnThreshold.pm: Permission denied at (eval 33) line 1. However, still running as root, this works with no errors: su -c 'sa-learn --dbpath /home/bill/.spamassassin -p /home/bill/.spamassassin/user_prefs --spam /home/bill/Maildir/.SystemFolders.Spam/cur' - bill NOTICE the dash before the username (bill). It's choking on the leftover environment of root which is eliminated by su if the dash is included. Note, my bash script ran without errors on Fedora 17. I suspect it's because /etc/sudoers has these lines in Fedora 17 which aren't in Fedora 22: Defaults requiretty Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin Bill
well, su doesn't read/care about sudoers config that I know of. ;) So, if the same invocation (without -) worked in previous releases, perhaps this is a change in su behavior?
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
I had this problem on Fedora 23 as well. I worked out what was causing it. sa-learn will fail if cwd is not readable. When started using su (and not su -) then it will keep the cwd which is likely to be /root, and it cannot read /root as that is not world readable and gives permission denied for non-root users. Changing the cwd to any other directory which is readable, such as /, or by using su - which will change to the home directory, results in it working fine. This certainly used to work in older releases. I don't know what changed to break it. I don't think su is implicated, I see that . is on the search path with perl -V and maybe that is a change, or some other behaviour change where perhaps it used to ignore entries on the path which were permission denied and now it is a hard failure. Ideally sa-learn would work properly even if . is not readable, or would at the very least give some useful error message.