Bug 1367848 - razor2 check failed, invalid argument since upgrade to FC24
Summary: razor2 check failed, invalid argument since upgrade to FC24
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Razor-Agent
Version: 25
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-17 16:00 UTC by dan
Modified: 2016-12-07 14:00 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-07 14:00:24 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description dan 2016-08-17 16:00:10 UTC 
Description of problem:

After a recent upgrade to FC24, I have started seeing many of the following in the journal:

spamd[1708]: razor2: razor2 check failed: Invalid argument razor2: razor2 had unknown error during get_server_info at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 187. at /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 330.


Occurs on all inbound email to sendmail.  Email is then further processed and ends up at its destination mailbox.

Razor home directory exists at /var/spool/spamassassin/.razor.

razor-admin -v
Razor Agents 2.84, protocol version 3
Comment 1 dan 2016-08-17 17:44:39 UTC 
In investigating further, I noticed that the pacakage which installed razor did not perform the registration step.  So I performed the following:

sudo razor-admin -home /var/spool/spamassassin/.razor -create
sudo razor-admin -home /var/spool/spamassassin/.razor -discover
sudo razor-admin -home /var/spool/spamassassin/.razor -register

Next, I sent a test email to my system.  Email was received but the follwoing was observed:

Aug 17 13:27:09 zzzz.private setroubleshoot[7986]: failed to retrieve rpm info for /var/spool/spamassassin/.razor/identity
Aug 17 13:27:10 zzzz.private setroubleshoot[7986]: SELinux is preventing 7370616D64206368696C64 from getattr access on the lnk_file /var/spool/spamassassin/.razor/identity. For complete SELinux messages. run sealert -l 18943e08-7857-4327-9740-838113738d5f
Aug 17 13:27:10 zzzz.private python3[7986]: SELinux is preventing 7370616D64206368696C64 from getattr access on the lnk_file /var/spool/spamassassin/.razor/identity.
                                            
                                            *****  Plugin catchall (100. confidence) suggests   **************************
                                            
                                            If you believe that 7370616D64206368696C64 should be allowed getattr access on the identity lnk_file by default.
                                            Then you should report this as a bug.
                                            You can generate a local policy module to allow this access.
                                            Do
                                            allow this access for now by executing:
                                            # ausearch -c '7370616D64206368696C64' --raw | audit2allow -M my-7370616D64206368696C64
                                            # semodule -X 300 -i my-7370616D64206368696C64.pp
Comment 2 dan 2016-08-31 11:42:07 UTC 
When I attempt to execute the above recommended work around, there are no matches.

ausearch -c '7370616D64206368696C64' --raw | audit2allow -M my-7370616D64206368696C64
Nothing to do

ausearch -c '7370616D64206368696C64'
<no matches>
Comment 3 dan 2016-11-05 00:48:19 UTC 
Any hope of moving this forward?
Comment 4 Adam Williamson 2016-11-24 22:34:33 UTC 
I've filed a bug on the SELinux part of this, as I ran into it too. I didn't see the other thing you saw.
Comment 5 Robert Scheck 2016-11-29 07:09:30 UTC 
(In reply to dan from comment #0)
> spamd[1708]: razor2: razor2 check failed: Invalid argument razor2: razor2
> had unknown error during get_server_info at
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 187. at
> /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/Razor2.pm line 330.

This just reads a bit like a local firewall issue.

(In reply to Adam Williamson from comment #4)
> I've filed a bug on the SELinux part of this, as I ran into it too. I didn't
> see the other thing you saw.

That's bug #1398437, right? I'm not sure if /var/spool/mail is really a great
location for a user home directory...where does it come from? Spamd does not
seem to drop privileges by default, but this is "mail" user's home directory.
Comment 6 Adam Williamson 2016-11-29 07:31:09 UTC 
mail is a system user. /var/spool/mail has been kinda the traditional location for mail drops on Linux since, well, ever, so far as I remember. it's in the FHS.

mail is actually one of the *very* few system users considered so core that it's right in the copy of /etc/passwd shipped with the 'setup' package:

https://git.fedorahosted.org/cgit/setup.git/tree/passwd

mail:*:8:12:mail:/var/spool/mail:/sbin/nologin

I just checked and that same line is present in the setup package from FC2:

https://dl.fedoraproject.org/pub/archive/fedora/linux/core/2/x86_64/os/SRPMS/setup-2.5.33-1.src.rpm

(I'd check FC1, but large chunks of FC1 seem to be missing). So, uh, you're probably not going to have a lot of luck arguing that that should be changed, is what I'm saying. :)
Comment 7 dan 2016-11-29 21:54:47 UTC 
Re "reads a bit like a local firewall issue", port 783 is answering, so I'm not certain what else to be looking for.
Comment 8 dan 2016-12-06 19:46:01 UTC 
Exists in FC25.
Comment 9 Adam Williamson 2016-12-06 19:52:30 UTC 
razor seems to work fine on F25 with selinux-policy from updates-testing, for me. maillog shows lots of RAZOR2_* checks.
Comment 10 dan 2016-12-07 14:00:24 UTC 
Working fine as of policy 13.1-225.1.  Ran overnight with no issues, can be closed.  Thank you.
Note You need to log in before you can comment on or make changes to this bug.