Red Hat Bugzilla – Bug 1473017
amavisd-new-2.11.0-1 has issue with DCC, can't write to /etc/dcc
Last modified: 2017-08-07 06:25:31 EDT
Description of problem:
since upgrading EL7 system strange DCC messages are occuring.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. have amavisd+spamassassin+DCC installed
Jul 19 22:29:57 *** dccproc: open(/etc/dcc/map): Permission denied
Jul 19 22:29:57 *** dccproc: lock_open(/etc/dcc/whiteclnt.dccx): Permission denied; file not writeable for locking
Working as before the update
related systemd unit file changed,
This prevents dccproc from writing to /etc/dcc
"Workaround": reduce restriction to
Looks like systemd.exec is missing a feature, because
is not supported on ProtectSystem=full, only on ProtectSystem=strict (which is even more hard...)
Imho "full" should already honor ReadWritePaths
I don't know DCC, but it shouldn't be writing in /etc, should it? can't you configure it to write its data to /var/dcc or similar?
I'm currently using DCC-1.3.145-25.el7.x86_64 from ATrpms
$ rpm -ql DCC | grep ^/etc
and is used by amavis via spamassassin
which get it's configuration from
which contains currently:
=> in principle a change would be possible by changing RPM packaging of DCC to move at least files which are candidates to be modified to /var (and perhaps softlink static files from /etc) and then changing spamassassin's config.
btw. RPM packaging layout is the same using dcc from here:
IMHO is wrong to configure dcc with /etc as its data dir.
I disagree to change the current ProtectSystem value. I think it's a good default and the administrator always can override this behaviour.