Description of problem: since upgrading EL7 system strange DCC messages are occuring. Version-Release number of selected component (if applicable): amavisd-new-2.11.0-1 How reproducible: always Steps to Reproduce: 1. have amavisd+spamassassin+DCC installed Actual results: Jul 19 22:29:57 *** dccproc[29496]: open(/etc/dcc/map): Permission denied Jul 19 22:29:57 *** dccproc[29496]: lock_open(/etc/dcc/whiteclnt.dccx): Permission denied; file not writeable for locking Expected results: Working as before the update Additional info: related systemd unit file changed, 2.11.0-1 added: ProtectSystem=full This prevents dccproc from writing to /etc/dcc "Workaround": reduce restriction to ProtectSystem=true Looks like systemd.exec is missing a feature, because ReadWritePaths=-/etc/dcc is not supported on ProtectSystem=full, only on ProtectSystem=strict (which is even more hard...) Imho "full" should already honor ReadWritePaths
I don't know DCC, but it shouldn't be writing in /etc, should it? can't you configure it to write its data to /var/dcc or similar?
I'm currently using DCC-1.3.145-25.el7.x86_64 from ATrpms It contains $ rpm -ql DCC | grep ^/etc /etc/dcc /etc/dcc/dcc_conf /etc/dcc/flod /etc/dcc/grey_flod /etc/dcc/grey_whitelist /etc/dcc/ids /etc/dcc/log /etc/dcc/map /etc/dcc/map.txt /etc/dcc/whiteclnt /etc/dcc/whitecommon /etc/dcc/whitelist and is used by amavis via spamassassin /usr/share/perl5/vendor_perl/Mail/SpamAssassin/Plugin/DCC.pm spamassassin-3.4.0-2.el7.x86_64 which get it's configuration from /etc/mail/spamassassin/local.cf which contains currently: use_dcc 1 dcc_home /etc/dcc dcc_timeout 10 dcc_add_header 1 => in principle a change would be possible by changing RPM packaging of DCC to move at least files which are candidates to be modified to /var (and perhaps softlink static files from /etc) and then changing spamassassin's config.
btw. RPM packaging layout is the same using dcc from here: https://updates.atomicorp.com/channels/atomic/centos/7/x86_64/RPMS/ dcc-1.3.158-5.el7.art.x86_64.rpm
IMHO is wrong to configure dcc with /etc as its data dir. I disagree to change the current ProtectSystem value. I think it's a good default and the administrator always can override this behaviour.
Just for reference, to change dcc_home to a different location, SpamAssassin/Plugin/DCC.pm need to be extended first: https://bugzilla.redhat.com/show_bug.cgi?id=1532139