Bug 360041 - SELinux prevents spamassassin from creating files in /var/lib/spamassassin and NFS home dirs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-10-31 12:18 UTC by Leonid Zeitlin
Modified: 2007-12-10 21:06 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-10 21:06:24 UTC
Type: ---
Embargoed:



Description Leonid Zeitlin 2007-10-31 12:18:13 UTC
Description of problem:
1. Spamassassin can store its Bayes database and auto-whitelist either in user 
home directories or in a shared location. In the latter case the shared 
location usually is in /var/lib/spamassassin. However, SELinux prevents 
Spamassassin from creating files in this directory. As a result Spamassassin 
can't create/update its auto-whitelist and create/update its Bayes database, which 
limits its functionality.

Example of error message logged by spamassassin:

spamd[2972]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /var/lib/spamassassin/auto-whitelist.lock.hostname.2972 for /var/lib/spamassassin/auto-whitelist.lock: Permission denied

By trial and error the following rules were found to allow the necessary access 
to /var/lib/spamassassin:

allow spamd_t spamd_var_lib_t:dir { write remove_name add_name };
allow spamd_t spamd_var_lib_t:file { write rename create unlink link append setattr };

2. Spamassassin automatically creates a .spamassassin directory in the user's home 
directory. However, if the home directory is mounted via NFS, SELinux prevents 
Spamassassin from creating this directory.

The following error messages are logged by spamd:
Oct 30 14:24:19 hostname spamd[10324]: spamd: creating default_prefs: /home/lz/.spamassassin/user_prefs
Oct 30 14:24:19 hostname spamd[10324]: config: cannot write to /home/lz/.spamassassin/user_prefs: No such file or directory
Oct 30 14:24:19 hostname spamd[10324]: spamd: failed to create readable default_prefs: /home/lz/.spamassassin/user_prefs

The following rule was found to help:

allow spamd_t nfs_t:dir create;

Version-Release number of selected component (if applicable):
spamassassin-3.2.2-2.fc7
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7


How reproducible:
Always

Steps to Reproduce:
1. Set up spamassassin to store the auto-whitelist and Bayes database in a shared 
location, i.e. have the following in /etc/mail/spamassassin/local.cf:

auto_whitelist_path /var/lib/spamassassin/auto-whitelist
bayes_path /var/lib/spamassassin/bayes

2. Start spamd service
  
Actual results:
Auto-whitelist is not created. Error is logged by spamd (see "Description of 
problem" above)

Expected results:
Auto-whitelist is created.

Additional info:
When all audit messages are enabled (with semodule -b enableaudit.pp), spamd 
also complains that it wants to "name_bind" to a "hi_reserved_port_t". Don't 
know if this is a problem or not, since no visible problems were observed.
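As an added example (not part of the bug report or of the Fedora policy), the script below does for constructed AVC denials shaped like this bug's what audit2allow does: it groups denials by source type, target type and object class and renders the allow rules they imply, so rules like the ones above can be read off the audit log instead of found by trial and error. The sample records, pids and contexts are constructed; the nfs_t check reflects the use_nfs_home_dirs boolean discussed in this bug.

```python
import re
from collections import defaultdict

# Constructed sample denials in audit.log shape (not real audit output):
# the directory/file denials under /var/lib/spamassassin and the
# ~/.spamassassin directory creation on an NFS home this bug describes.
SAMPLE_AVC = """\
type=AVC msg=audit(1193833071.123:45): avc:  denied  { add_name } for  pid=2972 comm="spamd" name="auto-whitelist.lock.hostname.2972" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1193833071.123:46): avc:  denied  { create } for  pid=2972 comm="spamd" name="auto-whitelist.lock.hostname.2972" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1193833071.456:47): avc:  denied  { write } for  pid=2972 comm="spamd" name="auto-whitelist" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1193754259.789:48): avc:  denied  { create } for  pid=10324 comm="spamd" name=".spamassassin" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

# Pull the permission set, source type, target type and object class out of
# one AVC record; the user/role and MLS range parts of the contexts are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)"
)


def denials_to_rules(avc_text):
    """Group denials by (source type, target type, class), union the
    permissions and render each group as a type-enforcement allow rule."""
    perms = defaultdict(set)
    for line in avc_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # lines that are not AVC denials are ignored
            perms[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]


def nfs_home_rules(rules):
    """Rules targeting nfs_t deserve a second look before being loaded: on
    Fedora that access is normally granted by the use_nfs_home_dirs boolean
    (setsebool -P use_nfs_home_dirs 1), and a denial that persists with the
    boolean on points at a policy gap, as it did in this bug."""
    return [r for r in rules if " nfs_t:" in r]


if __name__ == "__main__":
    rules = denials_to_rules(SAMPLE_AVC)
    print("\n".join(rules))
    print("check use_nfs_home_dirs for:", nfs_home_rules(rules))
```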

Comment 1 Daniel Walsh 2007-10-31 13:40:47 UTC
Is the use_nfs_home_dirs boolean turned on?

getsebool use_nfs_home_dirs

Turn it on with the following command

setsebool -P use_nfs_home_dirs 1

I will fix the auto-whitelist problem in the next update

Fixed in selinux-policy-2.6.4-52

Comment 2 Leonid Zeitlin 2007-10-31 17:08:54 UTC
Thank you, but use_nfs_home_dirs is actually on. I think fs_manage_nfs_files 
doesn't allow creating directories.

Comment 3 Daniel Walsh 2007-11-01 17:45:41 UTC
You're right, sorry about that. I will add this ability in.

Fixed in selinux-policy-2.6.4-53

Comment 4 Leonid Zeitlin 2007-12-10 14:55:47 UTC
Sorry for the delay in testing. Now I am running selinux-policy-2.6.4-59.fc7. The 
issue is fixed.

