Bug 360041 - SELinux prevents spamassassin from creating files in /var/lib/spamassassin and NFS home dirs
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All Linux
Priority: low Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-31 08:18 EDT by Leonid Zeitlin
Modified: 2007-12-10 16:06 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-12-10 16:06:24 EST
Description Leonid Zeitlin 2007-10-31 08:18:13 EDT
Description of problem:
1. Spamassassin can store its Bayes database and auto-whitelist either in user 
home directories or in a shared location. In the latter case the shared 
location usually is in /var/lib/spamassassin. However, SELinux prevents 
Spamassassin from creating files in this directory. As a result Spamassassin 
can't create/update its auto-whitelist and create/update Bayes database, which 
limits its functionality.

Example of error message logged by spamassassin:

spamd[2972]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /var/lib/spamassassin/auto-whitelist.lock.hostname.2972 for /var/lib/spamassassin/auto-whitelist.lock: Permission denied

By trial and error the following rules were found to allow the necessary access 
to /var/lib/spamassassin:

allow spamd_t spamd_var_lib_t:dir { write remove_name add_name };
allow spamd_t spamd_var_lib_t:file { write rename create unlink link append setattr };

2. Spamassassin automatically creates a .spamassassin directory in the user's 
home directory. However, if the home directory is mounted via NFS, SELinux 
prevents Spamassassin from creating this directory. 

The following error messages are logged by spamd:
Oct 30 14:24:19 hostname spamd[10324]: spamd: creating default_prefs: /home/lz/.spamassassin/user_prefs
Oct 30 14:24:19 hostname spamd[10324]: config: cannot write to /home/lz/.spamassassin/user_prefs: No such file or directory
Oct 30 14:24:19 hostname spamd[10324]: spamd: failed to create readable default_prefs: /home/lz/.spamassassin/user_prefs

The following rule was found to help:

allow spamd_t nfs_t:dir create;

Version-Release number of selected component (if applicable):
spamassassin-3.2.2-2.fc7
selinux-policy-2.6.4-48.fc7
selinux-policy-targeted-2.6.4-48.fc7


How reproducible:
Always

Steps to Reproduce:
1. Set up spamassassin to store auto-whitelist and Bayes database in a shared 
location, i.e. have the following in /etc/mail/spamassassin/local.cf:

auto_whitelist_path /var/lib/spamassassin/auto-whitelist
bayes_path /var/lib/spamassassin/bayes

2. Start spamd service
  
Actual results:
Auto-whitelist is not created. Error is logged by spamd (see "Description of 
problem" above)

Expected results:
Auto-whitelist is created.

Additional info:
When all audit messages are enabled (with semodule -b enableaudit.pp), spamd 
also complains that it wants to "name_bind" to a "hi_reserved_port_t". Don't 
know if this is a problem or not, since no visible problems were observed.
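
Added example, not part of the original report: instead of finding rules by trial and error, the denied permissions can be read from the AVC records in the audit log and grouped into candidate allow rules, which is what the audit2allow tool does. The log lines below are constructed for illustration; only the types spamd_t, spamd_var_lib_t and nfs_t come from the report.

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the bug report); only the SELinux types
# spamd_t, spamd_var_lib_t and nfs_t are taken from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1193746459.101:41): avc:  denied  { write } for  pid=2972 comm="spamd" name="spamassassin" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1193746459.102:42): avc:  denied  { add_name } for  pid=2972 comm="spamd" name="auto-whitelist.lock" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1193746459.103:43): avc:  denied  { create } for  pid=2972 comm="spamd" name="auto-whitelist.lock" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1193746460.200:44): avc:  denied  { create } for  pid=10324 comm="spamd" name=".spamassassin" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1193746460.200:44): arch=40000003 syscall=39 success=no exit=-13
type=AVC msg=audit(1193746461.300:45): avc:  granted  { read } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field (third colon-separated field) of a security context."""
    return context.split(":")[2]

def denials_to_rules(log_text, source_type=None):
    """Group AVC denials into one allow rule per (source type, target type, class)."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, "granted" records, unrelated lines
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        if source_type and src != source_type:
            continue  # only report denials for the domain under investigation
        wanted[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(wanted.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG, source_type="spamd_t"):
        print(rule)
```

The output is a list of candidates to review against what the daemon actually needs, not a policy to load as generated.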
Comment 1 Daniel Walsh 2007-10-31 09:40:47 EDT
Is the use_nfs_home_dirs boolean turned on?

getsebool use_nfs_home_dirs

Turn it on with the following command

setsebool -P use_nfs_home_dirs 1

I will fix the auto-whitelist problem in the next update

Fixed in selinux-policy-2.6.4-52
Comment 2 Leonid Zeitlin 2007-10-31 13:08:54 EDT
Thank you, but use_nfs_home_dirs is actually on. I think fs_manage_nfs_files 
doesn't allow creating directories.
Comment 3 Daniel Walsh 2007-11-01 13:45:41 EDT
You're right, sorry about that. I will add this ability in 

Fixed in selinux-policy-2.6.4-53
Comment 4 Leonid Zeitlin 2007-12-10 09:55:47 EST
Sorry for the delay in testing. Now I am running selinux-policy-2.6.4-59.fc7. The 
issue is fixed.
