The following was filed automatically by setroubleshoot:

Résumé:
SELinux is preventing spamd (spamd_t) "append" etc_runtime_t.

Description détaillée:
SELinux denied access requested by spamd. It is not expected that this access is required by spamd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Autoriser l'accès:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Informations complémentaires:
Contexte source               unconfined_u:system_r:spamd_t:s0
Contexte cible                system_u:object_r:etc_runtime_t:s0
Objets du contexte            /razor-agent.log [ file ]
source                        spamd
Chemin de la source           /usr/bin/perl
Port                          <Inconnu>
Hôte                          (removed)
Paquetages RPM source         perl-5.10.0-77.fc12
Paquetages RPM cible
Politique RPM                 selinux-policy-3.6.26-2.fc12
Selinux activé                True
Type de politique             targeted
MLS activé                    True
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                 (removed)
Plateforme                    Linux (removed) 2.6.31-0.112.rc4.git3.fc12.x86_64 #1 SMP Thu Jul 30 15:29:28 EDT 2009 x86_64 x86_64
Compteur d'alertes            4
Première alerte               sam. 25 juil. 2009 16:19:31 CEST
Dernière alerte               ven. 31 juil. 2009 20:14:55 CEST
ID local                      cdf7266b-4302-458b-96a8-228386ce57fe
Numéros des lignes

Messages d'audit bruts
node=(removed) type=AVC msg=audit(1249064095.864:50): avc: denied { append } for pid=2438 comm="spamd" name="razor-agent.log" dev=dm-3 ino=21809 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1249064095.864:50): arch=c000003e syscall=2 success=no exit=-13 a0=5520288 a1=441 a2=1b6 a3=7f4c8a1428e0 items=0 ppid=2436 pid=2438 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)

audit2allow suggests:
#============= spamd_t ==============
allow spamd_t etc_runtime_t:file append;
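Added example (not part of the original report or of setroubleshoot): a small parser for the raw AVC record above that flags write-type denials on a `*.log` file whose target label is not a log type, which is the pattern this report shows. The `_log_t` suffix check and the second sample line are assumptions made for this example.

```python
import re

# First line: the AVC record from the report above. Second line: constructed
# for this example (a read denial that must not be flagged).
SAMPLE_LINES = [
    'node=(removed) type=AVC msg=audit(1249064095.864:50): avc: denied { append } '
    'for pid=2438 comm="spamd" name="razor-agent.log" dev=dm-3 ino=21809 '
    'scontext=unconfined_u:system_r:spamd_t:s0 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=AVC msg=audit(0.000:1): avc: denied { read } for pid=1 comm="example" '
    'name="example.conf" scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_PERMS = {'append', 'write', 'create'}

def _type_of(context):
    # An SELinux context is user:role:type[:level]; the type is the third field.
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''

def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['source_type'] = _type_of(rec.get('scontext', ''))
    rec['target_type'] = _type_of(rec.get('tcontext', ''))
    return rec

def looks_like_misplaced_log(rec):
    # Heuristic (assumption): a write-type denial on a *.log file whose label
    # is not a *_log_t type suggests the file is in the wrong directory.
    return (rec.get('tclass') == 'file'
            and bool(WRITE_PERMS & set(rec['perms']))
            and rec.get('name', '').endswith('.log')
            and not rec['target_type'].endswith('_log_t'))

def triage(lines):
    """Return one summary string per denial that matches the heuristic."""
    recs = (parse_avc(line) for line in lines)
    return ['%s (%s) denied %s on %s labelled %s' % (
                r.get('comm', '?'), r['source_type'], ','.join(r['perms']),
                r['name'], r['target_type'])
            for r in recs if r and looks_like_misplaced_log(r)]

if __name__ == '__main__':
    for finding in triage(SAMPLE_LINES):
        print(finding)
```
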
Why do you have the razor-agent.log file in the / directory? This log file should be in /var/log and then the tools will work.
(In reply to comment #1)
> Why do you have the razor-agent.log file in the / directory?
>
> This log file should be in /var/log and then the tools will work.

That's probably a problem in the way spamassassin calls razor
It's a problem with how you are calling spamassassin. ;) What's your setup there? How are you calling spamc? What arguments? If you run spamc as root and don't pass it -u username it will run the check as root, and save your razor log in ~/razor-agent.log.
Even if it was run as root (and I don't think that's the case, need to check local scripts a bit more), why would it write in / and not /root ?
Good question. ;) Perhaps it was running as nobody or some user that has / as a homedir?
After suspecting several custom spamassassin cron scripts it turns out the origin is much simpler

> SELinux is preventing /usr/bin/perl "append" access on /razor-agent.log.

is triggered by a simple /etc/init.d/spamassassin restart

So the problem is in our own spamassassin or pyzor package
(this system was reinstalled from scratch after the glibc prelink debacle of a few months ago, so I'm 95% sure there are no local customizations involved)
Looks like it's pyzor:

    if log:
        sys.stderr = open(homedir + "/pyzor.log", 'a')
        sys.stderr.write("\npyzor[" + repr(os.getpid()) + "]:\n")

It should probably start with --log set to /var/log/pyzor.log or something.

Switching over to pyzor package for the maintainer to look at.
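Added example (not pyzor's code and not from this thread): the concatenation quoted above produces a path in the filesystem root whenever `homedir` is empty or `/`, so a log-path helper can refuse such values before opening anything. The function names and the optional `fallback_dir` parameter are hypothetical.

```python
import os

def naive_log_path(homedir, name="pyzor.log"):
    # Same string concatenation as the snippet quoted above.
    return homedir + "/" + name

def _usable_dir(path):
    """Return the resolved directory if it is a safe place for a log, else None."""
    if not path or not os.path.isabs(path):
        return None              # unset or relative home directory
    real = os.path.realpath(path)
    if real == os.path.sep:
        return None              # never log into the filesystem root
    if not os.path.isdir(real):
        return None
    if not os.access(real, os.W_OK | os.X_OK):
        return None              # the daemon cannot create files there
    return real

def safe_log_path(homedir, name="pyzor.log", fallback_dir=None):
    """Pick a log path under homedir, then under fallback_dir, else None.

    Returning None means "do not redirect stderr at all", which is
    preferable to silently creating a log file in "/".
    """
    for candidate in (homedir, fallback_dir):
        real = _usable_dir(candidate)
        if real is not None:
            return os.path.join(real, os.path.basename(name))
    return None

if __name__ == "__main__":
    print(naive_log_path(""))    # shows where an empty homedir leads
    print(safe_log_path(""))     # no usable directory, so no log path
```
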
So it should default homedir to /var/log or something.
This really should be in homedirs. These are logging mail events personal to the user.
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
*** Bug 580691 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This is still happening in Fedora 14. Bug needs to be updated to 14.
This is still happening in Fedora 15. Bug needs to be updated to 15.
And this is on i686 as well.
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Hello,

I found this bug report as I am observing the same issue on RHEL 6.5. Once I have installed spamassassin on an SELinux-enabled server, the razor component is writing its own logs in /razor-agent.log instead of the home directory of the user which executed spamd (spamd "-H" parameter without value - root by default).

The behavior is as follows:

1. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H" (i.e. without defining a specific home directory) and with _enforcing_ selinux mode, razor is using /razor-agent.log as the log file.

2. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H" (i.e. without defining a specific home directory) and with _permissive_ selinux mode, razor is using /root/.razor/razor-agent.log as the log file.

3. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H /etc/mail/spamassassin/home-dir/" and with _enforcing_ selinux mode, razor is using /etc/mail/spamassassin/home-dir/.razor/razor-agent.log as the log file. I have to use the "spamd_spool_t" context for "/etc/mail/spamassassin/home-dir(/.*)".

3. "/etc/sysconfig/spamassassin": SPAMDOPTIONS="-d -c -m5 -H " and with _enforcing_ selinux mode, razor is using /razor-agent.log as the log file even if I have used the "spamd_spool_t" context for "/root/.razor(/.*)".

Maybe the whole spamd directory has to be writable by spamd in order to be used for other components like razor and so on. But because it is not writable (as SELinux disallows writing to /root/ for spamd), it decides not to provide homedir for components.

Currently the most acceptable choice is to have its own explicit spamd home directory where the razor log will be included as well on an selinux enforcing system. Having razor-agent.log in the "/" directory is really not a desirable state.
Could you open a new bug for it?
It is done -> BZ#1058772