SELinux is preventing /usr/bin/perl from 'append' accesses on the file /razor-agent.log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed append access on the razor-agent.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:spamd_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /razor-agent.log [ file ]
Source                        spamd
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.12.2-140.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-72.fc14.i686.PAE #1 SMP Mon Dec 20 21:47:25 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Wed 22 Dec 2010 04:32:40 AM EST
Last Seen                     Fri 24 Dec 2010 05:21:13 AM EST
Local ID                      c380924d-028f-446b-90a1-9ab37ed94592

Raw Audit Messages
type=AVC msg=audit(1293186073.579:51589): avc: denied { append } for pid=14479 comm="spamd" name="razor-agent.log" dev=dm-3 ino=14 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

spamd,spamd_t,etc_runtime_t,file,append

type=SYSCALL msg=audit(1293186073.579:51589): arch=i386 syscall=open success=no exit=EACCES a0=aded298 a1=8441 a2=1b6 a3=0 items=0 ppid=14477 pid=14479 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=712 comm=spamd exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)

spamd,spamd_t,etc_runtime_t,file,append

#============= spamd_t ==============
allow spamd_t etc_runtime_t:file append;

Why is the razor log file in /? It should be under /var/log.
I have no idea why. A fresh install of Fedora 14 puts it there.
Is this file created by perl-Razor?
It is created by perl-Razor-Agent. The only reference to the file "razor-agent.log" is in file /usr/share/perl5/Razor2/Client/Config.pm .
/usr/share/perl5/vendor_perl/Razor2/Client/Config.pm:

[...]
sub default_agent_conf {
    my $self = shift;

    #
    # These get overwritten by whatever's in config file,
    # which in turn gets overwritten by cmd-line options.
    #
    my $defaults = {
        debuglevel           => "3",
        logfile              => "razor-agent.log",
        listfile_catalogue   => "servers.catalogue.lst",
        listfile_nomination  => "servers.nomination.lst",
        listfile_discovery   => "servers.discovery.lst",
        min_cf               => "ac",
        turn_off_discovery   => "0",
        ignorelist           => "0",
        razordiscovery       => "discovery.razor.cloudmark.com",
        rediscovery_wait     => "172800",
        report_headers       => "1",
        whitelist            => "razor-whitelist",
        use_engines          => "4, 8",
        identity             => "identity",
        logic_method         => 4,
    };
[...]

From my point of view, the reporter simply did not configure razor, just installed it. If I'm wrong, please provide e.g. razor-agent.conf and how it is included/enabled in your setup (SpamAssassin maybe)? If related to SpamAssassin, you might want to read e.g. the following:
- http://wiki.apache.org/spamassassin/RazorSiteWide
- http://linux.die.net/man/5/razor-agent.conf

Never had the problem before Fedora 14.
http://koji.fedoraproject.org/koji/packageinfo?packageID=3205 will show you that perl-Razor-Agent did not change for nearly ages now. All that happened are some mass-rebuilds, but that didn't affect anything. Please provide your configuration and/or more details.
Pardon my ignorance. I installed Postfix, spamassassin, clamav, spambayes, and perl-Razor-Agent many years ago originally under Suse and then moved to Fedora Core, I think with FC4. I do not remember doing much of anything to configure perl-Razor-Agent directly ever. I had to enable and do some edits in freshclam.conf, amavisd.conf, dovecot.conf. Had to modify and compile the database files and the master.cf and main.cf files for Postfix. But I never remember doing anything to configure razor. All has seemed to work OK over the years. Guess I must have missed properly configuring razor. It was not until Fedora 14 that selinux started complaining about razor-agent.log. Guess it is lucky it did or I would have gone on thinking all was OK. Thanks. I'll give configuring a try and see how it goes.
Appears that razor-agent.log was created in / on the first install and never appended to after that. Razor-agent home is in /var/spool/amavisd/.razor and there is a log file in there that is being appended to although I never see an actual registration in the beginning of the file. I do see conf files:

server.c301.cloudmark.com.conf
server.c302.cloudmark.com.conf
server.c303.cloudmark.com.conf

and these files as well:

servers.catalogue.lst
servers.discovery.lst
servers.nomination.lst

So I have no idea how these got installed or configured, but it all seems to work. I deleted the razor-agent.log that was created in / . I'll see if this makes the selinux alert go away.

Since deleting /razor-agent.log the sealert no longer occurs.
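
Added example, not part of the original report and not code from setroubleshoot or audit2allow: a small parser for the AVC record quoted in the alert. It reproduces the `allow` rule shown at the end of the report and flags the denial for a file-location check before any policy module is loaded. The function names and the `_log_t` suffix heuristic are assumptions made for this illustration.

```python
import re

# Raw AVC record copied from the alert in this report.
AVC = ('type=AVC msg=audit(1293186073.579:51589): avc: denied { append } for '
       'pid=14479 comm="spamd" name="razor-agent.log" dev=dm-3 ino=14 '
       'scontext=system_u:system_r:spamd_t:s0 '
       'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields in one 'avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """Render the type-enforcement rule that would permit the denied access."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"


def triage(rec):
    """Assumed heuristic: a write to a '*.log' name whose target type is
    not a log type suggests a misplaced file rather than a policy gap."""
    writing = {'append', 'write'} & set(rec['perms'])
    looks_like_log = rec.get('name', '').endswith('.log')
    log_type = rec['ttype'].endswith('_log_t')
    if rec['tclass'] == 'file' and writing and looks_like_log and not log_type:
        return 'check-file-location'
    return 'review-policy'


if __name__ == '__main__':
    record = parse_avc(AVC)
    print(allow_rule(record))
    print(triage(record))
```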