Every morning I get this mail.. From: Cron Daemon Subject: Cron <root@gelk> /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied config: path "/root/.spamassassin" is inaccessible: Permission denied Looking in audit.log, I see a bunch of selinux denials. type=AVC msg=audit(1353402602.230:1163): avc: denied { dac_read_search } for pid=20691 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353402602.289:1164): avc: denied { dac_read_search } for pid=20691 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353402602.946:1165): avc: denied { dac_read_search } for pid=20699 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353402602.966:1166): avc: denied { dac_read_search } for pid=20699 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353407808.496:1173): avc: denied { dac_read_search } for pid=25938 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353407808.517:1174): avc: denied { dac_read_search } for pid=25938 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353407808.702:1175): avc: denied { dac_read_search } for pid=25938 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353407810.923:1176): avc: denied { dac_read_search } for pid=25938 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353407811.112:1177): avc: denied { create } for pid=25938 comm="sa-update" name="sought_rules_yerp_org" scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir type=AVC msg=audit(1353575402.663:515): avc: denied { dac_read_search } for pid=17104 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575402.692:516): avc: denied { dac_read_search } for pid=17104 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575403.335:517): avc: denied { dac_read_search } for pid=17109 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575403.359:518): avc: denied { dac_read_search } for pid=17109 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575636.904:519): avc: denied { dac_read_search } for pid=17362 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575636.926:520): avc: denied { dac_read_search } for pid=17362 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575637.200:521): avc: denied { dac_read_search } for pid=17362 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575638.027:522): avc: denied { dac_read_search } for pid=17362 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353575638.847:523): avc: denied { dac_read_search } for pid=17362 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353661802.391:917): avc: denied { dac_read_search } for pid=13427 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353661802.421:918): avc: denied { dac_read_search } for pid=13427 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353661802.989:919): avc: denied { dac_read_search } for pid=13433 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353661803.011:920): avc: denied { dac_read_search } for pid=13433 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353665958.550:927): avc: denied { dac_read_search } for pid=15954 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353665958.572:928): avc: denied { dac_read_search } for pid=15954 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353665958.776:929): avc: denied { dac_read_search } for pid=15954 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353665959.678:930): avc: denied { dac_read_search } for pid=15954 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353665960.662:931): avc: denied { dac_read_search } for pid=15954 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353748202.245:1154): avc: denied { dac_read_search } for pid=24176 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353748202.277:1155): avc: denied { dac_read_search } for pid=24176 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353748202.880:1156): avc: denied { dac_read_search } for pid=24183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353748202.902:1157): avc: denied { dac_read_search } for pid=24183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353751934.435:1164): avc: denied { dac_read_search } for pid=26183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353751934.457:1165): avc: denied { dac_read_search } for pid=26183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353751934.726:1166): avc: denied { dac_read_search } for pid=26183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353751935.691:1167): avc: denied { dac_read_search } for pid=26183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353751936.613:1168): avc: denied { dac_read_search } for pid=26183 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353834602.605:1594): avc: denied { dac_read_search } for pid=20446 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353834602.633:1595): avc: denied { dac_read_search } for pid=20446 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353834603.197:1596): avc: denied { dac_read_search } for pid=20452 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353834603.219:1597): avc: denied { dac_read_search } for pid=20452 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353836979.756:1598): avc: denied { dac_read_search } for pid=21045 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353836979.777:1599): avc: denied { dac_read_search } for pid=21045 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353836980.012:1600): avc: denied { dac_read_search } for pid=21045 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353836981.019:1601): avc: denied { dac_read_search } for pid=21045 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921002.498:3799): avc: denied { dac_read_search } for pid=17039 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921002.542:3800): avc: denied { dac_read_search } for pid=17039 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921003.237:3801): avc: denied { dac_read_search } for pid=17048 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921003.259:3802): avc: denied { dac_read_search } for pid=17048 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921810.803:3827): avc: denied { dac_read_search } for pid=18279 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921810.824:3828): avc: denied { dac_read_search } for pid=18279 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921811.015:3830): avc: denied { dac_read_search } for pid=18279 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921811.921:3831): avc: denied { dac_read_search } for pid=18279 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1353921813.010:3832): avc: denied { dac_read_search } for pid=18279 comm="sa-update" capability=2 scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability strangely, if I run it by hand from the shell I don't get these. I'm not sure why spamassassin chose to use /root/ as a location for its temporary files during update. Maybe that should be fixed to be somewhere else instead ?
That might be a good solution. What is the ownership of /root/.spamassassin ls -l /root/.spamassassin
drwx------. 1 root root 0 Apr 6 2012 .spamassassin/ I changed it to 777 and it made no difference which is what led me to suspect selinux
How about /root? Is spamassassin running as a different user then root? Can it search through the /root directory?
dr-xr-x---. 1 root root 418 Nov 27 00:26 root/ The mail comes from root@, which is what I'm assuming cron is running under.
I just gave spamd_update the dac_read_search for a different path. No reason a root process would not be allowed to search through /root/.spamassassin, so spamd_update would have to be running as spamd user?
I'm really starting to think we should reassign this to spamassassin and think about moving its update directory somewhere more sensible.
Do we have full audit logs? Hopefully including the SYSCALL record? It would tell us what the user was in question (obviously it wasn't root) But this looks like a spamassassin default configuration bug to me...
This is still happening. Any progress? Was it turned over to spamassassin? There are only two bugs that come up in the search for "config: path "/root/.spamassassin" is inaccessible: Permission denied". This one and bug 864501.
*** This bug has been marked as a duplicate of bug 864501 ***