Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 880421 - sa-update cron job can't write to /root/.spamassassin
Summary: sa-update cron job can't write to /root/.spamassassin
Keywords:
Status: CLOSED DUPLICATE of bug 864501
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-27 00:02 UTC by Dave Jones
Modified: 2015-01-04 22:31 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-16 20:54:49 UTC
Type: Bug


Attachments (Terms of Use)

Description Dave Jones 2012-11-27 00:02:00 UTC
Every morning I get this mail..

From: Cron Daemon
Subject: Cron <root@gelk> /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log

config: path "/root/.spamassassin" is inaccessible: Permission denied
config: path "/root/.spamassassin" is inaccessible: Permission denied
config: path "/root/.spamassassin" is inaccessible: Permission denied


Looking in audit.log, I see a bunch of selinux denials.

type=AVC msg=audit(1353402602.230:1163): avc:  denied  { dac_read_search } for  pid=20691 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353402602.289:1164): avc:  denied  { dac_read_search } for  pid=20691 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353402602.946:1165): avc:  denied  { dac_read_search } for  pid=20699 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353402602.966:1166): avc:  denied  { dac_read_search } for  pid=20699 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407808.496:1173): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407808.517:1174): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407808.702:1175): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407810.923:1176): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407811.112:1177): avc:  denied  { create } for  pid=25938 comm="sa-update" name="sought_rules_yerp_org" scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1353575402.663:515): avc:  denied  { dac_read_search } for  pid=17104 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575402.692:516): avc:  denied  { dac_read_search } for  pid=17104 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575403.335:517): avc:  denied  { dac_read_search } for  pid=17109 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575403.359:518): avc:  denied  { dac_read_search } for  pid=17109 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575636.904:519): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575636.926:520): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575637.200:521): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575638.027:522): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575638.847:523): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661802.391:917): avc:  denied  { dac_read_search } for  pid=13427 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661802.421:918): avc:  denied  { dac_read_search } for  pid=13427 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661802.989:919): avc:  denied  { dac_read_search } for  pid=13433 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661803.011:920): avc:  denied  { dac_read_search } for  pid=13433 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665958.550:927): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665958.572:928): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665958.776:929): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665959.678:930): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665960.662:931): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.245:1154): avc:  denied  { dac_read_search } for  pid=24176 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.277:1155): avc:  denied  { dac_read_search } for  pid=24176 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.880:1156): avc:  denied  { dac_read_search } for  pid=24183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.902:1157): avc:  denied  { dac_read_search } for  pid=24183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.435:1164): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.457:1165): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.726:1166): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751935.691:1167): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751936.613:1168): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834602.605:1594): avc:  denied  { dac_read_search } for  pid=20446 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834602.633:1595): avc:  denied  { dac_read_search } for  pid=20446 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834603.197:1596): avc:  denied  { dac_read_search } for  pid=20452 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834603.219:1597): avc:  denied  { dac_read_search } for  pid=20452 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836979.756:1598): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836979.777:1599): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836980.012:1600): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836981.019:1601): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921002.498:3799): avc:  denied  { dac_read_search } for  pid=17039 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921002.542:3800): avc:  denied  { dac_read_search } for  pid=17039 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921003.237:3801): avc:  denied  { dac_read_search } for  pid=17048 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921003.259:3802): avc:  denied  { dac_read_search } for  pid=17048 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921810.803:3827): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921810.824:3828): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921811.015:3830): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921811.921:3831): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921813.010:3832): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability


strangely, if I run it by hand from the shell I don't get these.

I'm not sure why spamassassin chose to use /root/ as a location for its temporary files during update. Maybe that should be fixed to be somewhere else instead ?

Comment 1 Daniel Walsh 2012-11-27 15:30:34 UTC
That might be a good solution.  What is the ownership  of /root/.spamassassin

ls -l /root/.spamassassin

Comment 2 Dave Jones 2012-11-27 17:53:24 UTC
drwx------. 1 root root     0 Apr  6  2012 .spamassassin/

I changed it to 777 and it made no difference which is what led me to suspect selinux

Comment 3 Daniel Walsh 2012-11-27 20:55:31 UTC
How about /root?

Is spamassassin running as a different user then root?

Can it search through the /root directory?

Comment 4 Dave Jones 2012-11-27 23:03:08 UTC
dr-xr-x---.   1 root root  418 Nov 27 00:26 root/

The mail comes from root@, which is what I'm assuming cron is running under.

Comment 6 Daniel Walsh 2012-11-28 16:43:22 UTC
I just gave spamd_update the dac_read_search for a different path. No reason a root process would not be allowed to search through /root/.spamassassin, so spamd_update would have to be running as spamd user?

Comment 7 Dave Jones 2012-11-28 17:06:30 UTC
I'm really starting to think we should reassign this to spamassassin and think about moving its update directory somewhere more sensible.

Comment 8 Eric Paris 2012-11-28 20:28:43 UTC
Do we have full audit logs?  Hopefully including the SYSCALL record?  It would tell us what the user was in question (obviously it wasn't root)

But this looks like a spamassassin default configuration bug to me...

Comment 11 John Griffiths 2013-01-16 16:25:28 UTC
This is still happening. Any progress? Was it turned over to spamassassin? There are only two bugs that come up in the search for "config: path "/root/.spamassassin" is inaccessible: Permission denied". This one and bug 864501.

Comment 12 Daniel Walsh 2013-01-16 20:54:49 UTC

*** This bug has been marked as a duplicate of bug 864501 ***


Note You need to log in before you can comment on or make changes to this bug.