Bug 880421 - sa-update cron job can't write to /root/.spamassassin
Status: CLOSED DUPLICATE of bug 864501
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2012-11-27 00:02 UTC by Dave Jones
Modified: 2015-01-04 22:31 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-01-16 20:54:49 UTC
Type: Bug
Description Dave Jones 2012-11-27 00:02:00 UTC
Every morning I get this mail:

From: Cron Daemon
Subject: Cron <root@gelk> /usr/share/spamassassin/sa-update.cron 2>&1 | tee -a /var/log/sa-update.log

config: path "/root/.spamassassin" is inaccessible: Permission denied
config: path "/root/.spamassassin" is inaccessible: Permission denied
config: path "/root/.spamassassin" is inaccessible: Permission denied


Looking in audit.log, I see a bunch of selinux denials.

type=AVC msg=audit(1353402602.230:1163): avc:  denied  { dac_read_search } for  pid=20691 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353402602.289:1164): avc:  denied  { dac_read_search } for  pid=20691 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353402602.946:1165): avc:  denied  { dac_read_search } for  pid=20699 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353402602.966:1166): avc:  denied  { dac_read_search } for  pid=20699 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407808.496:1173): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407808.517:1174): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407808.702:1175): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407810.923:1176): avc:  denied  { dac_read_search } for  pid=25938 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353407811.112:1177): avc:  denied  { create } for  pid=25938 comm="sa-update" name="sought_rules_yerp_org" scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1353575402.663:515): avc:  denied  { dac_read_search } for  pid=17104 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575402.692:516): avc:  denied  { dac_read_search } for  pid=17104 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575403.335:517): avc:  denied  { dac_read_search } for  pid=17109 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575403.359:518): avc:  denied  { dac_read_search } for  pid=17109 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575636.904:519): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575636.926:520): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575637.200:521): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575638.027:522): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353575638.847:523): avc:  denied  { dac_read_search } for  pid=17362 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661802.391:917): avc:  denied  { dac_read_search } for  pid=13427 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661802.421:918): avc:  denied  { dac_read_search } for  pid=13427 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661802.989:919): avc:  denied  { dac_read_search } for  pid=13433 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353661803.011:920): avc:  denied  { dac_read_search } for  pid=13433 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665958.550:927): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665958.572:928): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665958.776:929): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665959.678:930): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353665960.662:931): avc:  denied  { dac_read_search } for  pid=15954 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.245:1154): avc:  denied  { dac_read_search } for  pid=24176 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.277:1155): avc:  denied  { dac_read_search } for  pid=24176 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.880:1156): avc:  denied  { dac_read_search } for  pid=24183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353748202.902:1157): avc:  denied  { dac_read_search } for  pid=24183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.435:1164): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.457:1165): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.726:1166): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751935.691:1167): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751936.613:1168): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834602.605:1594): avc:  denied  { dac_read_search } for  pid=20446 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834602.633:1595): avc:  denied  { dac_read_search } for  pid=20446 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834603.197:1596): avc:  denied  { dac_read_search } for  pid=20452 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353834603.219:1597): avc:  denied  { dac_read_search } for  pid=20452 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836979.756:1598): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836979.777:1599): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836980.012:1600): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353836981.019:1601): avc:  denied  { dac_read_search } for  pid=21045 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921002.498:3799): avc:  denied  { dac_read_search } for  pid=17039 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921002.542:3800): avc:  denied  { dac_read_search } for  pid=17039 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921003.237:3801): avc:  denied  { dac_read_search } for  pid=17048 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921003.259:3802): avc:  denied  { dac_read_search } for  pid=17048 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921810.803:3827): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921810.824:3828): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921811.015:3830): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921811.921:3831): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353921813.010:3832): avc:  denied  { dac_read_search } for  pid=18279 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability


Strangely, if I run it by hand from the shell I don't get these.

I'm not sure why spamassassin chose to use /root/ as a location for its temporary files during update. Maybe that should be fixed to be somewhere else instead?

Comment 1 Daniel Walsh 2012-11-27 15:30:34 UTC
That might be a good solution. What is the ownership of /root/.spamassassin?

ls -l /root/.spamassassin

Comment 2 Dave Jones 2012-11-27 17:53:24 UTC
drwx------. 1 root root     0 Apr  6  2012 .spamassassin/

I changed it to 777 and it made no difference, which is what led me to suspect selinux.

Comment 3 Daniel Walsh 2012-11-27 20:55:31 UTC
How about /root?

Is spamassassin running as a different user than root?

Can it search through the /root directory?

Comment 4 Dave Jones 2012-11-27 23:03:08 UTC
dr-xr-x---.   1 root root  418 Nov 27 00:26 root/

The mail comes from root@, which is what I'm assuming cron is running under.

Comment 6 Daniel Walsh 2012-11-28 16:43:22 UTC
I just gave spamd_update the dac_read_search for a different path. No reason a root process would not be allowed to search through /root/.spamassassin, so spamd_update would have to be running as spamd user?

Comment 7 Dave Jones 2012-11-28 17:06:30 UTC
I'm really starting to think we should reassign this to spamassassin and think about moving its update directory somewhere more sensible.

Comment 8 Eric Paris 2012-11-28 20:28:43 UTC
Do we have full audit logs? Hopefully including the SYSCALL record? It would tell us what the user in question was (obviously it wasn't root).

But this looks like a spamassassin default configuration bug to me...
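
Added example, not part of the original report or any commenter's reply: a small Python triage script for the audit records quoted in the description. It groups AVC denials by (source domain, permission, class, target type) and joins each one to its SYSCALL record by event id, which surfaces the fsuid that comment 8 asks about. The SYSCALL line in the sample is constructed, with placeholder uid values, because the report contains none; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: AVC lines are copied from the report; the SYSCALL line is
# invented and abbreviated, and its uid values are placeholders, not real data.
SAMPLE = '''\
type=AVC msg=audit(1353402602.289:1164): avc:  denied  { dac_read_search } for  pid=20691 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1353751934.435:1164): avc:  denied  { dac_read_search } for  pid=26183 comm="sa-update" capability=2  scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1353751934.435:1164): arch=c000003e syscall=4 success=no exit=-13 pid=26183 auid=0 uid=1001 gid=1001 euid=1001 fsuid=1001 comm="sa-update" exe="/usr/bin/perl"
type=AVC msg=audit(1353407811.112:1177): avc:  denied  { create } for  pid=25938 comm="sa-update" name="sought_rules_yerp_org" scontext=system_u:system_r:spamd_update_t:s0-s0:c0.c1023 tcontext=system_u:object_r:spamd_var_lib_t:s0 tclass=dir
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
PERMS = re.compile(r'denied\s+\{ ([^}]+) \}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Group records into events keyed by the full 'timestamp:serial' id.
    Serials alone are not unique in a log (1164 occurs twice in the sample)."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(event_id, {'avc': [], 'syscall': None})
        perms = PERMS.search(body)
        if rtype == 'AVC' and perms:
            fields['perms'] = perms.group(1).split()
            ev['avc'].append(fields)
        elif rtype == 'SYSCALL':
            ev['syscall'] = fields
    return events

def summarize(events):
    """Return (denial counts, fsuids seen) per (domain, perm, class, target)."""
    counts, fsuids = Counter(), {}
    for ev in events.values():
        for avc in ev['avc']:
            src, tgt = (avc[c].split(':')[2] for c in ('scontext', 'tcontext'))
            for perm in avc['perms']:
                key = (src, perm, avc['tclass'], tgt)
                counts[key] += 1
                if ev['syscall']:
                    fsuids.setdefault(key, set()).add(ev['syscall'].get('fsuid'))
    return counts, fsuids

if __name__ == '__main__':
    print(summarize(parse(SAMPLE)))
```

Run against the full log in the description, the summary collapses the listing to two distinct denials: `dac_read_search` on the domain's own capability set and a single `create` on a `spamd_var_lib_t` directory.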

Comment 11 John Griffiths 2013-01-16 16:25:28 UTC
This is still happening. Any progress? Was it turned over to spamassassin? There are only two bugs that come up in the search for "config: path "/root/.spamassassin" is inaccessible: Permission denied". This one and bug 864501.

Comment 12 Daniel Walsh 2013-01-16 20:54:49 UTC

*** This bug has been marked as a duplicate of bug 864501 ***

