Using spamassassin with selinux

Daniel J Walsh dwalsh at redhat.com
Sat Dec 17 13:04:28 UTC 2005


Nicolas Mailhot wrote:
> Hi,
>
> I'm still trying to get spamassassin to work properly with procmail 
> selinux (this is bug #172088, been open almost 50 days, still not 
> closed). I'm getting a bit tired of watching my spam system fail and 
> will probably revert to no selinux testing at all (selinux=0, like 
> almost everyone else) if this continues. 50 days is more than enough 
> to fix a reported problem.
>
> I have the following entry in my procmail:
>
> :0fw: .spamc.lock
> * < 256000
> | spamc
>
> Now maildir logs show spamassassin is denied access to its own files 
> when selinux is enabled:
>
> Dec 17 11:30:05 rousalka spamd[2681]: spamd: connection from 
> localhost.localdomain [127.0.0.1] at port 50637
> Dec 17 11:30:05 rousalka spamd[2681]: spamd: setuid to nim succeeded
>
> (yes spamd does setuids)
>
> Dec 17 11:30:05 rousalka spamd[2681]: spamd: creating default_prefs: 
> /home/nim/.spamassassin/user_prefs
>
> (spamd didn't see the pref files already existed - probably because of 
> selinux - so it tries to create it)
>
> Dec 17 11:30:05 rousalka spamd[2681]: mkdir /home/nim: Le fichier 
> existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line 
> 1467
>
> (the system tells it to get lost, the file already exists)
>
> Dec 17 11:30:05 rousalka spamd[2681]: config: cannot write to 
> /home/nim/.spamassassin/user_prefs: Permission non accordée
>
> (and spamd is not allowed to write it)
>
> Dec 17 11:30:05 rousalka spamd[2681]: spamd: failed to create readable 
> default_prefs: /home/nim/.spamassassin/user_prefs
>
> likewise pyzor is dead
>
> Dec 17 11:30:05 rousalka spamd[2681]: internal error
> Dec 17 11:30:05 rousalka spamd[2681]: pyzor: check failed: internal error
>
> and the autowhitelist can not be modified, because spamd can not 
> create a lockfile
>
> Dec 17 11:30:05 rousalka spamd[2681]: locker: safe_lock: cannot create 
> tmp lockfile 
> /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 
> for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
> Dec 17 11:30:05 rousalka spamd[2681]: auto-whitelist: open of 
> auto-whitelist file failed: locker: safe_lock: cannot create tmp 
> lockfile 
> /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2681 
> for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
> Dec 17 11:30:05 rousalka spamd[2681]: Can't call method "finish" on an 
> undefined value at 
> /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line 
> 397.
>
> This on a fully relabeled selinux-policy-targeted-2.1.6-8 rawhide system
>
Funny this bug was just closed for FC4.  What avc messages are you seeing?


Current policy has
    userdom_manage_generic_user_home_dirs(spamd_t)
    userdom_manage_generic_user_home_files(spamd_t)

Which should allow spamd_t to write to the users' home directories.

Dan
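
The reply above asks which AVC messages are being logged. As an added example (not part of the original message or of the SELinux policy sources), this script groups AVC denials for the spamd_t domain by target type and object class, so they can be compared against what the policy grants. The audit records are constructed samples, not the reporter's actual denials, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records for illustration only; they are not the
# denials from the report above (those were never posted in this message).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134819005.101:41): avc:  denied  { write } for  pid=2681 comm="spamd" name="user_prefs" dev=dm-0 ino=98311 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1134819005.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="spamd"
type=AVC msg=audit(1134819005.107:42): avc:  denied  { add_name write } for  pid=2681 comm="spamd" name="auto-whitelist.lock" dev=dm-0 ino=98300 scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1134819005.110:43): avc:  denied  { create } for  pid=2681 comm="spamd" name="user_prefs" scontext=system_u:system_r:spamd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1134819006.250:44): avc:  denied  { read } for  pid=2702 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="?([^"\s]+)"?')

def context_type(context):
    """Return the type field (third field) of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize_denials(log_text, source_type="spamd_t"):
    """Group denied permissions by (target type, class) for one source domain."""
    summary = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or context_type(m.group("scontext")) != source_type:
            continue  # not an AVC denial, or a different source domain
        entry = summary[(context_type(m.group("tcontext")), m.group("tclass"))]
        entry["perms"].update(m.group("perms").split())
        name = NAME_RE.search(line)
        if name:
            entry["names"].add(name.group(1))
    return dict(summary)

if __name__ == "__main__":
    for (ttype, tclass), e in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        perms = " ".join(sorted(e["perms"]))
        print(f"spamd_t -> {ttype}:{tclass} {{ {perms} }} names={sorted(e['names'])}")
```

On a live system the input would be the contents of the audit log (or the kernel log if auditd is not running) rather than the embedded sample.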

More information about the fedora-selinux-list mailing list