postfix, procmail and SELinux - No Go

Marc Schwartz MSchwartz at mn.rr.com
Sun Jun 25 20:53:42 UTC 2006


Nicolas Mailhot wrote:
> Paul Howarth a écrit :
>> On Sat, 2006-06-24 at 17:40 -0500, Marc Schwartz wrote:
> 
>>> 'pyzor discover' updates the pyzor server list.
>>>
>>> 'razor-admin -discover' does the same for the razor servers.
>> Can these be made to write files somewhere other than /.razor etc?
>>
>> Are the files written there just like the ones for regular users, e.g.
>> default preference settings?
> 
> actually razor discover and pyzor discover should just write
> system-wide files in /var/cache in an ideal world, instead of having
> every user re-download the list all by itself
> 
> Don't know if it's possible and if it is not, how difficult it would
> be to fix.

Guys, let me propose something here, at least as one possibility.

In reviewing the docs for razor and pyzor, it would seem that there are 
some default file locations as we are experiencing. By default, these 
appear to be user specific (i.e. ~/.pyzor and ~/.razor), where the user 
could be me, root or the "system". This includes the server updating 
process.

It occurs to me that one potential confounding variable here is that I 
am running these processes as a local user on a single user system, 
rather than a system-wide approach as one might do with a central server 
processing incoming e-mail for multiple user accounts. That includes my 
use of ~/.procmailrc as the primary means to process both virus (via 
clamassassin/clamav) and spam (via SA + these additional tools).

Presumably a SysAdmin on a multi-user system would take a different 
approach and perhaps would use other means to integrate the processing 
of viruses and spam (such as Amavis as Nicolas has mentioned). This would 
afford other approaches to the default configuration of these other tools.

To Nicolas' points below, there are some issues with these things moving 
in a non-GPL mode, if they are not already there. I do note however 
that both razor and pyzor are still in Extras for FC5 and are present in 
Extras for devel (http://fedoraproject.org/extras/development/i386/). I 
also wholeheartedly support his contention that these tools 
dramatically improve the processing of spam.

In either case, one option for me here within the notion of this being a 
single user process, is to move the cron jobs that update razor and 
pyzor from the system /etc/crontab to my user cron file via "crontab -e" 
(/var/spool/cron/marcs). I already have fetchmail and some backup 
scripts running there anyway.

The dcc update process would need to stay in /etc/crontab since it 
downloads, compiles and installs the system-wide dcc client.

In this way, the files that are getting updated would be limited to my 
local user files (and perhaps still root's files), rather than the 
system files in /.razor and /.pyzor.

Thoughts?

Another option, perhaps, would be for the FE razor and pyzor maintainers 
to adjust the respective app defaults for FE with an eye towards SELinux 
policy issues in future updates. In that way, perhaps the default 
locations could be in /etc or /var as Nicolas notes above. That might 
provide for a means to handle both single user and multi user 
configurations, though the impact on other tools would need to be 
considered as may be appropriate.

Paul, I will respond to your follow up shortly, as soon as I have 
installed the updated policy files.

Regards,

Marc


> BTW
> 
> - dcc is closed software, will never make it in FC or FE
> 
> - razor used to be FOSS but acquired some "not for commercial use"
> features recently, so it's on the way out (dunno if it's still in FE
> repos)
> 
> - pyzor is completely FOSS but seems to be going the sleeping beauty
> way. What's worse the central pyzor server is on the sdsl setup of the
> main developer and drops from the net every other week for long periods
> 
> It's all a shame because anyone who has run sa with and without
> razor/pyzor will attest they improve sa efficiency dramatically.
> 
> Since pyzor is in python maybe the Fedora project could set up a
> central pyzor server for its users ?
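An added illustration of the cron-environment point Marc raises above (example script, not from Marc or anyone on the list): jobs in /etc/crontab run as root with the HOME the system crontab sets, which this script assumes is "/", so the discover commands land their files in /.razor and /.pyzor; a per-user crontab runs with the user's own HOME. The helper names, the crontab times and the /home/marcs path are constructed for the example; only "razor-admin -discover" and "pyzor discover" come from the thread.

```shell
#!/bin/sh
# Example (not from the thread): predict where razor/pyzor will write
# their server lists for a given HOME, and build user-crontab lines that
# set HOME explicitly so the files stay out of the filesystem root.
# Assumption: /etc/crontab hands root jobs HOME=/ (Fedora's default).

# Directory the discover commands would write to for a given HOME.
#   $1 = HOME value, $2 = tool name (razor or pyzor)
dotdir_for() {
    case "$1" in
        ""|/) printf '/.%s\n' "$2" ;;
        *)    printf '%s/.%s\n' "${1%/}" "$2" ;;
    esac
}

# True (0) when HOME points at a real home directory rather than "/".
home_is_sane() {
    case "$1" in
        ""|/) return 1 ;;
        *)    return 0 ;;
    esac
}

# Lines to paste into the user's crontab (crontab -e). HOME is set on
# the first line so the jobs do not depend on cron's environment.
#   $1 = the user's home directory (constructed value in the usage below)
user_crontab_entries() {
    printf 'HOME=%s\n' "$1"
    printf '17 3 * * * razor-admin -discover\n'
    printf '23 3 * * * pyzor discover\n'
}

# Wrapper the cron lines could call instead of the raw commands: refuses
# to run the updaters when HOME is unset or "/", before touching disk.
run_discover() {
    if ! home_is_sane "${HOME:-}"; then
        echo "refusing to run: HOME=${HOME:-unset}" >&2
        return 1
    fi
    razor-admin -discover && pyzor discover
}

# Usage: sh thisscript.sh --show
if [ "${1:-}" = "--show" ]; then
    echo "razor files with HOME=/           -> $(dotdir_for / razor)"
    echo "razor files with HOME=/home/marcs -> $(dotdir_for /home/marcs razor)"
    user_crontab_entries /home/marcs
fi
```

Running it with --show prints the two candidate locations side by side and the three crontab lines; the refusal in run_discover is what keeps a misconfigured root job from creating the /.razor and /.pyzor directories that the SELinux policy then complains about.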
