postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Mon Jun 26 11:38:44 UTC 2006


Marc Schwartz wrote:
> Nicolas Mailhot wrote:
>> Paul Howarth a écrit :
>>> On Sat, 2006-06-24 at 17:40 -0500, Marc Schwartz wrote:
>>
>>>> 'pyzor discover' updates the pyzor server list.
>>>>
>>>> 'razor-admin -discover' does the same for the razor servers.
>>> Can these be made to write files somewhere other than /.razor etc?
>>>
>>> Are the files written there just like the ones for regular users, e.g.
>>> default preference settings?
>>
>> actually razor discover and pyzor discover should just write
>> system-wide files in /var/cache in an ideal world, instead of having
>> every user re-download the list all by itself
>>
>> Don't know if it's possible and if it is not, how difficult it would
>> be to fix.
> 
> Guys, let me propose something here, at least as one possibility.
> 
> In reviewing the docs for razor and pyzor, it would seem that there are 
> some default file locations as we are experiencing. By default, these 
> appear to be user specific (ie. ~/.pyzor and ~/.razor), where the user 
> could be me, root or the "system". This includes the server updating 
> process.

What I'm wondering is how this could end up creating directories /.razor 
and /.pyzor since the root directory (as opposed to the /root directory) 
is not the home directory of any user, and shouldn't be writable by 
anyone other than root.

> It occurs to me that one potential confounding variable here is that I 
> am running these processes as a local user on a single user system, 
> rather than a system-wide approach as one might do with a central server 
> processing incoming e-mail for multiple user accounts. That includes my 
> use of ~/.procmailrc as the primary means to process both virus (via 
> clamassassin/clamav) and spam (via SA + these additional tools).
> 
> Presumably a SysAdmin on a multi-user system would take a different 
> approach and perhaps would use other means to integrate the processing 
> of viri and spam (such as Amavis as Nicolas has mentioned). This would 
> afford other approaches to the default configuration of these other tools.

The spamassassin wiki has a page on this:

http://wiki.apache.org/spamassassin/UsingPyzor

> To Nicolas' points below, there are some issues with these things moving 
> in a non-GPL mode, if they are not already there.  I do note however 
> that both razor and pyzor are still in Extras for FC5 and are present in 
> Extras for devel (http://fedoraproject.org/extras/development/i386/). I 
> also whole heartedly support his contention that these tools 
> dramatically improve the processing of spam.
> 
> In either case, one option for me here within the notion of this being a 
> single user process, is to move the cron jobs that update razor and 
> pyzor from the system /etc/crontab to my user cron file via "crontab -e" 
> (/var/spool/cron/marcs). I already have fetchmail and some backup 
> scripts running there anyway.

I think that would be a good move; it should at least prevent the 
creation of directories straight under the root.

> The dcc update process would need to stay in /etc/crontab since it 
> downloads, compiles and installs the system-wide dcc client.

Compiles as root? Ugh!

> Another option, perhaps, would be for the FE razor and pyzor maintainers 
> to adjust the respective app defaults for FE with an eye towards SELinux 
> policy issues in future updates. In that way, perhaps the default 
> locations could be in /etc or /var as Nicolas notes above. That might 
> provide for a means to handle both single user and multi user 
> configurations, though the impact on other tools would need to be 
> considered as may be appropriate.

If we can figure out how to make them work sanely, I'm confident that 
the maintainers would be open to suggestions (preferably with patches).

Paul.
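An added audit helper for the symptom discussed in this thread (this is example code, not something posted by Paul, Marc or Nicolas, and not part of razor or pyzor). It assumes a Fedora-style system /etc/crontab whose header sets HOME=/, so that any job below it which writes to ~ (pyzor and razor-admin default to ~/.pyzor and ~/.razor) lands directly under the root directory. The three functions report the HOME a system crontab hands to its jobs, list hidden directories created straight under a given root, and rewrite a job line so it carries an explicit HOME instead of inheriting the header value. The sample crontab and the /var/lib/pyzor path are constructed placeholders, not taken from any real system.

```shell
#!/bin/sh
# Example code, not from the mailing-list thread or from the razor/pyzor projects.
# Assumption: a system crontab in the Fedora/RHEL layout, i.e. a header of
# SHELL=/PATH=/MAILTO=/HOME= variable lines followed by job lines of the form
#   minute hour dom month dow user command...

# crontab_home: print the HOME that jobs in a system crontab file inherit.
# cron passes a HOME= variable line verbatim to every job that follows it;
# with no such line it falls back to the user's passwd entry.
crontab_home() {
    # $1 = path to a crontab file (e.g. /etc/crontab on a real box)
    awk -F= '/^[ \t]*HOME[ \t]*=/ {
                 v = $2
                 gsub(/^[ \t]+|[ \t]+$/, "", v)
             }
             END { if (v == "") print "(passwd entry)"; else print v }' "$1"
}

# stray_dotdirs: list hidden directories directly under a root. A /.razor or
# /.pyzor here is the fingerprint of a job that ran with HOME=/ and wrote
# its per-user state into what it believed was a home directory.
stray_dotdirs() {
    # $1 = directory to inspect (use / on a real box; a temp dir in the self-test)
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' | sort
}

# set_job_home: rewrite one system-crontab job line so its command runs with
# an explicit home directory. Since cron runs the command through SHELL,
# a leading HOME=dir assignment applies to that command only.
set_job_home() {
    # $1 = crontab job line, $2 = home directory the job should use
    printf '%s\n' "$1" | awk -v h="$2" '{
        cmd = ""
        for (i = 7; i <= NF; i++) cmd = cmd (i > 7 ? " " : "") $i
        printf "%s %s %s %s %s %s HOME=%s %s\n", $1, $2, $3, $4, $5, $6, h, cmd
    }'
}

# Usage on a live system (commented out so the file is safe to source):
#   crontab_home /etc/crontab      # prints "/" on a stock Fedora crontab header
#   stray_dotdirs /                # lists /.razor, /.pyzor if the jobs misfired
#   set_job_home '0 3 * * * root pyzor discover' /var/lib/pyzor   # placeholder dir
```

The rewritten job line keeps the job in the system crontab but pins its HOME, which is the middle ground between Marc's plan of moving the jobs to a user crontab and Nicolas's wish for system-wide state under /var.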