> On Feb 13, 2017, at 10:26 AM, Philip Prindeville 
> <philipp_s...@redfish-solutions.com> wrote:
> 
> [Putting Robert on Bcc…]
> 
> I upgraded recently to F25 from F24.  I had configured my MDF service in 
> systemd as stock.
> 
> No changes were made to MDF concurrent to the upgrade.
> 
> Now I’m seeing a bunch of:
> 
> type=AVC msg=audit(1487004730.889:2463): avc:  denied  { read } for  
> pid=24701 comm="mimedefang.pl" name="razor-agent.log" dev="sda6" ino=9306726 
> scontext=system_u:system_r:spamd_t:s0 
> tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0
> 
>       Was caused by:
>               Missing type enforcement (TE) allow rule.
> 
>               You can use audit2allow to generate a loadable module to allow 
> this access.
> 
> There’s a symlink with that path on my system:
> 
> lrwxrwxrwx. 1 defang defang system_u:object_r:spamd_var_run_t:s0 9 Dec 14  
> 2011 /var/spool/MIMEDefang/.razor/razor-agent.log -> /dev/null
> 
> and I see it being created via the temp files at startup:
> 
> /usr/lib/tmpfiles.d/mimedefang.conf:d /var/spool/MIMEDefang/.razor 0750 
> defang defang - -
> /usr/lib/tmpfiles.d/mimedefang.conf:L+ 
> /var/spool/MIMEDefang/.razor/razor-agent.log - - - - /dev/null
> 
> 
> The file is accessed in Razor2::Client::Config, which is pulled into MDF via 
> SpamAssassin which has:
> 
> loadplugin Mail::SpamAssassin::Plugin::Razor2
> 
> in it.
> 
> So, not really sure what the point of a log file pointing at /dev/null would 
> be or why MDF is responsible for creating it given that it’s SpamAssassin 
> that ends up scribbling on it, etc.  Why not skip creating the file, and not 
> write at all if you can’t open it because it doesn’t exist...
> 
> Anyone know what the fix for this is?
> 
> Thanks,
> 
> -Philip


Well, I took a shot at fixing this:

https://github.com/toddr/Razor2-Client-Agent/pull/2

and we’ll see if it gets accepted.

If it is, then the fix might be to have a file /etc/razor/razor-agent.conf 
containing:

logfile none

where ‘none’ is a keyword telling Razor2::Client::Logger to open /dev/null as 
the destination.

Hopefully this is as SELinux-friendly as possible.

Skoll: any thoughts?  Scheck?

In mimedefang-2.79 the file redhat/mimedefang-init.in contains the block:

    if [ ! -L @SPOOLDIR@/.razor/razor-agent.log ]; then
        # The Razor2 log is mostly useless, and we can't change its location.
        # In order to prevent it from filling up the spool, we just link it to
        # /dev/null.
        ln -sf /dev/null @SPOOLDIR@/.razor/razor-agent.log
        chown -h defang:defang @SPOOLDIR@/.razor/razor-agent.log
    fi


but I’m not sure I understand it.  Why can’t we change its location?  On my 
system, Razor2::Agent::Client only ever gets invoked via Mail::SpamAssassin, 
which only ever gets invoked by Mimedefang.

From my perspective, Mimedefang rules the roost and can pretty much do whatever 
it wants.

-Philip
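The following is an added example and is not code from MIMEDefang, Razor2, SpamAssassin or anyone in this thread. It takes an AVC denial line of the kind quoted at the top of the message and derives the type-enforcement rule that audit2allow would generate for it, so the grant can be read and judged before any module is built or loaded. The sample AVC line is constructed from the one quoted above (joined onto a single line); the module name mimedefang_local and all function names are my own.

```shell
#!/bin/sh
# Added example, not code from MIMEDefang, Razor2, SpamAssassin or this thread.
# Derive the minimal SELinux type-enforcement rule behind an AVC denial so it
# can be reviewed before a policy module is built and loaded.

# Constructed sample: the denial quoted in the message above, on one line.
AVC_SAMPLE='type=AVC msg=audit(1487004730.889:2463): avc:  denied  { read } for  pid=24701 comm="mimedefang.pl" name="razor-agent.log" dev="sda6" ino=9306726 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes dropped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the allow rule that would satisfy the denial.
avc_to_allow() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_to_module LINE NAME: a complete .te source (NAME is a hypothetical
# module name) in the same shape audit2allow -M writes, require block included.
avc_to_module() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$2" "$src" "$tgt" "$cls" "$perms"
    printf '#============= %s ==============\n' "$src"
    avc_to_allow "$1"
}

# Stand-alone run: print the module source for the sample denial.
avc_to_module "$AVC_SAMPLE" mimedefang_local
```

The rule it prints, `allow spamd_t spamd_var_run_t:lnk_file { read };`, is exactly what loading an audit2allow module would grant: spamd_t may read every symlink labelled spamd_var_run_t, not only this one. Before installing such a module it is worth checking with `ls -Z` and `matchpathcon` whether the link carries the label the policy expects for that path; a mislabelled file is corrected with `restorecon`, not with a new allow rule. If the grant is the right fix, the printed source builds and loads with `checkmodule -M -m -o mimedefang_local.mod mimedefang_local.te`, `semodule_package -o mimedefang_local.pp -m mimedefang_local.mod` and `semodule -i mimedefang_local.pp`.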


_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang