> On Feb 13, 2017, at 10:26 AM, Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
>
> [Putting Robert on Bcc…]
>
> I upgraded recently to F25 from F24. I had configured my MDF service in systemd as stock.
>
> No changes were made to MDF concurrent to the upgrade.
>
> Now I’m seeing a bunch of:
>
> type=AVC msg=audit(1487004730.889:2463): avc: denied { read } for pid=24701 comm="mimedefang.pl" name="razor-agent.log" dev="sda6" ino=9306726 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0
>
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> There’s a symlink with that path on my system:
>
> lrwxrwxrwx. 1 defang defang system_u:object_r:spamd_var_run_t:s0 9 Dec 14 2011 /var/spool/MIMEDefang/.razor/razor-agent.log -> /dev/null
>
> and I see it being created via the temp files at startup:
>
> /usr/lib/tmpfiles.d/mimedefang.conf:d /var/spool/MIMEDefang/.razor 0750 defang defang - -
> /usr/lib/tmpfiles.d/mimedefang.conf:L+ /var/spool/MIMEDefang/.razor/razor-agent.log - - - - /dev/null
>
> The file is accessed in Razor2::Client::Config, which is pulled into MDF via SpamAssassin which has:
>
> loadplugin Mail::SpamAssassin::Plugin::Razor2
>
> in it.
>
> So, not really sure what the point of a log file pointing at /dev/null would be or why MDF is responsible for creating it given that it’s SpamAssassin that ends up scribbling on it, etc. Why not skip creating the file, and not write at all if you can’t open it because it doesn’t exist...
>
> Anyone know what the fix for this is?
>
> Thanks,
>
> -Philip
Well, I took a shot at fixing this: https://github.com/toddr/Razor2-Client-Agent/pull/2 and we’ll see if it gets accepted.

If it is, then the fix might be to have a file /etc/razor/razor-agent.conf containing:

logfile none

where ‘none’ is a keyword telling Razor2::Client::Logger to open /dev/null as the destination. Hopefully this is as SELinux friendly as possible.

Skoll: any thoughts? Scheck?

In mimedefang-2.79 the file redhat/mimedefang-init.in contains the block:

if [ ! -L @SPOOLDIR@/.razor/razor-agent.log ]; then
    # The Razor2 log is mostly useless, and we can't change its location.
    # In order to prevent it from filling up the spool, we just link it to
    # /dev/null.
    ln -sf /dev/null @SPOOLDIR@/.razor/razor-agent.log
    chown -h defang:defang @SPOOLDIR@/.razor/razor-agent.log
fi

but I’m not sure I understand it. Why can’t we change its location? On my system, Razor2::Agent::Client only ever gets invoked via Mail::SpamAssassin which only ever gets invoked by Mimedefang. From my perspective, Mimedefang rules the roost and can pretty much do whatever it wants.

-Philip

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com

MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
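An added example, not from the thread and not code of the Razor2 or MIMEDefang projects: a POSIX sh helper that parses the AVC record quoted above into the single TE allow rule and the .te module skeleton that audit2allow would produce for it, so the scope of the rule (one source type, one target type, one class, one permission) can be checked before any module is loaded. The function names and the module name mimedefang_razor are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the mailing-list message: derive the minimal
# SELinux TE allow rule (and a loadable-module skeleton, as audit2allow -M
# would) from one AVC denial record. Function names are hypothetical.

# Constructed sample input: the AVC record quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1487004730.889:2463): avc: denied { read } for pid=24701 comm="mimedefang.pl" name="razor-agent.log" dev="sda6" ino=9306726 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=lnk_file permissive=0'

# avc_field RECORD KEY: value of the whitespace-delimited KEY=value pair.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permissions inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' \
        | sed 's/^ *//; s/ *$//'
}

# avc_to_allow RECORD: one TE rule, scoped to exactly the denied access.
avc_to_allow() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_to_module RECORD NAME: a complete .te file body. Build and load with
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
# only after confirming the rule is as narrow as the one printed here.
avc_to_module() {
    printf 'module %s 1.0;\n\nrequire {\n' "$2"
    printf '    type %s;\n' "$(avc_type "$(avc_field "$1" scontext)")"
    printf '    type %s;\n' "$(avc_type "$(avc_field "$1" tcontext)")"
    printf '    class %s { %s };\n}\n\n' "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
    avc_to_allow "$1"
}

avc_to_module "$AVC_SAMPLE" mimedefang_razor
```

For the record above this prints a module whose only rule is `allow spamd_t spamd_var_run_t:lnk_file { read };`, i.e. permission to read the symlink itself, nothing about /dev/null or the spool directory.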