[CentOS] Spamassassin vs. SELinux trouble

Tue Dec 12 13:02:59 UTC 2017
Peter Kjellström <cap at nsc.liu.se>

On Tue, 12 Dec 2017 13:37:30 +0100
Nicolas Kovacs <info at microlinux.fr> wrote:

> Hi,
> 
> Spamassassin has been working nicely on my main server running CentOS
> 7 and Postfix. SELinux is activated (Enforcing).
> 
> Since the most recent update (don't know if it's related to it though)
> I'm getting the following SELinux error.
> 
> --8<-----------------------------------------------------------------
> SELinux is preventing /usr/bin/perl from 'read, write' accesses on the
> file /var/log/spamassassin/.spamassassin/bayes_toks.
...
> Additional Information:
> Source Context                system_u:system_r:spamd_t:s0
> Target Context                system_u:object_r:var_log_t:s0

This seems like it should have been denied. You probably don't want
system_r:spamd_t to write to var_log_t.

I don't have access to a c7 with spamassasin right now but would guess
that /var/log/spamassassin/.spamassassin/bayes_toks should have been a
different context (something like spam_log_t).

You can use "ls -Z" on /var/log/spamassassin to find out what context
the top level dir has. Then use restorcon (if the policy has the
correct data but the real world file/dir is wrong). chcon can be used
to test a change but for a permanent fix you'll have to add it to the
policy (file context listing).

/Peter K