In amavisd-new, current version 2.11.0-r3 (and older versions probably), the systemd-unit prohibits write-access to config-files when spamassassin with DCC-Plugin (mail-filter/dcc-1.3.158) is enabled. Reproducible: Always Steps to Reproduce: 1.every time a mail is filtered with amavisd-new/spamassassin/dcc 2. 3. Actual Results: error: Apr 12 15:38:49 colin dccproc[1484]: open(/var/dcc/map): Read-only file system Expected Results: No error. Log-error: Apr 12 15:38:49 colin dccproc[1484]: open(/var/dcc/map): Read-only file system colin ~ # ll /var/dcc/map lrwxrwxrwx 1 amavis amavis 12 19. Mär 09:36 /var/dcc/map -> /etc/dcc/map mail-filter/dcc-1.3.158 installs its config in /etc/dcc, see ebuild: https://gitweb.gentoo.org/repo/gentoo.git/tree/mail-filter/dcc/dcc-1.3.158.ebuild moveconf() { local into=/etc/dcc/ for i in $@; do mv "${D}${dcc_homedir}/${i}" "${D}${into}" dosym "${into}${i}" "${dcc_homedir}/${i}" done } /usr/lib/systemd/system/amavisd.service includes 'ProtectSystem=full' which disables write-access on /etc by design. # /etc/systemd/system/amavisd.service.d/override.conf [Service] ReadWritePaths=-/etc/dcc will remove the error. Possible solution: mail-filter/dcc should place config in /var/dcc/etc or amavisd's systemd-unit could be changed as above. bug-report on redhat on this topic: https://bugzilla.redhat.com/show_bug.cgi?id=1532139 for the first solution, this patch might be needed. https://bugzilla.redhat.com/show_bug.cgi?id=1532139
I believe we already have the fix for SpamAssassin in place. Reading the source code for "dccproc", it's clear that the map file in question is *not* a configuration file. It's persistent, writable, program data: i.e. the stuff that goes under /var. So I think the right fix for this is to leave the map file (and anything else that needs to be written at runtime) where it is. (/var/lib/dcc would be even better IMO)