| Summary: | SELinux prevents dspam from using port tcp/24 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Trunecka <mtruneck> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Eduard Benes <ebenes> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.5 | CC: | dwalsh, ebenes, lvrabec, mgrepl, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 07:57:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
f167ebb83da447d5a12215549d7c88175b0c0f20 fixes this in git. Although I wonder why this package was not rolled up into spamassassin policy? Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |
Description of problem: Despite the fact, that we set ServerPort to 10026 in the test, dspam tries to connect to port 24, which was denied by selinux, see the AVC below. Dspam didn't behave this way before, it seems to be new in dspam version 3.10.2-4. However, this is not deterministic, it happens only about 1 of 3 cases of running this test. In the /etc/dspam.conf file is the port 24 given as preset commented settings so I guess we can expect users to use this port: #ClientHost 127.0.0.1 #ClientPort 24 #ServerHost 127.0.0.1 #ServerPort 24 time->Fri Oct 25 15:45:40 2013 type=SOCKADDR msg=audit(1382730340.128:153): saddr=02000018000000000000000000000000 type=SYSCALL msg=audit(1382730340.128:153): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff1ddad1f0 a2=10 a3=7fff1ddacd70 items=0 ppid=1 pid=13247 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null) type=AVC msg=audit(1382730340.128:153): avc: denied { name_bind } for pid=13247 comm="dspam" src=24 scontext=unconfined_u:system_r:dspam_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket Version-Release number of selected component (if applicable): dspam-3.10.2-4.el6.x86_64 selinux-policy-3.7.19-228.el6.noarch