Bug 179643

Summary: spamd denied ldap_port_t
Product: [Fedora] Fedora
Reporter: Justin Willmert <justin>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: medium
Version: 4
Keywords: EasyFix, SELinux
Hardware: i386   
OS: Linux   
Fixed In Version: 1.27.1-2.20
Doc Type: Bug Fix
Last Closed: 2006-03-21 01:43:22 UTC

Description Justin Willmert 2006-02-01 20:48:18 UTC

Description of problem:
When the system is set up to use LDAP system authentication, spamd cannot setuid to the user, creating many permission problems (spamd downgrades to nobody). When SELinux is changed to permissive mode, spamd works. There are logs of ldap_port_t denial messages (I'll post the exact message later. Right now I'm at school).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16 and spamassassin-3.0.4-2

How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing mode (for targeted policy)
2. Start spamd service
3. Send email through `spamc -u USER` (where USER is a user that resides in an LDAP directory)

Actual Results:  spamd setuid()'s to nobody(99) instead of USER

Expected Results:  Able to setuid to USER

Additional info:

System authentication was set up during install using Fedora's authentication manager (I can't remember the program's name right now... It works through nsswitch.conf)

Comment 1 Justin Willmert 2006-02-01 21:58:55 UTC
Here are the AVC messages I promised to post.

type=AVC msg=audit(1138831213.154:112091): avc:  denied  { name_connect } for  pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.154:112091): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc775d0 a2=1171cb8 a3=7 items=0 pid=9014 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.154:112091): saddr=02000185C0A801940000000000000000
type=SOCKETCALL msg=audit(1138831213.154:112091): nargs=3 a0=7 a1=a1d60d0 a2=10
type=AVC msg=audit(1138831213.598:112092): avc:  denied  { name_connect } for  pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.598:112092): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc775d0 a2=1171cb8 a3=7 items=0 pid=9014 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.598:112092): saddr=02000185C0A801940000000000000000
type=SOCKETCALL msg=audit(1138831213.598:112092): nargs=3 a0=7 a1=a219830 a2=10
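
Added example, not part of the original report or of any Fedora tooling: a small triage script that groups audit records like those in Comment 1 by event serial, pulls out the denied permission and SELinux types, and decodes the SOCKADDR hex into the peer address. The function names and the abridged sample are this example's own; it assumes a little-endian host, as the bug's Hardware field (i386) indicates.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: records from Comment 1, re-joined, SYSCALL fields abridged.
SAMPLE = """\
type=AVC msg=audit(1138831213.154:112091): avc:  denied  { name_connect } for  pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.154:112091): arch=40000003 syscall=102 success=no exit=-13 pid=9014 uid=0 euid=0 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.154:112091): saddr=02000185C0A801940000000000000000
type=AVC msg=audit(1138831213.598:112092): avc:  denied  { name_connect } for  pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.598:112092): arch=40000003 syscall=102 success=no exit=-13 pid=9014 uid=0 euid=99 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.598:112092): saddr=02000185C0A801940000000000000000
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
PERMS = re.compile(r"\{([^}]*)\}")             # permission set inside { ... }
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="value"

def decode_saddr(hexstr):
    """Decode an AF_INET sockaddr hex dump to (ip, port); None otherwise."""
    raw = bytes.fromhex(hexstr or "")
    # sa_family is in host byte order (assumed little-endian, i386 host).
    if len(raw) < 8 or struct.unpack_from("<H", raw)[0] != socket.AF_INET:
        return None
    port = struct.unpack_from(">H", raw, 2)[0]  # port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def summarize(log):
    """Return one dict per AVC event, joined with its SYSCALL and SOCKADDR."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, serial, body = m.groups()
            events[serial][rtype] = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[serial][rtype]["_raw"] = body
    out = []
    for serial, recs in events.items():
        avc = recs.get("AVC")
        if avc:
            out.append({
                "serial": serial, "comm": avc["comm"], "tclass": avc["tclass"],
                "perms": " ".join(PERMS.findall(avc["_raw"])).split(),
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                "euid": recs.get("SYSCALL", {}).get("euid"),
                "peer": decode_saddr(recs.get("SOCKADDR", {}).get("saddr")),
            })
    return out
```

On the sample, `summarize(SAMPLE)` yields two `name_connect` denials from `spamd_t` to `ldap_port_t` with peer 192.168.1.148:389, the first with euid 0 and the second with euid 99.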

Comment 2 Daniel Walsh 2006-02-02 18:51:20 UTC
Fixed in selinux-policy-targeted-1.27.1-2.20