Bug 1848125

Summary: amavisd fails to start in multiple port config
Product: [Fedora] Fedora
Reporter: dan
Component: amavisd-new
Assignee: Juan Orti <jorti>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 32
CC: janfrode, jorti, perl-devel, steve, vanmeeuwen+fedora
Hardware: x86_64   
OS: Linux   
Last Closed: 2020-09-19 13:36:20 UTC
Type: Bug

Description dan 2020-06-17 17:46:50 UTC
amavisd fails to start using the recommended 2-port configuration:

$inet_socket_port = [10024,10026];  # listen on multiple TCP ports

The failure occurs because the selinux-policy has labelled port 10026 as for use by spamd.

[root]# semanage port -l | grep spamd
spamd_port_t                   tcp      783, 10026, 10027

Another port could be used as a workaround but it would be helpful for the amavisd and selinux team to identify another recommended port for the 2nd instance which would be properly labeled in the selinux policy.

Comment 1 dan 2020-06-18 04:07:08 UTC
This is a bit more complex than I thought. In trying to move the receive/send functions from 10026/10027 to 10036/10037 I was still being blocked by policy until I added:

semanage port -a -t amavisd_recv_port_t  -p tcp 10036
semanage port -a -t amavisd_send_port_t  -p tcp 10037

Comment 2 Juan Orti 2020-09-19 13:36:20 UTC
(In reply to dan from comment #0)
> $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

This is commented out and is an example. The default port is 10024 which is allowed in the SELinux policy.

It's expected that you have to tag any other port with the correct SELinux label.
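
Added example (not part of the bug report and not written by any commenter): a shell function that reads `semanage port -l` output and reports, for each port amavisd is meant to listen on, whether it already carries the wanted type, is claimed by another type (as 10026 is by spamd_port_t in the description), or still needs the `semanage port -a` step from comment 1. The names `check_ports` and `sample_listing` are hypothetical, the sample listing is constructed apart from the spamd_port_t line quoted in the report, and treating `unreserved_port_t` as "no specific label" is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Usage:
#   semanage port -l | check_ports WANTED_TYPE PORT...
check_ports() {
    want=$1; shift
    awk -v want="$want" -v ports="$*" '
    $2 == "tcp" {                       # one policy line: TYPE tcp P1, P2, LO-HI
        type = $1; line = $0
        sub(/^[^ \t]+[ \t]+tcp[ \t]+/, "", line)   # keep only the port list
        n = split(line, items, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            lo = hi = items[i]
            if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
            cnt++; T[cnt] = type; LO[cnt] = lo + 0; HI[cnt] = hi + 0
        }
    }
    END {
        np = split(ports, P, " ")
        for (j = 1; j <= np; j++) {
            p = P[j] + 0; best = ""; width = -1
            for (k = 1; k <= cnt; k++) {   # narrowest matching entry wins
                if (p < LO[k] || p > HI[k]) continue
                w = HI[k] - LO[k]
                if (width < 0 || w < width) { width = w; best = T[k] }
            }
            # Assumption: unreserved_port_t is the generic catch-all label.
            if (best == want)
                print p, "ok", best
            else if (best == "" || best == "unreserved_port_t")
                print p, "needs-label", "semanage port -a -t " want " -p tcp " p
            else
                print p, "conflict", best
        }
    }'
}

# Constructed sample listing; only the spamd_port_t line is from the report.
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
spamd_port_t                   tcp      783, 10026, 10027
unreserved_port_t              tcp      61001-65535, 1024-32767
EOF
}

sample_listing | check_ports amavisd_recv_port_t 10024 10026 10036
```

A `conflict` result means the port already belongs to another service's type in the policy, so the function prints no command for it and leaves the choice of a different port to the administrator.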