Bug 1891003

Summary: default configuration example for ORIGINATING related to ports is blocked by SELinux
Product: [Fedora] Fedora EPEL Reporter: Peter Bieringer <pb>
Component: amavisAssignee: Juan Orti <jorti>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: epel8CC: jorti, steve, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: amavis-2.12.1-3.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-03 02:09:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Peter Bieringer 2020-10-23 14:10:13 UTC
Description of problem:
there is an SELinux issue with default ports provided in default configuration related to policy bank "ORIGINATING"

Version-Release number of selected component (if applicable):
amavis-2.12.0-9.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. enable ORIGINATING by changing:

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

to

#$inet_socket_port = 10024;   # listen on this local TCP port(s)
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports

2. restart amavisd

Actual results:
will not start


Expected results:
starting

Additional info:
Issue is caused by SELinux port labeling of configured ports 10026 and 10027

egrep '(10026|10027)' /etc/amavisd/amavisd.conf
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';
  forward_method => 'smtp:[127.0.0.1]:10027',


they have a different type "spamd_port_t"

semanage port -l | egrep '(10026|10027)'                          
spamd_port_t                   tcp      783, 10026, 10027


compared to the default ones for simple amavisd operations:

semanage port -l | egrep '(10024|10025)' 
amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025


changing the port label is imho not a good idea...can break something else

-> workaround/suggestion instead of using 10026/10027 use the current unlabeled ports  10022/10023 by changing default config (working here quite well) and apply proper port labels in SELinux, final result should be:

semanage port -l | egrep ^amavis         
amavisd_recv_port_t            tcp      10022, 10024
amavisd_send_port_t            tcp      10023, 10025

As this change should be only done on fresh configurations, potentially a hint/warning should be applied in postinstall (or in the default config like "in case facing issues with 10026/10027 use 10022/10023).

Background: related postfix master configuration needs to be tweaked also for
- amavis reinjection
- amavis feed

Comment 1 Juan Orti 2020-11-17 10:23:15 UTC
The amavis SELinux policy is provided by the selinux-policy-targeted package in RHEL and not by amavis itself.

The commented out ports is an example and the administrators can choose whatever they want, so I consider normal that you have to adjust the SELinux policy. I can agree on adding an example in the config file though.

Comment 2 Fedora Update System 2020-11-17 19:13:50 UTC
FEDORA-EPEL-2020-ca1ac5519e has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e

Comment 3 Fedora Update System 2020-11-18 03:15:20 UTC
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-12-03 02:09:34 UTC
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.