Bug 1891003

Summary: default configuration example for ORIGINATING related to ports is blocked by SELinux
Product: Fedora EPEL
Reporter: Peter Bieringer <pb>
Component: amavis
Assignee: Juan Orti <jorti>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel8
CC: jorti, steve, vanmeeuwen+fedora
Hardware: Unspecified
OS: Unspecified
Fixed In Version: amavis-2.12.1-3.el8
Last Closed: 2020-12-03 02:09:34 UTC
Type: Bug

Description Peter Bieringer 2020-10-23 14:10:13 UTC
Description of problem:
There is an SELinux issue with the default ports provided in the default configuration related to the policy bank "ORIGINATING".

Version-Release number of selected component (if applicable):
amavis-2.12.0-9.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. enable ORIGINATING by changing:

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

to

#$inet_socket_port = 10024;   # listen on this local TCP port(s)
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports

2. restart amavisd

Actual results:
will not start


Expected results:
starting

Additional info:
Issue is caused by SELinux port labeling of configured ports 10026 and 10027

egrep '(10026|10027)' /etc/amavisd/amavisd.conf
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';
  forward_method => 'smtp:[127.0.0.1]:10027',


They have a different type, "spamd_port_t":

semanage port -l | egrep '(10026|10027)'
spamd_port_t                   tcp      783, 10026, 10027


compared to the default ones for simple amavisd operations:

semanage port -l | egrep '(10024|10025)'
amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025


Changing the port label is IMHO not a good idea... it can break something else.

-> Workaround/suggestion: instead of using 10026/10027, use the currently unlabeled ports 10022/10023 by changing the default config (working here quite well) and apply proper port labels in SELinux; the final result should be:

semanage port -l | egrep ^amavis
amavisd_recv_port_t            tcp      10022, 10024
amavisd_send_port_t            tcp      10023, 10025

As this change should only be done on fresh configurations, potentially a hint/warning should be added in postinstall (or in the default config, like "in case of facing issues with 10026/10027, use 10022/10023").

Background: the related postfix master configuration also needs to be tweaked for
- amavis reinjection
- amavis feed
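
The check the report performs by hand (grep the configured ports out of `semanage port -l`, see which type owns them, then decide whether `semanage port -a` is safe), as an added example that is not part of the bug report or of the amavis package. SEMANAGE_PORTS is a constructed copy of the `semanage port -l` lines quoted above plus the stock unreserved_port_t range; on a real host replace it with `SEMANAGE_PORTS=$(semanage port -l)`. The function names (port_label, port_action, amavis_port_plan) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: given the ports amavisd is configured
# to listen on (which need amavisd_recv_port_t) and to forward to (which need
# amavisd_send_port_t), report which ones SELinux already lists under another
# type, and print the `semanage port -a` commands for the ones that are free.
# SEMANAGE_PORTS is a constructed copy of the `semanage port -l` output quoted
# in the report plus the stock unreserved_port_t range; on a real host use
# SEMANAGE_PORTS=$(semanage port -l) instead.

SEMANAGE_PORTS='amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
spamd_port_t                   tcp      783, 10026, 10027
unreserved_port_t              tcp      1024-32767'

# port_label PORT [PROTO]
# Prints the port type that lists PORT individually for PROTO (default tcp),
# or "unlabeled" when only a range such as unreserved_port_t covers it.
# Ranges are ignored on purpose: `semanage port -a` succeeds on such a port,
# which is what the report calls "unlabeled", whereas an individually listed
# port makes `semanage port -a` fail with "already defined".
port_label() {
    port=$1; proto=${2:-tcp}
    printf '%s\n' "$SEMANAGE_PORTS" | awk -v port="$port" -v proto="$proto" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p !~ /-/ && p == port) { print $1; found = 1; exit }
            }
        }
        END { if (!found) print "unlabeled" }'
}

# port_action PORT WANTED_TYPE -> ok | add | conflict:<other type>
port_action() {
    have=$(port_label "$1")
    if [ "$have" = "$2" ]; then echo ok
    elif [ "$have" = unlabeled ]; then echo add
    else echo "conflict:$have"
    fi
}

# amavis_port_plan "RECV PORTS" "SEND PORTS"
# RECV ports are the $inet_socket_port listeners, SEND ports the
# forward_method targets (postfix reinjection). Prints one line per port and
# returns 1 if any port is owned by another type, so the caller stops before
# relabeling something that belongs to another service (spamd's 10026/10027).
amavis_port_plan() {
    rc=0
    for kind in "amavisd_recv_port_t $1" "amavisd_send_port_t $2"; do
        want=${kind%% *}
        for port in ${kind#* }; do
            action=$(port_action "$port" "$want")
            case $action in
                ok)  echo "# tcp/$port already labeled $want" ;;
                add) echo "semanage port -a -t $want -p tcp $port" ;;
                conflict:*)
                    echo "# CONFLICT: tcp/$port is ${action#conflict:}, not $want;" \
                         "pick another port instead of relabeling it"
                    rc=1 ;;
            esac
        done
    done
    return $rc
}

# Stock config example (10026 listener, 10027 reinjection) versus the ports
# suggested in the report (10022/10023).
echo "== ports from the default ORIGINATING example =="
amavis_port_plan "10024 10026" "10025 10027" || echo "# plan aborted: conflicting port types"
echo "== ports suggested in the report =="
amavis_port_plan "10024 10022" "10025 10023"
```

Run it as-is to see the two plans side by side; with the real `semanage port -l` output in SEMANAGE_PORTS, the printed `semanage port -a` lines are the exact commands to apply, and a non-zero return tells you a configured port would need `semanage port -m` to take it away from its current owner, which is the relabeling the report advises against.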

Comment 1 Juan Orti 2020-11-17 10:23:15 UTC
The amavis SELinux policy is provided by the selinux-policy-targeted package in RHEL and not by amavis itself.

The commented-out ports are an example and administrators can choose whatever they want, so I consider it normal that you have to adjust the SELinux policy. I can agree on adding an example in the config file though.

Comment 2 Fedora Update System 2020-11-17 19:13:50 UTC
FEDORA-EPEL-2020-ca1ac5519e has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e

Comment 3 Fedora Update System 2020-11-18 03:15:20 UTC
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-12-03 02:09:34 UTC
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.