Bug 450568

Summary: spamassassin selinux policy issue
Product: [Fedora] Fedora
Reporter: tgeier
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 9
CC: rvokal
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:04:31 UTC
Attachments:
- Results of one of the sealerts generated by this issue. (Flags: none)
- AVC messages and te file (Flags: none)

Description tgeier 2008-06-09 17:58:37 UTC
Description of problem:
The selinux policy on Fedora 9 does not allow spamassassin to bind to any
local network ports, creating excessive processor load whenever an email comes
into the system.  The load is expedited somewhat if setroubleshootd is not
running, though having spamd running or not appears to make no difference.

Version-Release number of selected component (if applicable):
Fedora 9 after using preupgrade from Fedora 8.

How reproducible:
Consistently reproducible.

Steps to Reproduce:
1. Start setroubleshootd and spamd.
2. Send a test email or wait for one to arrive.
3. Watch /var/log/messages for a large number of setroubleshoot exceptions.
  
Actual results:
Excessive system load and a large number of setroubleshoot exceptions produced.
Email does still go through, however.

Expected results:
Email going through without any setroubleshoot exceptions.

Additional info:
Tried changing the sebool spamassassin_can_network to 1; made no difference.
Results of a typical sealert are attached.

Comment 1 tgeier 2008-06-09 17:58:37 UTC
Created attachment 308733
Results of one of the sealerts generated by this issue.

Comment 2 Daniel Walsh 2008-06-10 18:59:32 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch
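
An added example, not part of the original comment or of selinux-policy: a Python summary of the allow rules that a module built from the denials in audit.log would contain, so they can be reviewed before running semodule -i. The log lines and the type names in them are constructed samples (not the reporter's attachment), and skipping everything before the last MAC_POLICY_LOAD record only approximates what audit2allow's -l option does.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (NOT the attachment from this bug).
SAMPLE_LOG = """\
type=AVC msg=audit(1213000000.100:10): avc:  denied  { read } for  pid=900 comm="old" name="x" dev=dm-0 ino=1 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1213000100.200:11): policy loaded auid=0 ses=1
type=AVC msg=audit(1213000200.300:12): avc:  denied  { name_bind } for  pid=2101 comm="spamassassin" src=20001 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213000201.300:13): avc:  denied  { name_bind } for  pid=2102 comm="spamassassin" src=20002 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213000202.300:14): avc:  denied  { read write } for  pid=2103 comm="spamassassin" path="socket:[5120]" dev=sockfs ino=5120 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text, since_last_load=True):
    """Group AVC denials by (source type, target type, class)."""
    lines = log_text.splitlines()
    if since_last_load:
        # Keep only records after the most recent policy load, if any.
        loads = [i for i, l in enumerate(lines)
                 if l.startswith("type=MAC_POLICY_LOAD")]
        if loads:
            lines = lines[loads[-1] + 1:]
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            r = rules[(type_of(m["s"]), type_of(m["t"]), m["cls"])]
            r["perms"].update(m["perms"].split())
            r["comms"].add(m["comm"])
            r["count"] += 1
    return dict(rules)

def as_te(rules):
    """Render grouped denials as .te allow rules annotated for review."""
    out = []
    for (s, t, cls), r in sorted(rules.items()):
        p = sorted(r["perms"])
        perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{cls} {perms};  # {r['count']} denial(s), "
                   f"comm={','.join(sorted(r['comms']))}")
    return out

if __name__ == "__main__":
    print("\n".join(as_te(summarize(SAMPLE_LOG))))
```

Each output line is one rule the local module would grant, with the number of denials behind it and the command names that triggered them.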

Comment 3 tgeier 2008-06-10 21:39:57 UTC
Thank you, that resolved most of the issue; there were still a few postfix
exceptions, but I was able to generate a policy to handle those and everything
is working properly now.

Comment 4 Daniel Walsh 2008-06-14 10:42:21 UTC
Could you submit the te file you generated or, even better, the avc messages used
to create it?

Comment 5 tgeier 2008-06-16 15:23:20 UTC
Created attachment 309511
AVC messages and te file

Comment 6 Daniel Walsh 2008-06-22 12:47:57 UTC
Does spamassassin talk directly to postfix?  I.e., does postfix exec spamassassin?
Or this could be a leaked file descriptor.

Comment 7 Daniel Walsh 2008-11-17 22:04:31 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.