Bug 451631

Summary: Problem with Spamassassin triggered by procmail
Product: [Fedora] Fedora Reporter: Adam Huffman <bloch>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 9CC: jkubin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-24 10:04:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Alert text from sealert none

Description Adam Huffman 2008-06-16 10:52:54 UTC 
Description of problem:
Since upgrading to F9 I've been seeing selinux errors with SpamAssassin, which
is triggered by my .procmailrc.

This causes thousands of AVC messages, meaning I have to shutdown
setroubleshootd in order to make the system usable.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-64.fc9.noarch

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Adam Huffman 2008-06-16 10:52:54 UTC 
Created attachment 309477 [details]
Alert text from sealert
Comment 2 Daniel Walsh 2008-06-22 12:38:20 UTC 
This avc shows spamassassin tryint to bind to a udp socket 32230?

Is this expected behaviour?
Comment 3 Daniel Walsh 2008-06-22 12:40:22 UTC 
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Comment 4 Adam Huffman 2008-06-24 09:52:41 UTC 
I'm assuming it's expected behaviour as I'm using SpamAssassin's defaults. 
Here's how it's triggered in .procmailrc:

INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc

and here's the content of that file:

# send mail through spamassassin
:0fw
| /usr/bin/spamassassin

Here's the content of /etc/sysconfig/spamassassin:

# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H"
Comment 5 Daniel Walsh 2008-06-24 10:04:26 UTC 
Turn on the spamassassin_can_network boolean.

If you run your AVC though audit2why it shows


 audit2why -i /tmp/t
host=saintloup.smith.man.ac.uk type=AVC msg=audit(1213613494.259:1224): avc: 
denied  { name_bind } for  pid=5705 comm="spamassassin" src=32230
scontext=system_u:system_r:spamassassin_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	Allow user spamassassin clients to use the network.

	Allow access by executing:
	# setsebool -P spamassassin_can_network 1
	Description:
	Allow system to run with NIS

	Allow access by executing:
	# setsebool -P allow_ypbind 1