Bug 474180

Summary: selinux warnings with spamassassin
Product: [Fedora] Fedora Reporter: Jeff Layton <jlayton>
Component: spamassassinAssignee: Warren Togami <wtogami>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: dwalsh, kevin, steved, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-11 16:40:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeff Layton 2008-12-02 17:34:41 UTC 
Since updating my main server to F10, I've started seeing some SELinux warnings with spamassassin. The warnings follow -- let me know if you need other info:

--------------------[snip]----------------------


Summary:

SELinux is preventing spamassassin (spamc_t) "node_bind" unspec_node_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:spamc_t
Target Context                system_u:object_r:unspec_node_t
Target Objects                None [ udp_socket ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          salusa.poochiereds.net
Source RPM Packages           perl-5.10.0-49.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     salusa.poochiereds.net
Platform                      Linux salusa.poochiereds.net
                              2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18
                              11:58:53 EST 2008 x86_64 x86_64
Alert Count                   93
First Seen                    Sun 30 Nov 2008 07:45:57 AM EST
Last Seen                     Tue 02 Dec 2008 12:33:09 PM EST
Local ID                      7d52da32-76ad-435d-8acc-7041284cb1b4
Line Numbers                  

Raw Audit Messages            

node=salusa.poochiereds.net type=AVC msg=audit(1228239189.124:1668): avc:  denied  { node_bind } for  pid=25407 comm="spamassassin" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:unspec_node_t:s0 tclass=udp_socket

node=salusa.poochiereds.net type=SYSCALL msg=audit(1228239189.124:1668): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=2fe2518 a2=1c a3=0 items=0 ppid=25406 pid=25407 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)


---------------------------------------------------------------------------


Summary:

SELinux is preventing spamassassin (spamc_t) "node_bind" inaddr_any_node_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:spamc_t
Target Context                system_u:object_r:inaddr_any_node_t
Target Objects                None [ udp_socket ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          salusa.poochiereds.net
Source RPM Packages           perl-5.10.0-49.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     salusa.poochiereds.net
Platform                      Linux salusa.poochiereds.net
                              2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18
                              11:58:53 EST 2008 x86_64 x86_64
Alert Count                   88
First Seen                    Sun 30 Nov 2008 07:45:57 AM EST
Last Seen                     Tue 02 Dec 2008 12:33:09 PM EST
Local ID                      e32d98c4-e03d-462f-a6e2-e3c9b0e6067f
Line Numbers                  

Raw Audit Messages            

node=salusa.poochiereds.net type=AVC msg=audit(1228239189.189:1669): avc:  denied  { node_bind } for  pid=25407 comm="spamassassin" scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket

node=salusa.poochiereds.net type=SYSCALL msg=audit(1228239189.189:1669): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=2fe2518 a2=10 a3=0 items=0 ppid=25406 pid=25407 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)
Comment 1 Kevin Fenzi 2008-12-02 20:51:01 UTC 
Adding dwalsh here for input...
Comment 2 Daniel Walsh 2008-12-03 14:05:38 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-30.fc10