Bug 541065
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /usr/bin/perl from binding to port 23796. | | |
| Product | [Fedora] Fedora | Reporter | Micko <micko> |
| Component | selinux-policy | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Priority | low |
| Version | 12 | CC | djuran, dwalsh, mgrepl |
| Hardware | x86_64 | OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:f142a98e852e052c700cf662b2bcd4b59938d049db230d0f5193ff0f6457f85f | | |
| Fixed In Version | selinux-policy-3.6.32-120.fc12 | Doc Type | Bug Fix |
| Last Closed | 2009-12-07 22:46:45 UTC | | |

Description
Micko
2009-11-24 21:26:23 UTC

Why is spamassassin trying to bind to port 23796?

Is this a local customization?

(In reply to comment #1)
> Why is spamassassin trying to bind to port 23796?
>
> Is this a local customization?

I might have done something wrong when I configured spamassassin but nothing on purpose. I keep getting a lot of alerts, but if it's only me I need to look into it and learn some more.

Now I have already 10 of this SE-alert:

------------------------------------------------------
SELinux has denied the spamassassin from binding to a network port 64851 which does not have an SELinux type associated with it. If spamassassin should be allowed to listen on 64851, use the semanage command to assign 64851 to a port type that spamc_t can bind to (). If spamassassin is not supposed to bind to 64851, this could signal an intrusion attempt.
------------------------------------------------------

Seems like my spamassassin daemon chooses high ports at random!?

Are you using nis?

Just got one more port:

SELinux has denied the spamassassin from binding to a network port 26909.....

fixing it suggests udp:

    # semanage port -a -t PORT_TYPE -p udp 26909

No, you need something more powerful than this. It looks like policy allows spamd to bind to any udp port, but not spamassassin. I wonder if this is something new.

If you set the boolean

    getsebool -a | grep spamassassin_can_network
    spamassassin_can_network --> off

on, does it work?

    setsebool -P spamassassin_can_network 1

No, no nis. I might have some unnecessary services running but not nis (I think, never used it).

    $] service ypbind status

reports "not running".

I've tried to set it on and it was now when I got the reports. Do I need to reboot first to be sure?

Fixed in selinux-policy-3.6.32-50.fc12.noarch

Added

    corenet_udp_bind_generic_port(spamc_t)

You can build a custom policy module with this line until you get the update.
I am building -50 in koji now.

OK, fine. Thanks!

selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12

selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549

selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12

selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650

selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

As far as I can tell right now, it remains the same. But now:

    'setsebool -P allow_ypbind=1'

stops all alerts from spamassassin. (I'm not running a NIS Client though, not that I know of anyway.) So I'm happy with that. I'll do some more testing and get back if I find anything.

What avc's were you seeing before you turned the boolean on?

Avc's? I make a guess that it's an SE-alert. With boolean 0 I got this message but with different ports every time.

-------
SELinux is preventing /usr/bin/perl from binding to port 9143.

SELinux has denied the spamassassin from binding to a network port 9143 which does not have an SELinux type associated with it. If spamassassin should be allowed to listen on 9143, use the semanage command to assign 9143 to a port type that spamc_t can bind to (). If spamassassin is not supposed to bind to 9143, this could signal an intrusion attempt.

If you want to allow spamassassin to bind to port 9143, you can execute

    # semanage port -a -t PORT_TYPE -p udp 9143

where PORT_TYPE is one of the following: . If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1.
-------

I was actually looking for the content in /var/log/audit/audit.log

This gives me all the info I need.

selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12

selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
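
The thread asks for the raw AVCs in /var/log/audit/audit.log rather than the setroubleshoot summary. As an added example that is not part of the bug report, this Python sketch pulls name_bind denials out of audit.log text and groups the denied ports per source domain, so one domain being denied on a different unlabeled port each time (the pattern reported here) stands out. The log lines are constructed samples, and the function names and the threshold of three distinct ports are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format (not taken from the bug report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1259098000.101:201): avc:  denied  { name_bind } for  pid=2101 comm="spamassassin" src=23796 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1259098050.202:215): avc:  denied  { name_bind } for  pid=2133 comm="spamassassin" src=64851 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1259098099.303:230): avc:  denied  { name_bind } for  pid=2170 comm="spamassassin" src=26909 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1259098120.404:231): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1259098120.404:231): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_name_bind_denials(log_text):
    """Return one dict per denied name_bind AVC found in log_text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or "name_bind" not in m.group(1).split():
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not {"src", "scontext", "tcontext"} <= f.keys():
            continue  # incomplete record: skip rather than guess
        denials.append({
            "comm": f.get("comm", "?"),
            "port": int(f["src"]),
            "domain": f["scontext"].split(":")[2],     # e.g. spamc_t
            "port_type": f["tcontext"].split(":")[2],  # port_t = no specific port label
            "tclass": f.get("tclass", "?"),
        })
    return denials

def ports_by_domain(denials):
    """Map (domain, port type, socket class) to the sorted distinct denied ports."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d["domain"], d["port_type"], d["tclass"])].add(d["port"])
    return {key: sorted(ports) for key, ports in groups.items()}

def changing_port_binders(summary, threshold=3):
    """Groups denied on >= threshold distinct port_t ports (assumed heuristic)."""
    return [key for key, ports in summary.items()
            if key[1] == "port_t" and len(ports) >= threshold]

if __name__ == "__main__":
    summary = ports_by_domain(parse_name_bind_denials(SAMPLE_AUDIT_LOG))
    for (domain, ptype, tclass), ports in summary.items():
        print(f"{domain} -> {ptype} ({tclass}): {ports}")
    print("changing ports:", changing_port_binders(summary))
```

A group flagged by `changing_port_binders` is one where labeling individual ports with semanage cannot keep up, which is why the fix in this bug was a policy rule for spamc_t rather than a port label.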