Bug 616182
Summary: | I use spamassassin with settings stored in a postgresql db and I get the following selinux warning | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Gabriel Ramirez <gabriello.ramirez> |
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 13 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-39.fc13 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2010-07-23 02:27:13 UTC | Type: | --- |
Description
Gabriel Ramirez
2010-07-19 19:37:48 UTC
I use spamassassin-3.3.1-2.fc13.x86_64 and it stores settings in a postgresql-8.4.4-1.fc13.x86_64 database by following the instructions at http://svn.apache.org/repos/asf/spamassassin/tags/spamassassin_current_release_3.3.x/sql/README but I get the following security alert (I set the spamd_t domain to permissive):

    Summary:

    SELinux is preventing /usr/bin/perl "name_connect" access .

    Detailed Description:

    [spamd has a permissive type (spamd_t). This access was not denied.]

    SELinux denied access requested by spamd. It is not expected that this access
    is required by spamd and this access may signal an intrusion attempt. It is also
    possible that the specific version or configuration of the application is
    causing it to require additional access.

    Additional Information:

    Source Context                unconfined_u:system_r:spamd_t:s0
    Target Context                system_u:object_r:postgresql_port_t:s0
    Target Objects                None [ tcp_socket ]
    Source                        spamd
    Source Path                   /usr/bin/perl
    Port                          5432
    Host                          stargate.zn9.acapulco.ag
    Source RPM Packages           perl-5.10.1-114.fc13
    Target RPM Packages
    Policy RPM                    selinux-policy-3.7.19-33.fc13
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Plugin Name                   catchall
    Host Name                     localhost
    Platform                      Linux localhost 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
    Alert Count                   1
    First Seen                    Mon 19 Jul 2010 02:21:22 PM CDT
    Last Seen                     Mon 19 Jul 2010 02:36:05 PM CDT
    Local ID                      90f684f8-d152-4903-a35e-9ef26572e142
    Line Numbers

    Raw Audit Messages

    node=localhost type=AVC msg=audit(1279568165.441:25221): avc: denied { name_connect } for pid=18577 comm="spamd" dest=5432 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

    node=localhost type=SYSCALL msg=audit(1279568165.441:25221): arch=c000003e syscall=42 success=yes exit=128 a0=6 a1=375cf90 a2=10 a3=7fffb2a34c70 items=0 ppid=18575 pid=18577 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="spamd" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)

I made a selinux module spamdlocal.pp via audit2allow, but a selinux boolean with a default of disabled (I will enable it because I need it) would be great.

Thanks,
Gabriel

We have

    optional_policy(`
        corenet_tcp_connect_postgresql_port(spamd_t)
        corenet_sendrecv_postgresql_client_packets(spamd_t)
        postgresql_stream_connect(spamd_t)
    ')

in Rawhide policy.

Fixed in selinux-policy-3.7.19-39.fc13.noarch

selinux-policy-3.7.19-39.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-39.fc13

selinux-policy-3.7.19-39.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
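The AVC record in the description contains everything a local module like the reporter's spamdlocal needs: source type, target type, object class and permission. The following added example (not part of the bug report, selinux-policy or audit2allow) parses that record and derives the narrowest type-enforcement rule that covers it; the function names are hypothetical and the sample line is the one quoted above.

```python
import re

# AVC record copied from the bug description above (node= prefix dropped).
SAMPLE = ('type=AVC msg=audit(1279568165.441:25221): avc: denied '
          '{ name_connect } for pid=18577 comm="spamd" dest=5432 '
          'scontext=unconfined_u:system_r:spamd_t:s0 '
          'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {'scontext', 'tcontext', 'tclass'}


def parse_avc(line):
    """Return a dict for an 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    perms = m.group('perms').split()
    if not perms or not REQUIRED <= fields.keys():
        return None  # truncated record: refuse to guess
    fields['perms'] = perms
    return fields


def context_type(context):
    """Type is the third field of user:role:type:level (level may hold ':')."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def allow_rule(avc):
    """Type-enforcement rule covering exactly the denied access, nothing more."""
    perms = sorted(avc['perms'])
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (context_type(avc['scontext']),
                                   context_type(avc['tcontext']),
                                   avc['tclass'], perm_text)


def summarize(lines):
    """Deduplicated allow rules for every AVC denial found in the lines."""
    return sorted({allow_rule(a) for a in map(parse_avc, lines) if a})


if __name__ == '__main__':
    print('\n'.join(summarize([SAMPLE])))
```

The derived rule lets spamd_t open outbound TCP connections only to ports labelled postgresql_port_t, so review the rule before loading it rather than allowing every denial a log happens to contain.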