Bug 767837

Summary: sendmail can't connect to mimedefang socket
Product: [Fedora] Fedora
Reporter: Philip Prindeville <philipp>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dwalsh, philipp
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-12-15 18:37:08 UTC

Description Philip Prindeville 2011-12-15 00:11:29 UTC
Description of problem:

I'm running sendmail using:

+INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m')

in my sendmail.mc. I had to uninstall and reinstall mimedefang to correct some corruption.

After doing so, I started seeing:

type=AVC msg=audit(1323904762.038:42942): avc:  denied  { connectto } for  pid=805 comm="sendmail" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

which "audit2allow" tells me that I'm missing:

allow sendmail_t unconfined_t:unix_stream_socket connectto;

Not sure why the context has gone away on the socket... I'm thinking it should be:

allow sendmail_t spamd_t:unix_stream_socket connectto;


Version-Release number of selected component (if applicable):

3.10.0-64

How reproducible:

As per above.


Comment 1 Miroslav Grepl 2011-12-15 08:26:09 UTC
How did you start spamd? It happens if you start a service without using systemctl.

Comment 2 Daniel Walsh 2011-12-15 18:36:57 UTC
This looks like you ran spamd as unconfined_t rather than through the service or sysctl command.

Comment 3 Philip Prindeville 2012-01-01 02:05:01 UTC
(In reply to comment #2)
> This looks like you ran spamd as unconfined_t rather than through the service
> or sysctl command.

Acknowledged... still, should /etc/rc.d/init.d/functions handle that correctly when running with SYSTEMCTL_SKIP_REDIRECT set?

Comment 4 Miroslav Grepl 2012-01-02 08:59:24 UTC
How exactly did you start it?

Comment 5 Philip Prindeville 2012-01-02 09:14:56 UTC
SYSTEMCTL_SKIP_REDIRECT=yes /etc/init.d/spamassassin start
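
The reading of the denial given in comments 1 and 2, written out as an added example (not part of the bug thread and not a Fedora tool): it parses the AVC record from the description, rebuilds the rule audit2allow suggested, and flags an unconfined_t peer as a mislabeled daemon rather than a policy gap. The function names, the verdict strings and the spamd_t comparison line are assumptions made for illustration.

```python
import re

# Denial copied from the bug description.
AVC = ('type=AVC msg=audit(1323904762.038:42942): avc:  denied  { connectto } '
       'for  pid=805 comm="sendmail" '
       'path="/var/spool/MIMEDefang/mimedefang.sock" '
       'scontext=system_u:system_r:sendmail_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket')

# Constructed comparison: the same denial if the peer had run confined.
CONFINED = AVC.replace('unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023',
                       'system_u:system_r:spamd_t:s0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the type is the third field.
        rec[key + '_type'] = rec[key].split(':')[2]
    return rec

def naive_rule(rec):
    """The allow rule a tool would derive mechanically from the denial."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(
        rec['scontext_type'], rec['tcontext_type'], rec['tclass'], p)

def triage(rec):
    """Hypothetical verdicts. For connectto on a unix socket the target context
    is that of the listening process, so unconfined_t means the daemon was
    started outside its confined domain (for example from a login shell)."""
    peer_classes = ('unix_stream_socket', 'unix_dgram_socket')
    if rec['tclass'] in peer_classes and rec['tcontext_type'] == 'unconfined_t':
        return 'peer-unconfined'   # restart the daemon properly; add no rule
    return 'policy-review'         # confined peer: examine the policy itself

if __name__ == '__main__':
    for line in (AVC, CONFINED):
        r = parse_avc(line)
        print(triage(r), '|', naive_rule(r))
```
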