This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1024677 - SELinux prevents dspam from using port tcp/24
SELinux prevents dspam from using port tcp/24
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Eduard Benes
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-30 04:46 EDT by Michal Trunecka
Modified: 2014-10-14 03:57 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 03:57:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Trunecka 2013-10-30 04:46:02 EDT
Description of problem:

Despite the fact, that we set ServerPort to 10026 in the test, dspam tries to connect to port 24, which was denied by selinux, see the AVC below. Dspam didn't behave this way before, it seems to be new in dspam version 3.10.2-4. However, this is not deterministic, it happens only about 1 of 3 cases of running this test.

In the /etc/dspam.conf file is the port 24 given as preset commented settings so I guess we can expect users to use this port:

#ClientHost     127.0.0.1
#ClientPort     24
#ServerHost             127.0.0.1
#ServerPort             24


time->Fri Oct 25 15:45:40 2013
type=SOCKADDR msg=audit(1382730340.128:153): saddr=02000018000000000000000000000000
type=SYSCALL msg=audit(1382730340.128:153): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff1ddad1f0 a2=10 a3=7fff1ddacd70 items=0 ppid=1 pid=13247 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null)
type=AVC msg=audit(1382730340.128:153): avc:  denied  { name_bind } for  pid=13247 comm="dspam" src=24 scontext=unconfined_u:system_r:dspam_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
dspam-3.10.2-4.el6.x86_64
selinux-policy-3.7.19-228.el6.noarch
Comment 1 Daniel Walsh 2013-11-04 11:45:05 EST
f167ebb83da447d5a12215549d7c88175b0c0f20 fixes this in git.

Although I wonder why this package was not rolled up into spamassassin policy?
Comment 6 errata-xmlrpc 2014-10-14 03:57:29 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

Note You need to log in before you can comment on or make changes to this bug.