1024677 – SELinux prevents dspam from using port tcp/24

Bug 1024677 - SELinux prevents dspam from using port tcp/24

Summary: SELinux prevents dspam from using port tcp/24

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Eduard Benes
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-10-30 08:46 UTC by Michal Trunecka
Modified:	2014-10-14 07:57 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-10-14 07:57:29 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1568	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2014-10-14 01:27:37 UTC

Description Michal Trunecka 2013-10-30 08:46:02 UTC

Description of problem:

Despite the fact, that we set ServerPort to 10026 in the test, dspam tries to connect to port 24, which was denied by selinux, see the AVC below. Dspam didn't behave this way before, it seems to be new in dspam version 3.10.2-4. However, this is not deterministic, it happens only about 1 of 3 cases of running this test.

In the /etc/dspam.conf file is the port 24 given as preset commented settings so I guess we can expect users to use this port:

#ClientHost     127.0.0.1
#ClientPort     24
#ServerHost             127.0.0.1
#ServerPort             24


time->Fri Oct 25 15:45:40 2013
type=SOCKADDR msg=audit(1382730340.128:153): saddr=02000018000000000000000000000000
type=SYSCALL msg=audit(1382730340.128:153): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fff1ddad1f0 a2=10 a3=7fff1ddacd70 items=0 ppid=1 pid=13247 auid=4294967295 uid=493 gid=491 euid=493 suid=493 fsuid=493 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="dspam" exe="/usr/bin/dspam" subj=unconfined_u:system_r:dspam_t:s0 key=(null)
type=AVC msg=audit(1382730340.128:153): avc:  denied  { name_bind } for  pid=13247 comm="dspam" src=24 scontext=unconfined_u:system_r:dspam_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
dspam-3.10.2-4.el6.x86_64
selinux-policy-3.7.19-228.el6.noarch

Comment 1 Daniel Walsh 2013-11-04 16:45:05 UTC

f167ebb83da447d5a12215549d7c88175b0c0f20 fixes this in git.

Although I wonder why this package was not rolled up into spamassassin policy?

Comment 6 errata-xmlrpc 2014-10-14 07:57:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

Note You need to log in before you can comment on or make changes to this bug.