Description of problem:
Spampd is not allowed by SELinux policy to connect back to Postfix for mail delivery.

Version-Release number of selected component (if applicable):
spampd-2.30-16.fc20.noarch
selinux-policy-targeted-3.12.1-119.fc20.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install spampd
2. Configure spampd to listen on 127.0.0.1:10026 and connect to 127.0.0.1:10027, which is suggested by Fedora documentation
3. Run spampd
4. Connection denied by SELinux

Actual results:
type=AVC msg=audit(1391087514.778:5806): avc: denied { name_connect } for pid=3078 comm="spampd" dest=10027 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket

Additional info:
Apparently there is no SELinux policy for spampd. Instead, spampd is handled the same way as spamd, which is part of the spamassassin package. The spamd rules are part of the spamassassin policy. Spamd doesn't need to connect to tcp/10027 because it doesn't work as a proxy, the way spampd does. As a result, spampd isn't allowed that connection either, and so it doesn't work.

By the way, I noticed that in fact for Fedora 16 a spampd policy was introduced, see bug #844784. I don't know what happened to that policy.
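
Added example, not part of the original report or of the selinux-policy project: a small parser for the AVC record quoted above that extracts the source and target types and derives the type-enforcement rule the denial corresponds to, which is the same mapping audit2allow performs. The function names are hypothetical, and the derived rule is read off the denial, not taken from any commit.

```python
import re

# The denial quoted in the report above, copied verbatim from the page.
AVC_LINE = ('type=AVC msg=audit(1391087514.778:5806): avc: denied { name_connect } '
            'for pid=3078 comm="spampd" dest=10027 '
            'scontext=system_u:system_r:spamd_t:s0 '
            'tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type from user:role:type[:level]; the level may itself contain ':'."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def parse_avc(line):
    """Parse one AVC audit record into a dict of its fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            raise ValueError(f"AVC record lacks {key}")
    fields['verdict'] = m.group('verdict')
    fields['perms'] = m.group('perms').split()
    fields['source_type'] = context_type(fields['scontext'])
    fields['target_type'] = context_type(fields['tcontext'])
    return fields


def allow_rule(avc):
    """Render the TE rule whose absence produced this denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"allow {avc['source_type']} {avc['target_type']}:"
            f"{avc['tclass']} {perm_str};")


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(f"{avc['comm']} (domain {avc['source_type']}) -> tcp/{avc['dest']} "
          f"(port type {avc['target_type']}): {avc['verdict']}")
    print(allow_rule(avc))
```

The output shows that the process named spampd runs in the spamd_t domain, which is the point the report makes about spampd being handled like spamd.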
Can the SELinux maintainer create a policy or confirm if this is a new bug?
commit 3f320ce98cf23193a9f65ea56478ca2dfeef259d
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 11 19:41:30 2014 +0100

    Allow spamd to connect to spamd port
Hi Miroslav,

Thanks for fixing this issue. Maybe a bit of a noob question, but where can I find the contents of commit 3f320ce98cf23193a9f65ea56478ca2dfeef259d? And is there already a package available in koji that I can test?

Thanks,
Erik.
https://git.fedorahosted.org/git/selinux-policy.git A new build is coming today.