Bug 1418031 - SELinux is preventing spamassassin from 'name_bind' accesses on the udp_socket port 13086.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f6acf9132d4833379e2d2dff39c...
Depends On:
Blocks:
Reported: 2017-01-31 16:25 UTC by Mihai Lazarescu
Modified: 2017-02-08 00:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-06 23:02:03 UTC
Type: ---
Embargoed:



Description Mihai Lazarescu 2017-01-31 16:25:19 UTC
Description of problem:
I check incoming email for spam using spamassassin:

	cat email_message | spamassassin

spamassassin is typically configured to query various external services.
Hence I have seen this SELinux alert pop up.
SELinux is preventing spamassassin from 'name_bind' accesses on the udp_socket port 13086.

*****  Plugin bind_ports (85.9 confidence) suggests   ************************

If you want to allow spamassassin to bind to network port 13086
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 13086

*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************

If you want to allow spamassassin to can network
Then you must tell SELinux about this by enabling the 'spamassassin_can_network' boolean.
You can read 'None' man page for more details.
Do
setsebool -P spamassassin_can_network 1

*****  Plugin catchall (1.35 confidence) suggests   **************************

If you believe that spamassassin should be allowed name_bind access on the port 13086 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'spamassassin' --raw | audit2allow -M my-spamassassin
# semodule -X 300 -i my-spamassassin.pp

Additional Information:
Source Context                system_u:system_r:spamc_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 13086 [ udp_socket ]
Source                        spamassassin
Source Path                   spamassassin
Port                          13086
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.5-200.fc25.x86_64 #1 SMP Fri
                              Jan 20 12:24:16 UTC 2017 x86_64 x86_64
Alert Count                   276
First Seen                    2017-01-28 18:13:43 CET
Last Seen                     2017-01-31 16:03:40 CET
Local ID                      2334809f-d065-42e0-901d-fc0a6f6fe2d5

Raw Audit Messages
type=AVC msg=audit(1485875020.439:58477): avc:  denied  { name_bind } for  pid=18378 comm="spamassassin" src=13086 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0


Hash: spamassassin,spamc_t,unreserved_port_t,udp_socket,name_bind

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.5-200.fc25.x86_64
type:           libreport

Potential duplicate: bug 904655

Comment 1 Daniel Walsh 2017-02-06 23:02:03 UTC
Looks like the alert gave you many options to choose from.  Pick one.

Comment 2 Mihai Lazarescu 2017-02-06 23:26:26 UTC
You are missing the point here.

This is not about me asking you for configuration advice.

This is about the default configuration of the spamassassin package clashing with the default configuration of selinux.

Your reply implies that it's fine by design for default configurations of packages to require the users to manually resolve their conflicts. This looks strange given that selinux used to ask the users about potential configuration issues.

Perhaps this request is no longer valid, or whatever...
Not my business anyway.
Have a nice day.

Comment 3 Daniel Walsh 2017-02-07 21:47:55 UTC
Mihai, so you are saying out of the box spamassassin package used the network?

Comment 4 Mihai Lazarescu 2017-02-07 22:12:24 UTC
That's my assumption.  I have:

[root@mtl ~]# rpm -qa spamassassin\*
spamassassin-3.4.1-9.fc25.x86_64
spamassassin-iXhash2-2.05-9.fc24.noarch
spamassassin-FuzzyOcr-3.6.0-14.fc24.noarch

for which I do not recall changing the configuration.  In fact:

[root@mtl ~]# rpm -V spamassassin-3.4.1-9.fc25.x86_64
[root@mtl ~]# rpm -V spamassassin-iXhash2-2.05-9.fc24.noarch
[root@mtl ~]# rpm -V spamassassin-FuzzyOcr-3.6.0-14.fc24.noarch

do not report any change.

The only difference from stock can be due to my (skinny) ~/.spamassassin/user_prefs:

rewrite_header subject
bayes_auto_learn no
use_bayes yes
dns_available yes
skip_rbl_checks no

The last two options may push spamassassin to use the network. But looking at the docs I see that even their default values would imply network use all the same:

https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

So yes, I guess that spamassassin was pretty much in its default configuration when I got the SELinux violation report.

Comment 5 Daniel Walsh 2017-02-08 00:18:03 UTC
The AVC indicates that spamassassin is attempting to listen on UDP port 13086.
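Reading the raw audit message from the description the way comment 5 does (which process, which source domain, which port label, which socket class) is easy to script. The following is an added example, not part of this bug report or of setroubleshoot: a small parser for the AVC record shown above that pulls out the fields a triager needs and flags that the target port carries the generic unreserved_port_t label rather than a service-specific one.

```python
import re

# Sample input: the raw AVC line from this bug report, copied verbatim.
AVC_LINE = ('type=AVC msg=audit(1485875020.439:58477): avc:  denied  { name_bind } '
            'for  pid=18378 comm="spamassassin" src=13086 '
            'scontext=system_u:system_r:spamc_t:s0 '
            'tcontext=system_u:object_r:unreserved_port_t:s0 '
            'tclass=udp_socket permissive=0')

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit AVC record into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what the policy rules match on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            _user, _role, typ, *_level = rec[ctx].split(':')
            rec[ctx + '_type'] = typ
    return rec


def is_unlabelled_port(rec):
    """True when the port has only the generic label (no service-specific port type)."""
    return rec.get('tcontext_type') == 'unreserved_port_t'


def describe(rec):
    """One-line reading of a name_bind denial, as in comment 5 of this bug."""
    if rec is None or rec['result'] != 'denied' or 'name_bind' not in rec['perms']:
        return None
    proto = rec['tclass'].replace('_socket', '').upper()
    return (f"{rec['comm']} (domain {rec['scontext_type']}) tried to bind "
            f"{proto} port {rec['src']} labelled {rec['tcontext_type']}")


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print(describe(rec))
    print('generic port label:', is_unlabelled_port(rec))
```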

