Description of problem:
I check incoming email for spam using spamassassin:

    cat email_message | spamassassin

spamassassin is typically configured to query various external services. Hence I have seen this SELinux alert pop up.

SELinux is preventing spamassassin from 'name_bind' accesses on the udp_socket port 13086.

***** Plugin bind_ports (85.9 confidence) suggests ************************
If you want to allow spamassassin to bind to network port 13086
Then you need to modify the port type.
Do
# semanage port -a -t -p udp 13086

***** Plugin catchall_boolean (7.33 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

***** Plugin catchall_boolean (7.33 confidence) suggests ******************
If you want to allow spamassassin to can network
Then you must tell SELinux about this by enabling the 'spamassassin_can_network' boolean.
You can read 'None' man page for more details.
Do
setsebool -P spamassassin_can_network 1

***** Plugin catchall (1.35 confidence) suggests **************************
If you believe that spamassassin should be allowed name_bind access on the port 13086 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'spamassassin' --raw | audit2allow -M my-spamassassin
# semodule -X 300 -i my-spamassassin.pp

Additional Information:
Source Context                system_u:system_r:spamc_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 13086 [ udp_socket ]
Source                        spamassassin
Source Path                   spamassassin
Port                          13086
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.5-200.fc25.x86_64 #1 SMP Fri Jan 20 12:24:16 UTC 2017 x86_64 x86_64
Alert Count                   276
First Seen                    2017-01-28 18:13:43 CET
Last Seen                     2017-01-31 16:03:40 CET
Local ID                      2334809f-d065-42e0-901d-fc0a6f6fe2d5

Raw Audit Messages
type=AVC msg=audit(1485875020.439:58477): avc: denied { name_bind } for pid=18378 comm="spamassassin" src=13086 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

Hash: spamassassin,spamc_t,unreserved_port_t,udp_socket,name_bind

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.5-200.fc25.x86_64
type:           libreport

Potential duplicate: bug 904655
Looks like the alert gave you many options to choose from. Pick one.
You are missing the point here. This is not about me asking you for configuration advice. This is about the default configuration of the spamassassin package clashing with the default configuration of SELinux. Your reply implies that it's fine by design for default configurations of packages to require the users to manually resolve their conflicts. This looks strange given that SELinux used to ask the users about potential configuration issues. Perhaps this request is no longer valid, or whatever... Not my business anyway. Have a nice day.
Mihai, so you are saying the out-of-the-box spamassassin package used the network?
That's my assumption. I have:

[root@mtl ~]# rpm -qa spamassassin\*
spamassassin-3.4.1-9.fc25.x86_64
spamassassin-iXhash2-2.05-9.fc24.noarch
spamassassin-FuzzyOcr-3.6.0-14.fc24.noarch

for which I do not recall changing the configuration. In fact:

[root@mtl ~]# rpm -V spamassassin-3.4.1-9.fc25.x86_64
[root@mtl ~]# rpm -V spamassassin-iXhash2-2.05-9.fc24.noarch
[root@mtl ~]# rpm -V spamassassin-FuzzyOcr-3.6.0-14.fc24.noarch

do not report any change. The only difference from stock can be due to my (skinny) ~/.spamassassin/user_prefs:

rewrite_header subject
bayes_auto_learn no
use_bayes yes
dns_available yes
skip_rbl_checks no

The last two options may push spamassassin to use the network. But looking at the docs I see that even their default values would imply network use all the same: https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

So yes, I guess that spamassassin was pretty much in its default configuration when I got the SELinux violation report.
The AVC indicates that spamassassin is attempting to listen on UDP port 13086.
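Triaging the AVC by its fields rather than by the alert's confidence scores, as an added example in shell (not code from the bug report or from the selinux-policy project): both audit records are constructed, the first modelled on the one pasted above and the second an invented repeat of the same denial on a different port, to show why the per-port "semanage port" suggestion does not hold for a source port that changes with every DNS query.

```sh
#!/bin/sh
# Added example, not from the bug report or the selinux-policy project: boil
# raw AVC records like the one pasted above down to the fields a policy
# decision needs, and flag the case where the "semanage port" suggestion is
# a poor fit. Both records are constructed (the second is an invented repeat).

AVC1='type=AVC msg=audit(1485875020.439:58477): avc: denied { name_bind } for pid=18378 comm="spamassassin" src=13086 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0'
AVC2='type=AVC msg=audit(1485875100.101:58490): avc: denied { name_bind } for pid=18411 comm="spamassassin" src=41237 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0'

# Value of a key=value field in an audit record (quotes stripped); empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# The permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^} ]*\).*/\1/p'
}

# The third colon-separated element of a security context is the SELinux type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary: <source type> <perm> <class> <target type> <port>
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" src)"
}

# A name_bind on a port >= 1024 labelled unreserved_port_t is the source port
# of an outbound socket: relabelling that one number only moves the denial to
# the next random port, so the fix belongs in a boolean or a policy module.
avc_advice() {
    perm=$(avc_perm "$1")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    port=$(avc_field "$1" src)
    if [ "$perm" = name_bind ] && [ "$ttype" = unreserved_port_t ] && [ -n "$port" ] && [ "$port" -ge 1024 ]; then
        echo "ephemeral-port-bind"
    else
        echo "review"
    fi
}
for rec in "$AVC1" "$AVC2"; do
    avc_summary "$rec"
    avc_advice "$rec"
done
```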