Bug 171903 - (selinux) spamassassin startup fails on boot
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Blocks: FC5Target
Reported: 2005-10-27 13:12 EDT by Nicolas Mailhot
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-12-17 05:21:42 EST
Attachments: None
Description Nicolas Mailhot 2005-10-27 13:12:02 EDT
spamassassin complains about being unable to create a dnsresolver socket

When I restart it later with security enforcing disabled it works

(sorry about the vague message, I don't seem able to find it in /var/log even
though the problem is reproducible at every boot)

spamassassin-3.1.0-1.fc5 on up-to-date FC devel system, with
perl-Mail-SPF-Query-1.997-5.fc5 installed
Comment 1 Nicolas Mailhot 2005-10-27 13:14:13 EDT
Found the error message:

Error creating a DNS resolver socket: Permission non accordée at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202.

(seems selinux problem, it says it is not allowed to create the socket)
Comment 2 Nicolas Mailhot 2005-10-27 14:46:43 EDT
probably selinux-related -> adding dwalsh@redhat.com in CCs
Comment 3 Jason Vas Dias 2005-10-27 15:46:13 EDT
RE:
>  seems selinux problem, it says it is not allowed to create the socket
...
>  When I restart it later with security enforcing disabled it works

Yes, this sounds like an SELinux problem - reassigning to 
selinux-policy-targeted package.

I hope that when you say 'restart it later with security enforcing disabled'
that you did 'setenforce 0' or booted with 'enforcing=0', and did NOT disable
selinux entirely by booting with 'selinux=0' - otherwise you'll have to relabel.
Comment 4 Nicolas Mailhot 2005-10-27 16:35:15 EDT
I use setenforce. I'm trying very hard not to boot with 'selinux=0' or selinux
disabled via sysconfig, because I know the day I do it the easy way I'll never
go back
Comment 5 Jason Vas Dias 2005-10-27 16:48:16 EDT
OK, well please try this to gather the information required to determine the
cause of this bug :

1. start out with an empty audit log -
   either empty it:
   # > /var/log/audit/audit.log
   or move it:
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak

2. start spamassassin
   # service spamassassin start 2>&1 | tee /tmp/spastart.log

When the spamassassin start fails - is that what's happening here? -
Please append the output of this command:
   # audit2allow </var/log/audit/audit.log | tee /tmp/spaudit.log
and gather the log files:
   # tar -cpf /tmp/spabug.tar /var/log/audit/audit.log  \
                              /tmp/spastart.log /tmp/spaudit.log
and attach the complete /tmp/spabug.tar file to this bug report.

Thank You!
Comment 6 Nicolas Mailhot 2005-10-27 17:08:42 EDT
I'll put the results inline since there is far too little to justify a tar

1. in spastart.log
Starting spamd:                                            [ÉCHOUÉ]

2. in maillog
spamd[4407]: Error creating a DNS resolver socket: Permission non accordée at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202.

3. in spaudit.log
allow spamd_t port_t:udp_socket name_bind;
allow spamd_t user_home_t:dir { getattr search };

Strangely the results were not consistent. When started from the CLI the service
succeeded more often than it failed. On boot it's always failing.
Comment 7 Daniel Walsh 2005-10-27 17:18:13 EDT
Fixed in selinux-policy-targeted-1.27.2-7
Comment 8 Nicolas Mailhot 2005-10-28 09:51:22 EDT
Unfortunately, rebooting with selinux-policy-targeted-1.27.2-7 shows the problem
still exists (no manual relabel is needed nowadays, right?)

audit2allow </var/log/audit/audit.log just after bootup shows these spamd lines:

allow spamd_t devpts_t:chr_file ioctl;
allow spamd_t port_t:udp_socket name_bind;
allow spamd_t user_home_t:dir { add_name getattr remove_name search write };
allow spamd_t user_home_t:file append create getattr ioctl link read rename
setattr unlink write;

It's a bit more complex than when doing spamassassin tests on an already running
system
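The audit2allow lines quoted in this and the previous comments are a summary of the AVC denial records in /var/log/audit/audit.log. The Python script below, added here as an example and not part of the bug report, of audit2allow or of SpamAssassin, performs that aggregation over constructed sample records (timestamps, pids and inode numbers are invented) and can filter by source domain, so you can see exactly how the two spamd_t rules from comment 6 arise while unrelated denials from other daemons are set aside.

```python
import re
from collections import defaultdict

# An AVC denial record as written to /var/log/audit/audit.log; the perms in braces
# and the scontext/tcontext/tclass fields are all audit2allow needs for a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    """user:role:type[:level] -> type, e.g. root:system_r:spamd_t -> spamd_t."""
    return context.split(":")[2]

def parse_avc(lines):
    """Yield (source_type, target_type, tclass, permission) per denied permission."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH and other record types carry no denial
            continue
        src, tgt = _type_of(m.group("scontext")), _type_of(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm

def summarize(lines, source_type=None):
    """Collapse denials into audit2allow-style 'allow' lines, optionally for one domain."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_avc(lines):
        if source_type is None or src == source_type:
            rules[(src, tgt, tclass)].add(perm)
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {body};")
    return out

# Constructed sample records (timestamps, pids, inodes invented) mirroring the denials
# reported in this bug, plus one unrelated dovecot denial to show the domain filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1130444180.101:41): avc:  denied  { name_bind } for  pid=4407 comm="spamd" src=34567 scontext=root:system_r:spamd_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=SYSCALL msg=audit(1130444180.101:41): arch=40000003 syscall=102 success=no exit=-13 comm="spamd"
type=AVC msg=audit(1130444180.102:42): avc:  denied  { search } for  pid=4407 comm="spamd" name="root" dev=hda2 ino=12 scontext=root:system_r:spamd_t tcontext=root:object_r:user_home_t tclass=dir
type=AVC msg=audit(1130444180.103:43): avc:  denied  { getattr } for  pid=4407 comm="spamd" path="/root" dev=hda2 ino=12 scontext=root:system_r:spamd_t tcontext=root:object_r:user_home_t tclass=dir
type=AVC msg=audit(1130444181.200:44): avc:  denied  { search } for  pid=2100 comm="dovecot-auth" name="run" scontext=system_u:system_r:dovecot_auth_t tcontext=system_u:object_r:dovecot_var_run_t tclass=dir
""".splitlines()

if __name__ == "__main__":
    for rule in summarize(SAMPLE_AUDIT_LOG, "spamd_t"):
        print(rule)
```

The rules are a reading of what was denied, to be compared against the intended policy for the domain rather than loaded wholesale.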
Comment 9 Nicolas Mailhot 2005-10-28 09:54:24 EDT
BTW looking at /var/log/audit/audit.log I see a lot of accesses to .spamassassin
and .pyzor blocked - I wonder if that's why pyzor has not been running well
there lately
Comment 10 Daniel Walsh 2005-10-28 10:07:20 EDT
Could you try selinux-policy-targeted-1.27.2-11 (Available in fedora-test)
or 
ftp://people.redhat.com/dwalsh/SELinux/FC4/
What port is it trying to bind to?
Comment 11 Nicolas Mailhot 2005-10-28 10:16:01 EDT
Will it work with a rawhide system?

For the port I haven't got the faintest idea. I'm just reporting the error. But
the following snippet taken from the file referenced in the maillog error may be
enlightening:

  dbg("dns: name server: $ns, family: $family, ipv6: $ipv6");

  # find next available unprivileged port (1024 - 65535)
  # starting at a random value to spread out use of ports
  my $port_offset = int(rand(64511));  # 65535 - 1024
  for (my $i = 0; $i<64511; $i++) {
    my $lport = 1024 + (($port_offset + $i) % 64511);

    my %args = (
        PeerAddr => $ns,
        PeerPort => $self->{res}->{port},
        Proto => 'udp',
        LocalPort => $lport,
        Type => SOCK_DGRAM,
        Domain => $family,
    );

    if (HAS_SOCKET_INET6) {
      $sock = IO::Socket::INET6->new(%args);
    } else {
      $sock = IO::Socket::INET->new(%args);
    }
    $errno = $!;
    if (defined $sock) {  # ok, got it
      last;
    } elsif ($! == EADDRINUSE) {  # in use, let's try another source port
      dbg("dns: UDP port $lport already in use, trying another port");
    } else {
      # did we fail due to the attempted use of an IPv6 nameserver?
      $self->_ipv6_ns_warning()  if (!$ipv6 && $errno==EINVAL);
      die "Error creating a DNS resolver socket: $errno";  # <-- error that ends up in the logs
    }
  }
  defined $sock or die "Can't create a DNS resolver socket: $errno";
Comment 12 Nicolas Mailhot 2005-10-28 10:21:45 EDT
[root@rousalka tmp]# rpm -Uvh selinux-policy-targeted-1.27.1-2.11.noarch.rpm --force
attention: selinux-policy-targeted-1.27.1-2.11.noarch.rpm: Entête V3 DSA
signature: NOKEY, key ID 30c9ecf8
Préparation...              ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
/usr/sbin/load_policy:  Warning!  Policy file argument
(/etc/selinux/targeted/policy/policy.20) is no longer supported, installed
policy is always loaded.  Continuing...
/sbin/restorecon reset /bin/su context
system_u:object_r:su_exec_t->system_u:object_r:bin_t
/sbin/restorecon reset /usr/bin/newrole context
system_u:object_r:newrole_exec_t->system_u:object_r:bin_t
/sbin/restorecon reset /usr/bin/spamc context
system_u:object_r:spamc_exec_t->system_u:object_r:bin_t
/var/lib is already defined in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context.

Will reboot now
Comment 13 Nicolas Mailhot 2005-10-28 10:42:07 EDT
1. After reboot, no relabel is triggered, most services fail (including network)
2. -> reboot in non enforcing mode (which shows that spamassassin succeeds
without selinux BTW)
3. reinstall rawhide policy, reboot, autorelabel, reboot just to make sure, back
to square 1.
Comment 14 Daniel Walsh 2005-10-28 10:56:19 EDT
Sorry I thought you were on FC4.

Try selinux-policy-targeted-1.27.2-8.noarch.rpm

Available on ftp://people.redhat.com/dwalsh/SELinux/Fedora
Comment 15 Nicolas Mailhot 2005-10-28 11:19:06 EDT
This one works, thank you. I can't believe I've actually booted a system in
enforcing mode without any service failing :)

I'll go test squirrelmail now. I seem to remember it had selinux problems too
Comment 16 Nicolas Mailhot 2005-12-04 08:54:41 EST
And this got broken a few days afterwards with the selinux policy 2 changes.
With selinux-policy-targeted-2.0.8-1 spamassassin can not create its dnsresolver
socket (it does not make the service fail on startup like before but it's a
serious problem still)

Dec  4 14:24:55 rousalka postfix/master[2356]: daemon started -- version 2.2.5,
configuration /etc/postfix
Dec  4 14:24:56 rousalka spamd[2363]: Error creating a DNS resolver socket:
Permission non accordée at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 202.


# audit2allow < /var/log/audit/audit.log | sort
allow cupsd_config_t cupsd_log_t:file { read write };
allow dovecot_auth_t dovecot_var_run_t:dir search;
allow dovecot_auth_t tmp_t:dir getattr;
allow dovecot_auth_t usr_t:lnk_file read;
allow dovecot_t etc_runtime_t:file read;
allow saslauthd_t self:capability setuid;
allow saslauthd_t tmp_t:dir getattr;
allow saslauthd_t usr_t:lnk_file read;
allow spamd_t port_t:udp_socket name_bind;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow system_dbusd_t self:process setcap;
allow updfstab_t tmpfs_t:dir getattr;
Comment 17 Nicolas Mailhot 2005-12-04 12:24:59 EST
Well I was wrong - the resolver problem crashes spamassassin like before
Comment 18 Daniel Walsh 2005-12-12 23:15:29 EST
New fixes for this in selinux-policy-targeted-2.1.4-1
Comment 19 Nicolas Mailhot 2005-12-17 05:21:42 EST
Seems fixed again
