Bug 179643 - spamd denied ldap_port_t
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium, Severity: low
Assigned To: Daniel Walsh
Keywords: EasyFix, SELinux
Reported: 2006-02-01 15:48 EST by Justin Willmert
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.27.1-2.20
Doc Type: Bug Fix
Last Closed: 2006-03-20 20:43:22 EST
Description Justin Willmert 2006-02-01 15:48:18 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Description of problem:
When the system is set up to use LDAP system authentication, spamd cannot setuid to the user, creating many permission problems (spamd downgrades to nobody). When SELinux is changed to permissive mode, spamd works. There are logs of ldap_port_t denial messages (I'll post the exact message later. Right now I'm at school.)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.16 and spamassassin-3.0.4-2

How reproducible:
Always

Steps to Reproduce:
1. Set SELinux to enforcing mode (for targeted policy)
2. Start spamd service
3. Send email through `spamc -u USER` (where USER is a user that resides in an LDAP directory)
  

Actual Results:  spamd setuid()'s to nobody(99) instead of USER

Expected Results:  Able to setuid to USER

Additional info:

System authentication was set up during install using Fedora's authentication manager (I can't remember the program's name right now... It works through nsswitch.conf)
Comment 1 Justin Willmert 2006-02-01 16:58:55 EST
Here are the AVC messages I promised to post.

type=AVC msg=audit(1138831213.154:112091): avc:  denied  { name_connect } for pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.154:112091): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc775d0 a2=1171cb8 a3=7 items=0 pid=9014 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.154:112091): saddr=02000185C0A801940000000000000000
type=SOCKETCALL msg=audit(1138831213.154:112091): nargs=3 a0=7 a1=a1d60d0 a2=10
type=AVC msg=audit(1138831213.598:112092): avc:  denied  { name_connect } for pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.598:112092): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc775d0 a2=1171cb8 a3=7 items=0 pid=9014 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.598:112092): saddr=02000185C0A801940000000000000000
type=SOCKETCALL msg=audit(1138831213.598:112092): nargs=3 a0=7 a1=a219830 a2=10
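
Added example, not part of the original report or of the selinux-policy project: a triage script that groups the audit records above by serial number, extracts the denied permission and SELinux types, and decodes the SOCKADDR `saddr` hex into the address and port spamd tried to reach. The function names are hypothetical, and the decoder assumes an AF_INET sockaddr dumped on a little-endian host (the report is for i386).

```python
import re
import socket
import struct
from collections import defaultdict

# Records copied from the comment above, one per line (SOCKETCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1138831213.154:112091): avc:  denied  { name_connect } for pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.154:112091): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc775d0 a2=1171cb8 a3=7 items=0 pid=9014 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.154:112091): saddr=02000185C0A801940000000000000000
type=AVC msg=audit(1138831213.598:112092): avc:  denied  { name_connect } for pid=9014 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138831213.598:112092): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc775d0 a2=1171cb8 a3=7 items=0 pid=9014 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99 egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138831213.598:112092): saddr=02000185C0A801940000000000000000
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Decode an AF_INET sockaddr as dumped by a little-endian host such as i386."""
    raw = bytes.fromhex(hex_saddr)
    if struct.unpack_from("<H", raw, 0)[0] != socket.AF_INET:  # sa_family, host order
        return None
    port = struct.unpack_from("!H", raw, 2)[0]                 # sin_port, network order
    return socket.inet_ntoa(raw[4:8]), port

def summarize_denials(log):
    """Group records by audit serial and return one summary dict per AVC denial."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = RECORD.match(line)
        if m:
            rtype, serial, body = m.groups()
            rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
            if rtype == "AVC":
                rec["perm"] = re.search(r"\{\s*(.+?)\s*\}", body).group(1)
            events[int(serial)][rtype] = rec
    out = []
    for serial in sorted(events):
        ev = events[serial]
        if "AVC" not in ev:
            continue
        avc, sysc, sa = ev["AVC"], ev.get("SYSCALL", {}), ev.get("SOCKADDR", {})
        out.append({
            "serial": serial, "comm": avc.get("comm"), "perm": avc["perm"],
            "source": avc["scontext"].split(":")[2], "target": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "euid": int(sysc["euid"]) if "euid" in sysc else None,
            "peer": decode_saddr(sa["saddr"]) if "saddr" in sa else None,
        })
    return out
```

Run over the two events, it reports `spamd_t` denied `name_connect` on `ldap_port_t` toward 192.168.1.148 port 389 both times, with euid 0 in the first event and euid 99 in the second.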
Comment 2 Daniel Walsh 2006-02-02 13:51:20 EST
Fixed in selinux-policy-targeted-1.27.1-2.20
