Bug 1891003 - default configuration example for ORIGINATING related to ports is blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: amavis
Version: epel8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Juan Orti
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-23 14:10 UTC by Peter Bieringer
Modified: 2020-12-03 02:09 UTC (History)

Fixed In Version: amavis-2.12.1-3.el8
Clone Of:
Environment:
Last Closed: 2020-12-03 02:09:34 UTC
Type: Bug
Embargoed:



Description Peter Bieringer 2020-10-23 14:10:13 UTC
Description of problem:
There is an SELinux issue with the default ports provided in the default configuration related to the policy bank "ORIGINATING".

Version-Release number of selected component (if applicable):
amavis-2.12.0-9.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. enable ORIGINATING by changing:

$inet_socket_port = 10024;   # listen on this local TCP port(s)
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

to

#$inet_socket_port = 10024;   # listen on this local TCP port(s)
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports

2. restart amavisd

Actual results:
will not start


Expected results:
starting

Additional info:
The issue is caused by the SELinux port labeling of the configured ports 10026 and 10027:

egrep '(10026|10027)' /etc/amavisd/amavisd.conf
# $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';
  forward_method => 'smtp:[127.0.0.1]:10027',


They have a different type, "spamd_port_t":

semanage port -l | egrep '(10026|10027)'                          
spamd_port_t                   tcp      783, 10026, 10027


Compared to the default ones for simple amavisd operation:

semanage port -l | egrep '(10024|10025)' 
amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025


Changing the port label is IMHO not a good idea; it can break something else.

-> Workaround/suggestion: instead of using 10026/10027, use the currently unlabeled ports 10022/10023 by changing the default config (working here quite well) and apply proper port labels in SELinux; the final result should be:

semanage port -l | egrep ^amavis         
amavisd_recv_port_t            tcp      10022, 10024
amavisd_send_port_t            tcp      10023, 10025

As this change should only be done on fresh configurations, a hint/warning should potentially be applied in postinstall (or in the default config, like "in case of facing issues with 10026/10027, use 10022/10023").

Background: the related postfix master configuration also needs to be tweaked for
- amavis reinjection
- amavis feed
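
Added example, not part of the bug report or of the amavis package: a POSIX shell checker that compares the TCP ports an amavisd.conf refers to against the output of "semanage port -l" and classifies each port as ok, unlabeled, or in conflict with another service's port type, which is the distinction the report draws between 10026/10027 (spamd_port_t) and the unlabeled 10022/10023. It assumes that listening ports ($inet_socket_port) need amavisd_recv_port_t and that the forward_method port needs amavisd_send_port_t; it ignores port ranges in the semanage listing, and it runs on constructed samples of the config and semanage output built from the values quoted above. All function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the bug report or the amavis package.
# Checks whether the TCP ports an amavisd.conf refers to carry the SELinux port
# types amavisd may use. Assumptions: listening ports ($inet_socket_port) need
# amavisd_recv_port_t, the forward_method port needs amavisd_send_port_t, and
# port ranges in `semanage port -l` are ignored (a port inside a range counts
# as having no dedicated label).

# Constructed sample: the relevant amavisd.conf lines after step 1 of the report.
CONF_SAMPLE=$(cat <<'EOF'
#$inet_socket_port = 10024;   # listen on this local TCP port(s)
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports
$interface_policy{'10026'} = 'ORIGINATING';
  forward_method => 'smtp:[127.0.0.1]:10027',
EOF
)

# Constructed sample: the same lines with the suggested 10022/10023 ports.
CONF_SUGGESTED=$(cat <<'EOF'
$inet_socket_port = [10024,10022];  # listen on multiple TCP ports
$interface_policy{'10022'} = 'ORIGINATING';
  forward_method => 'smtp:[127.0.0.1]:10023',
EOF
)

# Constructed sample: `semanage port -l` lines with the labels quoted in the report.
SEMANAGE_SAMPLE=$(cat <<'EOF'
amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
spamd_port_t                   tcp      783, 10026, 10027
EOF
)

# listen_ports CONF: ports of the active (uncommented) $inet_socket_port line, one per line.
listen_ports() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*\$inet_socket_port[[:space:]]*=[[:space:]]*\[\{0,1\}\([0-9, ]*\)\]\{0,1\}.*/\1/p' |
    tr -d ' ' | tr ',' '\n'
}

# forward_port CONF: the TCP port of the forward_method smtp target.
forward_port() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*forward_method[[:space:]]*=>[[:space:]]*'smtp:\[[^]]*\]:\([0-9]*\)'.*/\1/p"
}

# port_type PORT SEMANAGE_OUTPUT: the type whose tcp list names PORT exactly, else "none".
port_type() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        v = $i; sub(",", "", v)
        if (v == p) { print $1; found = 1; exit }
      }
    }
    END { if (!found) print "none" }'
}

# check_port PORT WANTED_TYPE SEMANAGE_OUTPUT: "ok", "unlabeled" or "conflict:<type>".
check_port() {
  have=$(port_type "$1" "$3")
  if [ "$have" = "$2" ]; then echo ok
  elif [ "$have" = none ]; then echo unlabeled
  else echo "conflict:$have"
  fi
}

# report CONF SEMANAGE_OUTPUT: one line per port, "<port> <wanted type> <state>".
report() {
  for p in $(listen_ports "$1"); do
    echo "$p amavisd_recv_port_t $(check_port "$p" amavisd_recv_port_t "$2")"
  done
  fp=$(forward_port "$1")
  if [ -n "$fp" ]; then
    echo "$fp amavisd_send_port_t $(check_port "$fp" amavisd_send_port_t "$2")"
  fi
}

# fix_commands CONF SEMANAGE_OUTPUT: print (do not run) the semanage command that would
# label each unlabeled port. Conflicting ports get no command: relabeling a port that
# another service's type already claims (spamd here) can break that service.
fix_commands() {
  report "$1" "$2" | awk '$3 == "unlabeled" { print "semanage port -a -t " $2 " -p tcp " $1 }'
}

# Stand-alone run on the samples. On a live host use the real inputs instead:
#   report "$(cat /etc/amavisd/amavisd.conf)" "$(semanage port -l)"
echo "# shipped example ports:"; report "$CONF_SAMPLE" "$SEMANAGE_SAMPLE"
echo "# suggested ports:";       report "$CONF_SUGGESTED" "$SEMANAGE_SAMPLE"
fix_commands "$CONF_SUGGESTED" "$SEMANAGE_SAMPLE"
```

Run against the shipped example, the checker reports 10026 and 10027 as conflict:spamd_port_t and prints no fix command, because a port already claimed by another type would need "semanage port -m", which is the relabeling the report advises against. Run against the 10022/10023 variant, both ports come back unlabeled and the two "semanage port -a" commands that would give them the amavisd types are printed for review before anyone applies them.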

Comment 1 Juan Orti 2020-11-17 10:23:15 UTC
The amavis SELinux policy is provided by the selinux-policy-targeted package in RHEL and not by amavis itself.

The commented-out ports are an example and administrators can choose whatever they want, so I consider it normal that you have to adjust the SELinux policy. I can agree on adding an example in the config file though.

Comment 2 Fedora Update System 2020-11-17 19:13:50 UTC
FEDORA-EPEL-2020-ca1ac5519e has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e

Comment 3 Fedora Update System 2020-11-18 03:15:20 UTC
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-12-03 02:09:34 UTC
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.

