Description of problem:
there is an SELinux issue with default ports provided in default configuration related to policy bank "ORIGINATING"

Version-Release number of selected component (if applicable):
amavis-2.12.0-9.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. enable ORIGINATING by changing:

    $inet_socket_port = 10024;   # listen on this local TCP port(s)
    # $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

   to

    #$inet_socket_port = 10024;   # listen on this local TCP port(s)
    $inet_socket_port = [10024,10026];  # listen on multiple TCP ports

2. restart amavisd

Actual results:
will not start

Expected results:
starting

Additional info:
Issue is caused by SELinux port labeling of configured ports 10026 and 10027

    egrep '(10026|10027)' /etc/amavisd/amavisd.conf
    # $inet_socket_port = [10024,10026];  # listen on multiple TCP ports
    # from internal hosts to a dedicated TCP port (such as 10026) for filtering
    $interface_policy{'10026'} = 'ORIGINATING';
    forward_method => 'smtp:[127.0.0.1]:10027',

they have a different type "spamd_port_t"

    semanage port -l | egrep '(10026|10027)'
    spamd_port_t    tcp    783, 10026, 10027

compared to the default ones for simple amavisd operations:

    semanage port -l | egrep '(10024|10025)'
    amavisd_recv_port_t    tcp    10024
    amavisd_send_port_t    tcp    10025

changing the port label is imho not a good idea...can break something else

-> workaround/suggestion

instead of using 10026/10027 use the current unlabeled ports 10022/10023 by changing default config (working here quite well) and apply proper port labels in SELinux, final result should be:

    semanage port -l | egrep ^amavis
    amavisd_recv_port_t    tcp    10022, 10024
    amavisd_send_port_t    tcp    10023, 10025

As this change should be only done on fresh configurations, potentially a hint/warning should be applied in postinstall (or in the default config like "in case facing issues with 10026/10027 use 10022/10023").

Background: related postfix master configuration needs to be tweaked also for
- amavis reinjection
- amavis feed

The amavis SELinux policy is provided by the selinux-policy-targeted package in RHEL and not by amavis itself. The commented-out ports are an example and the administrators can choose whatever they want, so I consider it normal that you have to adjust the SELinux policy. I can agree on adding an example in the config file though.
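
The label check described in the report, as an added example (not code from the report, amavis or selinux-policy): it resolves which SELinux port type owns each amavisd port and prints either the `semanage port -a` command that would label it or the conflicting type. The function names and the embedded `semanage port -l` sample are constructed for illustration, and the `unreserved_port_t` range row is an assumption, not output quoted in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): check which SELinux port type
# owns each TCP port amavisd is configured to use.

# Constructed sample of `semanage port -l` output. The amavisd/spamd rows
# use the values quoted in the report; the unreserved_port_t range row is
# an assumption added to exercise range handling.
SAMPLE_LABELS='amavisd_recv_port_t  tcp  10024
amavisd_send_port_t  tcp  10025
spamd_port_t         tcp  783, 10026, 10027
unreserved_port_t    tcp  61001-65535, 1024-32767'

# port_type LABELS PORT: print the type of the narrowest tcp entry that
# contains PORT (a single-port entry beats a range), or "unlabeled".
port_type() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                e = $i; gsub(/,/, "", e)
                n = split(e, r, "-"); lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (p + 0 >= lo && p + 0 <= hi && (best == "" || hi - lo < span)) {
                    best = $1; span = hi - lo
                }
            }
        }
        END { print (best == "" ? "unlabeled" : best) }'
}

# audit_port LABELS PORT WANTED_TYPE: report ok, the semanage command that
# would add the label, or a conflict with another specific type.
audit_port() {
    local have
    have=$(port_type "$1" "$2")
    case "$have" in
        "$3") echo "ok" ;;
        unlabeled|unreserved_port_t)
            echo "semanage port -a -t $3 -p tcp $2" ;;
        *) echo "conflict:$have" ;;
    esac
}

# Ports from the report: stock pair, ORIGINATING pair, proposed pair.
for spec in 10024:amavisd_recv_port_t 10025:amavisd_send_port_t \
            10026:amavisd_recv_port_t 10027:amavisd_send_port_t \
            10022:amavisd_recv_port_t 10023:amavisd_send_port_t; do
    printf '%s -> %s\n' "${spec%%:*}" \
        "$(audit_port "$SAMPLE_LABELS" "${spec%%:*}" "${spec#*:}")"
done
```

On a live host, pass `"$(semanage port -l)"` in place of `$SAMPLE_LABELS`; the script only prints the labeling command and never runs it.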
FEDORA-EPEL-2020-ca1ac5519e has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-ca1ac5519e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-ca1ac5519e has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.