Bug 445009 - SELinux is preventing spamassassin (procmail_t) "name_connect" to <Unknown> (razor_port_t).
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-02 18:33 UTC by Jeff Layton
Modified: 2014-06-18 07:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-06 19:55:59 UTC
Type: ---
Embargoed:



Description Jeff Layton 2008-05-02 18:33:34 UTC
Recently turned SELinux back on my mailserver running postfix and spamassassin,
and am getting the following AVC message (looks like selinux doesn't allow for
connections to the Razor spam DB):

SELinux is preventing spamassassin (procmail_t) "name_connect" to <Unknown>
(razor_port_t). 

...here's the alert:



Summary:

SELinux is preventing spamassassin (procmail_t) "name_connect" to <Unknown>
(razor_port_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:procmail_t
Target Context                system_u:object_r:razor_port_t
Target Objects                None [ tcp_socket ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          2703
Host                          salusa.poochiereds.net
Source RPM Packages           perl-5.8.8-39.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-98.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     salusa.poochiereds.net
Platform                      Linux salusa.poochiereds.net 2.6.24.5-85.fc8 #1
                              SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Fri 02 May 2008 10:32:33 AM EDT
Last Seen                     Fri 02 May 2008 02:27:06 PM EDT
Local ID                      2f1991ab-918d-49ec-bf3f-1efe4bcad410
Line Numbers                  

Raw Audit Messages            

host=salusa.poochiereds.net type=AVC msg=audit(1209752826.320:322): avc:  denied
 { name_connect } for  pid=7427 comm="spamassassin" dest=2703
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket

host=salusa.poochiereds.net type=SYSCALL msg=audit(1209752826.320:322):
arch=c000003e syscall=42 success=no exit=-115 a0=6 a1=16cf450 a2=10 a3=0 items=0
ppid=7426 pid=7427 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002
fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) comm="spamassassin"
exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-05-06 19:55:59 UTC
The easiest thing for you to do is execute 

# grep procmail /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp

In Fedora 9 there is a transition from procmail to spamassassin_t, but this
might be a little dangerous for Fedora 8.

So I am going to close this and mark it as fixed in the next release.
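
Added example (not part of the bug report, and not Daniel Walsh's or the selinux-policy project's code): a Python sketch that parses AVC denial records like the one in the description and lists the allow rules a local module built from them would grant, so they can be reviewed before `semodule -i`. Because `grep procmail` selects every audit line that mentions procmail, the sample input pairs the AVC record from the report (joined onto one line) with one constructed, unrelated procmail_t denial. The function names are hypothetical and the rule text approximates audit2allow output rather than reproducing its implementation.

```python
import re
from collections import defaultdict

# First AVC record: from the report, joined onto one line and trimmed.
# Last AVC record: constructed, to show an unrelated denial riding along.
SAMPLE_LOG = """\
type=AVC msg=audit(1209752826.320:322): avc:  denied  { name_connect } for  pid=7427 comm="spamassassin" dest=2703 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1209752826.320:322): arch=c000003e syscall=42 success=no exit=-115 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(1209752900.000:400): avc:  denied  { read write } for  pid=7500 comm="procmail" name="example" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(":")[2]

def rules_from_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL and other record types carry no permission set
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return grouped

def render_rules(grouped):
    """Render allow rules in type-enforcement syntax, sorted for review."""
    out = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return out

if __name__ == "__main__":
    for rule in render_rules(rules_from_denials(SAMPLE_LOG)):
        print(rule)
```

Any rule in the output that is not the razor_port_t name_connect grant is a sign that the grep pattern should be narrowed before the module is built.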

