Bug 445009 - SELinux is preventing spamassassin (procmail_t) "name_connect" to <Unknown> (razor_port_t).
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-05-02 14:33 EDT by Jeff Layton
Modified: 2014-06-18 03:37 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-06 15:55:59 EDT
Description Jeff Layton 2008-05-02 14:33:34 EDT
Recently turned SELinux back on my mailserver running postfix and spamassassin,
and am getting the following AVC message (looks like selinux doesn't allow for
connections to the Razor spam DB):

SELinux is preventing spamassassin (procmail_t) "name_connect" to <Unknown>
(razor_port_t). 

...here's the alert:

Summary:

SELinux is preventing spamassassin (procmail_t) "name_connect" to <Unknown>
(razor_port_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:procmail_t
Target Context                system_u:object_r:razor_port_t
Target Objects                None [ tcp_socket ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          2703
Host                          salusa.poochiereds.net
Source RPM Packages           perl-5.8.8-39.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-98.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     salusa.poochiereds.net
Platform                      Linux salusa.poochiereds.net 2.6.24.5-85.fc8 #1
                              SMP Sat Apr 19 11:18:09 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Fri 02 May 2008 10:32:33 AM EDT
Last Seen                     Fri 02 May 2008 02:27:06 PM EDT
Local ID                      2f1991ab-918d-49ec-bf3f-1efe4bcad410
Line Numbers                  

Raw Audit Messages            

host=salusa.poochiereds.net type=AVC msg=audit(1209752826.320:322): avc:  denied
 { name_connect } for  pid=7427 comm="spamassassin" dest=2703
scontext=system_u:system_r:procmail_t:s0
tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket

host=salusa.poochiereds.net type=SYSCALL msg=audit(1209752826.320:322):
arch=c000003e syscall=42 success=no exit=-115 a0=6 a1=16cf450 a2=10 a3=0 items=0
ppid=7426 pid=7427 auid=4294967295 uid=1002 gid=1002 euid=1002 suid=1002
fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=(none) comm="spamassassin"
exe="/usr/bin/perl" subj=system_u:system_r:procmail_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-05-06 15:55:59 EDT
The easiest thing for you to do is execute 

# grep procmail /var/log/audit/audit.log | audit2allow -M myprocmail
# semodule -i myprocmail.pp

In Fedora 9 there is a transition from procmail to spamassassin_t, but this
might be a little dangerous for Fedora 8.

So I am going to close this and mark it as fixed in the next release.
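
Added example (not part of the bug report or of any comment above): a shell function that summarises AVC denials from audit records as candidate allow rules with hit counts, so the access a local module would grant can be reviewed before `semodule -i`. The function name `avc_to_rules` and its optional source-type argument are hypothetical; the sample record is the AVC line from this report joined onto one line.

```shell
#!/bin/sh
# Sample input: the AVC record from this bug report, joined onto one line.
SAMPLE_AVC='host=salusa.poochiereds.net type=AVC msg=audit(1209752826.320:322): avc:  denied  { name_connect } for  pid=7427 comm="spamassassin" dest=2703 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:razor_port_t:s0 tclass=tcp_socket'

# avc_to_rules [source_type]
# Reads audit records on stdin and prints "<count> allow <src> <tgt>:<class> { perms };"
# for each distinct denial. With an argument, only denials whose source type
# matches exactly are kept (stricter than a plain text grep on the log).
avc_to_rules() {
    awk -v want="${1:-}" '
    /avc: +denied/ {
        src = ""; tgt = ""; cls = ""; perms = ""
        # The denied permissions sit between the first "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        if (s > 0 && e > s) {
            perms = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perms)
        }
        # Contexts are user:role:type[:level]; the type is the third field.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # Skip truncated records rather than emit a partial rule.
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        if (want != "" && src != want) next
        count["allow " src " " tgt ":" cls " { " perms " };"]++
    }
    END { for (r in count) printf "%d %s\n", count[r], r }
    ' | sort -k2
}

# Typical use on a live system (run as root):
#   avc_to_rules procmail_t < /var/log/audit/audit.log
```

Each output line is one permission the module would add to the source domain; an unexpected target type or class in the list is worth investigating before the module is loaded.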
