Red Hat Bugzilla – Bug 450568
spamassassin selinux policy issue
Last modified: 2008-11-17 17:04:31 EST
Description of problem:
The selinux policy on Fedora 9 does not allow spamassassin to bind to any
local network ports, creating excessive processor load whenever an email comes
into the system. The load is expedited somewhat if setroubleshootd is not
running, though having spamd running or not appears to make no difference.
Version-Release number of selected component (if applicable):
Fedora 9 after using preupgrade from Fedora 8.
Steps to Reproduce:
1. Start setroubleshootd and spamd.
2. Send a test email or wait for one to arrive.
3. Watch /var/log/messages for a large number of setroubleshoot exceptions.
Actual results:
Excessive system load and a large number of setroubleshoot exceptions produced.
Email does still go through, however.
Expected results:
Email going through without any setroubleshoot exceptions.
Additional info:
Tried changing the sebool spamassassin_can_network to 1; made no difference.
Results of a typical sealert are attached.
Created attachment 308733
Results of one of the sealerts generated by this issue.
You can allow this for now.
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Fixed in selinux-policy-3.3.1-67.fc9.noarch
Thank you, that resolved most of the issue; there were still a few postfix
exceptions, but I was able to generate a policy to handle those and everything
is working properly now.
Could you submit the te file you generated or, even better, the AVC messages used
to create it?
Created attachment 309511
AVC messages and te file
Does spamassassin talk directly to postfix? I.e., does postfix exec spamassassin?
Or this could be a leaked file descriptor.
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
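
Added example (not from the bug's attachments or from any commenter): a short Python script that groups AVC denials from audit.log by source type, target type and class, so the rules a module built with audit2allow -M would contain can be read first. The log lines are constructed samples, and the socket/pipe path check is an assumed heuristic for the leaked file descriptor case raised in the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the bug's attachments).
SAMPLE_LOG = """\
type=AVC msg=audit(1213000000.101:41): avc:  denied  { name_bind } for  pid=2101 comm="spamd" src=10024 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213000000.102:42): avc:  denied  { name_bind } for  pid=2101 comm="spamd" src=10025 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213000003.511:57): avc:  denied  { read write } for  pid=2140 comm="spamc" path="socket:[18342]" dev=sockfs ino=18342 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1213000003.511:57): arch=40000003 syscall=11 success=yes exit=0 comm="spamc"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
PATH_RE = re.compile(r'path="(socket|pipe):\[\d+\]"')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0, "fd_hint": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
        entry = rules[key]
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
        # Heuristic (assumption): a denial on an anonymous socket or pipe
        # often points at a descriptor inherited from the parent process.
        if PATH_RE.search(line):
            entry["fd_hint"] = True
    return dict(rules)

def render(rules):
    """Format each group as the allow rule it would become, for review."""
    out = []
    for (src, tgt, cls), e in sorted(rules.items()):
        perms = " ".join(sorted(e["perms"]))
        note = "  # possible leaked fd" if e["fd_hint"] else ""
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};  # {e['count']} denial(s){note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE_LOG))))
```
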