Bug 450568 - spamassassin selinux policy issue
Product: Fedora
Classification: Fedora
Component: selinux-policy
i386 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2008-06-09 13:58 EDT by tgeier
Modified: 2008-11-17 17:04 EST
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:04:31 EST

Attachments
Results of one of the sealerts generated by this issue. (2.67 KB, application/octet-stream)
2008-06-09 13:58 EDT, tgeier
AVC messages and te file (2.23 KB, application/octet-stream)
2008-06-16 11:23 EDT, tgeier

Description tgeier 2008-06-09 13:58:37 EDT
Description of problem:
The selinux policy on Fedora 9 does not allow spamassassin to bind to any
local network ports, creating excessive processor load whenever an email comes
into the system.  The load is expedited somewhat if setroubleshootd is not
running, though having spamd running or not appears to make no difference.

Version-Release number of selected component (if applicable):
Fedora 9 after using preupgrade from Fedora 8.

How reproducible:
Consistently reproducible.

Steps to Reproduce:
1. Start setroubleshootd and spamd.
2. Send a test email or wait for one to arrive.
3. Watch /var/log/messages for a large number of setroubleshoot exceptions.

Actual results:
Excessive system load and a large number of setroubleshoot exceptions produced.
Email does still go through, however.

Expected results:
Email going through without any setroubleshoot exceptions.

Additional info:
Tried changing the sebool spamassassin_can_network to 1; made no difference.
Results of a typical sealert are attached.
Comment 1 tgeier 2008-06-09 13:58:37 EDT
Created attachment 308733
Results of one of the sealerts generated by this issue.
Comment 2 Daniel Walsh 2008-06-10 14:59:32 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch
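
An added example (not part of the original comment, and not audit2allow's own code): a small Python parser that groups AVC denials from audit.log by source type, target type and class, so the rules a generated module would contain can be reviewed before semodule -i loads it. The log lines, type names and port numbers are constructed for illustration, and summarize_denials and candidate_rules are hypothetical helper names.

```python
import re

# Constructed audit.log excerpt (not taken from this bug's attachments); the
# type names and port numbers are assumptions chosen for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1213034317.101:88): avc:  denied  { name_bind } for  pid=2301 comm="spamd" src=10025 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213034317.140:89): avc:  denied  { name_bind } for  pid=2301 comm="spamd" src=10026 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213034318.002:90): avc:  denied  { read write } for  pid=2307 comm="spamc" path="socket:[18231]" dev=sockfs ino=18231 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1213034319.555:91): avc:  denied  { getattr } for  pid=2307 comm="spamc" scontext=system_u:system_r
type=SYSCALL msg=audit(1213034318.002:90): arch=40000003 syscall=102 success=no exit=-13 comm="spamc"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class)."""
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL record, granted, etc.)
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        try:
            key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        except (KeyError, IndexError):
            continue  # truncated record: no usable contexts or class
        entry = rules.setdefault(key, {"perms": set(), "comms": set(), "count": 0})
        entry["perms"].update(m.group("perms").split())
        entry["comms"].add(f.get("comm", "?"))
        entry["count"] += 1
    return rules


def candidate_rules(rules):
    """Render each group as the allow rule a generated module would need."""
    out = []
    for (src, tgt, cls), e in sorted(rules.items()):
        perms = sorted(e["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};  "
                   f"# {e['count']} denial(s) from {', '.join(sorted(e['comms']))}")
    return out


if __name__ == "__main__":
    for rule in candidate_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

A rule whose target is the generic port_t type covers every port without a more specific label, so it is worth checking against the ports the service actually needs before installing the module.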
Comment 3 tgeier 2008-06-10 17:39:57 EDT
Thank you, that resolved most of the issue; there were still a few postfix
exceptions, but I was able to generate a policy to handle those and everything
is working properly now.
Comment 4 Daniel Walsh 2008-06-14 06:42:21 EDT
Could you submit the te file you generated or even better the avc messages used
to create it.
Comment 5 tgeier 2008-06-16 11:23:20 EDT
Created attachment 309511
AVC messages and te file
Comment 6 Daniel Walsh 2008-06-22 08:47:57 EDT
Does spamassassin talk directly to postfix?  I.e., does postfix exec spamassassin?
Or this could be a leaked file descriptor.
Comment 7 Daniel Walsh 2008-11-17 17:04:31 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
