Description of problem:
The selinux policy on Fedora 9 does not allow spamassassin to bind to any local network ports, creating excessive processor load whenever an email comes into the system. The load is expedited somewhat if setroubleshootd is not running, though having spamd running or not appears to make no difference.

Version-Release number of selected component (if applicable):
Fedora 9 after using preupgrade from Fedora 8.

How reproducible:
Consistently reproducible.

Steps to Reproduce:
1. Start setroubleshootd and spamd.
2. Send a test email or wait for one to arrive.
3. Watch /var/log/messages for a large number of setroubleshoot exceptions.

Actual results:
Excessive system load and a large number of setroubleshoot exceptions produced. Email does still go through, however.

Expected results:
Email going through without any setroubleshoot exceptions.

Additional info:
Tried changing the sebool spamassassin_can_network to 1; made no difference. Results of a typical sealert are attached.
Created attachment 308733
Results of one of the sealerts generated by this issue.
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-67.fc9.noarch
Thank you, that resolved most of the issue; there were still a few postfix exceptions, but I was able to generate a policy to handle those and everything is working properly now.
Could you submit the te file you generated or, even better, the AVC messages used to create it?
Created attachment 309511
AVC messages and te file
Does spamassassin talk directly to postfix? I.e., does postfix exec spamassassin? Or this could be a leaked file descriptor.
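An added example, not part of the original thread or of the selinux-policy project: a Python script that summarizes AVC denials before they are turned into a local module with audit2allow, and flags denials matching the usual leaked-descriptor pattern (read/write only, on a socket or pipe labelled with another domain's type). The log lines are constructed samples, and the `looks_like_leaked_fd` heuristic and its class list are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log format (not taken from the bug's attachments).
SAMPLE_LOG = """\
type=AVC msg=audit(1212000001.101:201): avc:  denied  { name_bind } for  pid=2345 comm="spamd" src=10027 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1212000002.310:202): avc:  denied  { name_bind } for  pid=2345 comm="spamd" src=31412 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1212000003.522:203): avc:  denied  { read write } for  pid=2400 comm="spamc" path="socket:[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1212000003.522:203): arch=40000003 syscall=11 success=yes exit=0 comm="spamc"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Object classes that are commonly inherited across exec (assumed list for this heuristic).
FD_CLASSES = {"unix_stream_socket", "unix_dgram_socket", "tcp_socket",
              "udp_socket", "fifo_file", "netlink_route_socket"}

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Count denials per (source type, target type, class, sorted permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip SYSCALL and other non-AVC records
        perms = tuple(sorted(m["perms"].split()))
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perms)
        counts[key] += 1
    return counts

def looks_like_leaked_fd(key):
    """Heuristic: only read/write denied on a socket/pipe created by a different domain."""
    src, tgt, tclass, perms = key
    return tclass in FD_CLASSES and set(perms) <= {"read", "write"} and src != tgt

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        src, tgt, tclass, perms = key
        note = "  <- possible leaked descriptor, review before allowing" if looks_like_leaked_fd(key) else ""
        print(f"{n:3d}  {src} -> {tgt}:{tclass} {{ {' '.join(perms)} }}{note}")
```

Denials flagged this way are usually better fixed in the parent program (closing the descriptor on exec) or silenced with a dontaudit rule than granted with an allow rule.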
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.