Description of problem: Since upgrading to F9 I've been seeing selinux errors with SpamAssassin, which is triggered by my .procmailrc. This causes thousands of AVC messages, meaning I have to shutdown setroubleshootd in order to make the system usable. Version-Release number of selected component (if applicable): selinux-policy-3.3.1-64.fc9.noarch How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Created attachment 309477 [details] Alert text from sealert
This avc shows spamassassin tryint to bind to a udp socket 32230? Is this expected behaviour?
You can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp
I'm assuming it's expected behaviour as I'm using SpamAssassin's defaults. Here's how it's triggered in .procmailrc: INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc and here's the content of that file: # send mail through spamassassin :0fw | /usr/bin/spamassassin Here's the content of /etc/sysconfig/spamassassin: # Options to spamd SPAMDOPTIONS="-d -c -m5 -H"
Turn on the spamassassin_can_network boolean. If you run your AVC though audit2why it shows audit2why -i /tmp/t host=saintloup.smith.man.ac.uk type=AVC msg=audit(1213613494.259:1224): avc: denied { name_bind } for pid=5705 comm="spamassassin" src=32230 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket Was caused by: One of the following booleans was set incorrectly. Description: Allow user spamassassin clients to use the network. Allow access by executing: # setsebool -P spamassassin_can_network 1 Description: Allow system to run with NIS Allow access by executing: # setsebool -P allow_ypbind 1