Summary: SELinux is preventing /usr/bin/perl from binding to port 23796.

Detailed description: [SELinux is in permissive mode. This access was not denied.]

SELinux has denied the spamassassin from binding to a network port 23796 which does not have an SELinux type associated with it. If spamassassin should be allowed to listen on 23796, use the semanage command to assign 23796 to a port type that spamc_t can bind to (). If spamassassin is not supposed to bind to 23796, this could signal an intrusion attempt.

Allowing access: If you want to allow spamassassin to bind to port 23796, you can execute

# semanage port -a -t PORT_TYPE -p udp 23796

where PORT_TYPE is one of the following: . If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem.

setsebool -P allow_ypbind=1.

Additional information:
Source context      system_u:system_r:spamc_t:s0
Target context      system_u:object_r:port_t:s0
Target objects      None [ udp_socket ]
Source              spamassassin
Source path         /usr/bin/perl
Port                23796
Host                (removed)
Source RPM packages perl-5.10.0-82.fc12
Target RPM packages
Policy RPM          selinux-policy-3.6.32-46.fc12
SELinux enabled     True
Policy type         targeted
Enforcing mode      Permissive
Plugin name         bind_ports
Host name           (removed)
Platform            Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert count         5
First seen          Tue 24 Nov 2009 20:07:00
Last seen           Tue 24 Nov 2009 21:04:42
Local ID            73272872-e2cf-4f04-8abb-7622d2763a93
Line numbers

Raw audit messages

node=(removed) type=AVC msg=audit(1259093082.964:91): avc: denied { name_bind } for pid=3856 comm="spamassassin" src=23796 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1259093082.964:91): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=2b75968 a2=10 a3=0 items=0 ppid=3855 pid=3856 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-46.fc12,bind_ports,spamassassin,spamc_t,port_t,udp_socket,name_bind

audit2allow suggests:

#============= spamc_t ==============
allow spamc_t port_t:udp_socket name_bind;
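The raw audit messages above are what a defender actually has to triage: the AVC record carries the source domain, the object class, the port and the target port type, and `tcontext=...:port_t:s0` is exactly what setroubleshoot means by "a port which does not have an SELinux type associated with it". The script below is an added example, mine rather than anything from this bug report or from Fedora's setroubleshoot: it pulls name_bind denials out of audit.log-style records and labels each one so that the random-high-port pattern discussed in this bug can be told apart from a confined domain reaching for a port that does carry a specific type. The sample records, the host name `host1` and the third (SMTP) record are constructed; the record layout is assumed to match the raw audit messages quoted above.

```shell
#!/bin/sh
# Triage helper for name_bind AVC denials as found in /var/log/audit/audit.log.
# SAMPLE_AUDIT is constructed test data modelled on the raw audit messages in
# this bug report; the hostname and the third record are invented.
SAMPLE_AUDIT='node=host1 type=AVC msg=audit(1259093082.964:91): avc: denied { name_bind } for pid=3856 comm="spamassassin" src=23796 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=host1 type=SYSCALL msg=audit(1259093082.964:91): arch=c000003e syscall=49 success=yes exit=0 comm="spamassassin" exe="/usr/bin/perl"
node=host1 type=AVC msg=audit(1259096082.120:140): avc: denied { name_bind } for pid=4102 comm="spamassassin" src=64851 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=host1 type=AVC msg=audit(1259099000.001:203): avc: denied { name_bind } for pid=4377 comm="spamassassin" src=25 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket'

avc_bind_denials() {
    # Read audit records on stdin, keep only AVC records denying name_bind and
    # print one summary line per record: comm source-type tclass port target-type
    awk '/type=AVC/ && /denied/ && /name_bind/ {
        comm = ""; stype = ""; tclass = ""; port = ""; ttype = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^src=/)      { port = substr($i, 5) }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
        }
        print comm, stype, tclass, port, ttype
    }'
}

classify_bind_denial() {
    # $1 = target port type, $2 = port number.
    # port_t is the generic type: the port has no specific label, which is the
    # situation this bug is about (random high ports).  Any other target type
    # means the domain tried to bind a port reserved for a named service, which
    # deserves a closer look before any policy is relaxed.
    case "$1" in
        port_t)
            if [ "$2" -ge 1024 ]; then
                echo "generic-high-port"
            else
                echo "generic-low-port"
            fi ;;
        *)
            echo "labelled:$1" ;;
    esac
}

triage_audit() {
    # Combine extraction and classification for records arriving on stdin.
    avc_bind_denials | while read -r comm stype tclass port ttype; do
        echo "$comm $stype $tclass $port $(classify_bind_denial "$ttype" "$port")"
    done
}

# Stand-alone run over the constructed sample; on a real host pipe audit.log
# through triage_audit instead, e.g.: grep name_bind /var/log/audit/audit.log | triage_audit
printf '%s\n' "$SAMPLE_AUDIT" | triage_audit
```

Running it over the sample prints three lines: the two spamc_t binds to random UDP ports come out as generic-high-port (the case comment 10 fixes with one interface call), while the constructed bind to port 25 is reported as labelled:smtp_port_t, the kind of record that should not simply be allowed through with audit2allow.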
Why is spamassassin trying to bind to port 23796? Is this a local customization?
(In reply to comment #1)
> Why is spamassassin trying to bind to port 23796?
>
> Is this a local customization?

I might have done something wrong when I configured spamassassin, but nothing on purpose. I keep getting a lot of alerts, but if it's only me I need to look into it and learn some more. Now I already have 10 of this SE-alert:

------------------------------------------------------
SELinux has denied the spamassassin from binding to a network port 64851 which does not have an SELinux type associated with it. If spamassassin should be allowed to listen on 64851, use the semanage command to assign 64851 to a port type that spamc_t can bind to (). If spamassassin is not supposed to bind to 64851, this could signal an intrusion attempt.
------------------------------------------------------

Seems like my spamassassin daemon chooses high ports at random!?
Are you using nis?
Just got one more port:

SELinux has denied the spamassassin from binding to a network port 26909.....

fixing it suggests udp:

# semanage port -a -t PORT_TYPE -p udp 26909
No, you need something more powerful than this. It looks like policy allows spamd to bind to any udp port, but not spamassassin. I wonder if this is something new.

If you set the boolean

getsebool -a | grep spamassassin_can_network
spamassassin_can_network --> off

on, does it work?

setsebool -P spamassassin_can_network 1
No, no nis. I might have some unnecessary services running, but not nis (I think, never used it).

$] service ypbind status

reports "not running"
I've tried to set it on and it was now when I got the reports. Do I need to reboot first to be sure?
Fixed in selinux-policy-3.6.32-50.fc12.noarch

Added corenet_udp_bind_generic_port(spamc_t)

You can build a custom policy module with this line until you get the update. I am building -50 in koji now.
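Comment 10 says the interim fix is a custom policy module containing the one interface call `corenet_udp_bind_generic_port(spamc_t)`, which is the policy-level version of the `allow spamc_t port_t:udp_socket name_bind;` rule audit2allow printed in the report (one rule for every generic port, rather than one `semanage port` entry per random port). The script below is an added example of doing that on Fedora, written by me and not taken from the bug or from the selinux-policy package: it writes the .te source, then builds and installs it with the refpolicy development Makefile from selinux-policy-devel when that package is present. The module name `spamc_udp` and the build directory are my own choices; the Makefile path /usr/share/selinux/devel/Makefile is where selinux-policy-devel installs it.

```shell
#!/bin/sh
# Build a one-line custom policy module for the interim fix in comment 10.
# Assumed names (mine): module "spamc_udp", build dir under $TMPDIR or /tmp.

write_spamc_udp_module() {
    # $1 = directory to write spamc_udp.te into; prints the path of the .te file.
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/spamc_udp.te" <<'EOF'
policy_module(spamc_udp, 1.0)

require {
    type spamc_t;
}

# Let the spamassassin client domain bind any generic (unlabelled) UDP port,
# the same change selinux-policy-3.6.32-50.fc12 carries.
corenet_udp_bind_generic_port(spamc_t)
EOF
    echo "$dir/spamc_udp.te"
}

build_and_install_module() {
    # $1 = path to spamc_udp.te.  Interface calls like corenet_udp_bind_generic_port
    # are m4 macros, so the module must be built with the policy devel Makefile
    # (checkmodule alone would not expand them).  Returns 2 when the devel
    # package is missing, 1 on a build or install failure, 0 on success.
    te="$1"
    dir=$(dirname "$te")
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed; skipping build" >&2
        return 2
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile spamc_udp.pp ) || return 1
    # Installing needs root; once the official update lands the module can be
    # removed again with: semodule -r spamc_udp
    semodule -i "$dir/spamc_udp.pp" || return 1
}

te_path=$(write_spamc_udp_module "${TMPDIR:-/tmp}/spamc_udp")
echo "wrote $te_path"
build_and_install_module "$te_path" || true
```

After `semodule -i`, `semodule -l | grep spamc_udp` should list the module and the name_bind denials for spamc_t on port_t stop; since the interface only covers ports of type port_t, a bind to a port with a service-specific type is still denied and still shows up in audit.log, which is the behaviour you want to keep.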
OK, fine. Thanks!
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
As far as I can tell right now, it remains the same. But now:

'setsebool -P allow_ypbind=1'

stops all alerts from spamassassin. (I'm not running a NIS Client though, not that I know of anyway.) So I'm happy with that. I'll do some more testing and get back if I find anything.
What avc's were you seeing before you turned the boolean on?
Avc's? I make a guess that it's a SE-alert. With boolean 0 I got this message, but with different ports every time.

-------
SELinux is preventing /usr/bin/perl from binding to port 9143.

SELinux has denied the spamassassin from binding to a network port 9143 which does not have an SELinux type associated with it. If spamassassin should be allowed to listen on 9143, use the semanage command to assign 9143 to a port type that spamc_t can bind to (). If spamassassin is not supposed to bind to 9143, this could signal an intrusion attempt.

If you want to allow spamassassin to bind to port 9143, you can execute

# semanage port -a -t PORT_TYPE -p udp 9143

where PORT_TYPE is one of the following: . If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem.

setsebool -P allow_ypbind=1.
-------
I was actually looking for the content in /var/log/audit/audit.log. This gives me all the info I need.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.