Spamassassin emails have wrong perms -- CC'ed to selinux list

Justin Willmert justin at jdjlab.com
Mon Jan 30 22:39:55 UTC 2006


Paul Howarth wrote:
> On Sun, 2006-01-29 at 22:52 -0600, Justin Willmert wrote:
>> Ivan Gyurdiev wrote:
>>>> I'm cc-ing this to the fedora-selinux-list. I think some of the 
>>>> problems may be applicable there.
>>>>
>>>> OK, after some more testing, when I disable SELinux, many of the 
>>>> errors go away. First of all, I get rid of the error message saying 
>>>> user can not be found and with it the 'still running as root' error. 
>>>> Second, it is able to access the bayes_journal file (as long as 
>>>> normal unix permissions are right, which I've figured out). So I 
>>>> guess the problem is an SELinux issue which I can't solve. I'd attach 
>>>> some avc error messages, but I can't seem to find any. I've looked in 
>>>> maillog, secure, and messages, but nothing.
>>> Have you looked in the audit log, where all such messages are usually 
>>> found?
>>> /var/log/audit.log
>>>
>> Below is what showed up in audit/audit.log when I sent a message through
>> spamassassin. I'm _*really*_ rusty on SELinux...it's the one thing I
>> have to deal with quite often that I haven't been able to learn how to
>> use...it's so foreign to me. I've never looked in audit.log before: the
>> avc messages used to show up in messages, but now as far back as my logs
>> go, I don't have a single avc message. This all looks like gibberish to
>> me, so I need you guys' help.
>>
>> Thanks,
>> Justin
>>
>>     type=AVC msg=audit(1138596151.681:104174): avc:  denied  {
>>     name_connect } for  pid=23796 comm="spamd" dest=389
>>     scontext=root:system_r:spamd_t
>>     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>>     type=SYSCALL msg=audit(1138596151.681:104174): arch=40000003
>>     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
>>     items=0 pid=23796 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>     sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
>>     type=SOCKADDR msg=audit(1138596151.681:104174):
>>     saddr=02000185C0A801940000000000000000
>>     type=SOCKETCALL msg=audit(1138596151.681:104174): nargs=3 a0=7
>>     a1=9b1fe80 a2=10
>>     type=AVC msg=audit(1138596153.220:104175): avc:  denied  {
>>     name_connect } for  pid=23796 comm="spamd" dest=389
>>     scontext=root:system_r:spamd_t
>>     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>>     type=SYSCALL msg=audit(1138596153.220:104175): arch=40000003
>>     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
>>     items=0 pid=23796 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99
>>     egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
>>     type=SOCKADDR msg=audit(1138596153.220:104175):
>>     saddr=02000185C0A801940000000000000000
>>     type=SOCKETCALL msg=audit(1138596153.220:104175): nargs=3 a0=7
>>     a1=9b6a6f0 a2=10
>>     type=AVC msg=audit(1138596160.388:104176): avc:  denied  {
>>     name_connect } for  pid=23797 comm="spamd" dest=389
>>     scontext=root:system_r:spamd_t
>>     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>>     type=SYSCALL msg=audit(1138596160.388:104176): arch=40000003
>>     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
>>     items=0 pid=23797 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>     sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
>>     type=SOCKADDR msg=audit(1138596160.388:104176):
>>     saddr=02000185C0A801940000000000000000
>>     type=SOCKETCALL msg=audit(1138596160.388:104176): nargs=3 a0=7
>>     a1=9b20050 a2=10
>>     type=AVC msg=audit(1138596164.032:104177): avc:  denied  {
>>     name_connect } for  pid=23797 comm="spamd" dest=389
>>     scontext=root:system_r:spamd_t
>>     tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
>>     type=SYSCALL msg=audit(1138596164.032:104177): arch=40000003
>>     syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7
>>     items=0 pid=23797 auid=600 uid=0 gid=0 euid=99 suid=0 fsuid=99
>>     egid=99 sgid=0 fsgid=99 comm="spamd" exe="/usr/bin/perl"
>>     type=SOCKADDR msg=audit(1138596164.032:104177):
>>     saddr=02000185C0A801940000000000000000
>>     type=SOCKETCALL msg=audit(1138596164.032:104177): nargs=3 a0=7
>>     a1=9b84af0 a2=10
>
> Are you using LDAP for authentication or to handle mail accounts?
>
> Paul.
No, I am not using LDAP in spamassassin itself (there are ldap arguments 
to spamd and I'm not using those), but my system uses LDAP 
authentication through nsswitch/pam (whatever the distinction is). Does 
spamd need to know my ldap server's information?

I believe I found a temporary workaround for the bayes files: I put 
them in a non-standard location (/etc/mail/bayes/) because I wanted a 
system-wide database (some users don't get enough spam to warrant their 
own database). I found if I set /etc/mail/bayes/ to user_home_dir_t and 
/etc/mail/bayes/* to user_home_t that the denied messages for files are 
gone (if I'm reading the logs right). I don't see the file denial 
messages in the log output I put above, but they are in audit.log and in 
the latest test, they aren't there so I'm hoping I'm looking into all of 
this right. If you want me to confirm all of this, I can reset the 
directory context and do some tests, then set up the directory context 
again and compare that result; somebody just has to ask.
Now I've just got to solve the LDAP messages. I'll try to look into this 
a bit, but I'm probably going to need the help, so thanks to all those 
who take time to reply.

Justin
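
An added example, not part of the original message: a small Python parser that groups audit records by event serial and decodes the hex `saddr` field, so the denied `name_connect` can be read as a concrete peer address and port. The sample event is copied from the log quoted above with the mail line-wrapping undone; the function names are this example's own, and the little-endian family field is an assumption based on `arch=40000003` (i386).

```python
import re
import socket
import struct
from collections import defaultdict

# One event from the quoted audit.log, re-joined onto single lines.
SAMPLE = """\
type=AVC msg=audit(1138596151.681:104174): avc:  denied  { name_connect } for  pid=23796 comm="spamd" dest=389 scontext=root:system_r:spamd_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1138596151.681:104174): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb2dc20 a2=1229cb8 a3=7 items=0 pid=23796 auid=600 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="spamd" exe="/usr/bin/perl"
type=SOCKADDR msg=audit(1138596151.681:104174): saddr=02000185C0A801940000000000000000
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{([^}]*)\}')


def decode_saddr(hex_saddr):
    """Decode a raw sockaddr_in dump into (ip, port); None for anything else."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 8:
        return None
    family = struct.unpack('<H', raw[:2])[0]   # host byte order (assumed LE)
    if family != socket.AF_INET:
        return None
    port = struct.unpack('>H', raw[2:4])[0]    # network byte order
    return socket.inet_ntoa(raw[4:8]), port


def summarize(log_text):
    """Merge AVC, SYSCALL and SOCKADDR records that share an event serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _timestamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        if rtype == 'AVC':
            perms = PERMS.search(body)
            ev['perms'] = perms.group(1).split() if perms else []
            for key in ('comm', 'scontext', 'tcontext', 'tclass'):
                ev[key] = fields.get(key)
        elif rtype == 'SYSCALL':
            ev['exe'] = fields.get('exe')
            ev['exit'] = int(fields['exit']) if 'exit' in fields else None
        elif rtype == 'SOCKADDR':
            ev['peer'] = decode_saddr(fields.get('saddr', ''))
    return dict(events)
```

For the sample event this yields a `spamd_t` process denied `name_connect` on a `tcp_socket` to 192.168.1.148 port 389, with the syscall returning -13 (EACCES).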



