F9: Problems with Spamassassin
Daniel J Walsh
dwalsh at redhat.com
Tue Dec 23 16:45:52 UTC 2008
Daniel B. Thurman wrote:
>
> I am getting bombed by Spamassassin, for which SELinux is complaining:
>
> Dec 22 14:03:01 gold setroubleshoot: SELinux is preventing the spamassassin (spamassassin_t) from binding to port 31120. For complete SELinux messages. run sealert -l d55ced24-a79c-4712-9ed3-854874f886e3
>
> Please note, this is message one of *many* reports for which the port
> numbers are running up and down the port numbers in the thousands...
> and failing...
>
> Did I mis-configure Spamassassin or is this an SELinux issue?
>
> =========================================================
> # sealert -l d55ced24-a79c-4712-9ed3-854874f886e3:
>
>
> Summary:
>
> SELinux is preventing the spamassassin (spamassassin_t) from binding to
> port 32733.
>
> Detailed Description:
>
> SELinux has denied the spamassassin from binding to a network port 32733
> which does not have an SELinux type associated with it. If spamassassin is
> supposed to be allowed to listen on this port, you can use the semanage
> command to add this port to a port type that spamassassin_t can bind to.
> semanage port -l will list all port types. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If spamassassin is not supposed to bind to this
> port, this could signal a intrusion attempt. If this system is running as
> an NIS Client, turning on the allow_ypbind boolean, may fix the problem.
> setsebool -P allow_ypbind=1.
>
> Allowing Access:
>
> If you want to allow spamassassin to bind to this port semanage port -a -t
> PORT_TYPE -p PROTOCOL 32733 Where PORT_TYPE is a type that spamassassin_t
> can bind and PROTOCOL is udp or tcp.
>
> Additional Information:
>
> Source Context                system_u:system_r:spamassassin_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ udp_socket ]
> Source                        spamassassin
> Source Path                   /usr/bin/perl
> Port                          32733
> Host                          gold.cdkkt.com
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-111.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   bind_ports
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.27.7-53.fc9.i686 #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
> Alert Count                   3378
> First Seen                    Mon Dec 22 14:00:08 2008
> Last Seen                     Mon Dec 22 14:00:20 2008
> Local ID                      d55ced24-a79c-4712-9ed3-854874f886e3
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=32733 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> =========================================================
>
> Thanks!
> Dan
Does turning on the boolean spamassassin_can_network solve your problem?
setsebool -P spamassassin_can_network 1
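
Added example (not part of the original thread, and not code from setroubleshoot or the selinux-policy project): a small Python triage script that groups name_bind AVC denials like the one quoted above by source domain and socket class, to show whether a domain is failing on one fixed port or across many. The record template, the extra ports and serial numbers, the myapp_t domain and the 3-port threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample. The first record mirrors the AVC line quoted in the thread;
# every other port, serial number and the myapp_t domain are made up.
REC = ('type=AVC msg=audit(1229983220.80:{n}): avc:  denied  {{ name_bind }} for  '
       'pid=6493 comm="{comm}" src={port} scontext=system_u:system_r:{dom}:s0 '
       'tcontext=system_u:object_r:port_t:s0 tclass={cls}')
ROWS = [(14243, "spamassassin", 32733, "spamassassin_t", "udp_socket"),
        (14244, "spamassassin", 31120, "spamassassin_t", "udp_socket"),
        (14245, "spamassassin", 35002, "spamassassin_t", "udp_socket"),
        (14246, "spamassassin", 33918, "spamassassin_t", "udp_socket"),
        (14300, "myapp", 9099, "myapp_t", "tcp_socket"),
        (14301, "myapp", 9099, "myapp_t", "tcp_socket")]
SAMPLE_AUDIT = "\n".join(
    REC.format(n=n, comm=c, port=p, dom=d, cls=k) for n, c, p, d, k in ROWS)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?\bsrc=(?P<port>\d+).*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def summarize_name_bind(audit_text):
    """Group name_bind denials by (source type, target type, socket class)."""
    ports = defaultdict(list)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or "name_bind" not in m["perms"].split():
            continue
        # An SELinux context is user:role:type[:level]; field 2 is the type.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        ports[key].append(int(m["port"]))
    return {k: {"denials": len(v), "distinct_ports": len(set(v)),
                "low": min(v), "high": max(v)} for k, v in ports.items()}

def single_port_label_insufficient(entry, min_ports=3):
    """Heuristic assumed by this example: denials spread over several distinct
    ports cannot be covered by labelling one port with `semanage port -a`."""
    return entry["distinct_ports"] >= min_ports

if __name__ == "__main__":
    for key, entry in summarize_name_bind(SAMPLE_AUDIT).items():
        print(key, entry, "spread" if single_port_label_insufficient(entry) else "fixed")
```

On a live system the input would be the raw AVC records from the audit log, for example the output of ausearch -m avc.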