spamassassin transition

Scott Radvan sradvan at redhat.com
Mon Aug 3 00:20:55 UTC 2009


Hi,


Working on the Postfix chapter in my SELinux managing confined services
book [0] and am having trouble with Postfix/spamassassin. 

I have got email traversing back and forth just fine, but I am trying to
invoke a denial or a problem for which I can document the work-around.
spamassassin_can_network seems to be a good Boolean to explain, show
the denial and then show the work-around for. 

This Boolean is off by default, which as far as I can tell would stop
spamassassin from launching as a daemon listening on the machine's
actual IP/interface.

But my problem is that it is launching without a problem and listening
on the machine's interface without error. I am assuming that it is
working fine because the spamassassin processes are only launching as
initrc_t, when it should be transitioning to something else..?

# ps -eZ | grep spamd
unconfined_u:system_r:initrc_t:s0 3085 ?       00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ?       00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ?       00:00:00 spamd

# ls -lZ /etc/init.d/spamassassin 
-rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0 /etc/init.d/spamassassin

(I tried labelling this differently to this default setting, to
spamd_initrc_exec_t, but to no avail.)

# getsebool -a  | grep spam
spamassassin_can_network --> off
spamd_enable_home_dirs --> on

Basically I need to make sure spamassassin is starting normally so that
the Boolean mentioned will block access. So any help is appreciated,
should spamassassin as a daemon transition to something other than
initrc_t? And how do I get it to do so? 

Or am I going down the wrong track to get this Boolean which is off by
default to do something which I can demonstrate and fix?

Thank you,

-- 
Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com
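
An added example, not part of the original post: a shell check for the condition shown in the message, where a daemon is still running in initrc_t after its init script started it. The function names and the sshd sample line are constructed for illustration; the three spamd lines are the output quoted in the post.

```shell
#!/bin/sh
# Added example: find processes in `ps -eZ` output that never left the
# init script domain (initrc_t), i.e. no domain transition took place.

# Print "pid command type" for every process whose SELinux type is $1.
# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin.
procs_in_type() {
    awk -v want="$1" '
        NR == 1 && $1 == "LABEL" { next }       # skip the ps header line
        {
            # Context is user:role:type:level. The level may itself contain
            # colons (s0-s0:c0.c1023), so read field 3, never the last field.
            n = split($1, ctx, ":")
            if (n >= 4 && ctx[3] == want)
                print $2, $NF, ctx[3]
        }'
}

# Constructed sample: the spamd lines come from the post; the header and
# the sshd line are made up to show a non-matching context with an MLS range.
sample_ps() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:initrc_t:s0 3085 ?       00:00:01 spamd
unconfined_u:system_r:initrc_t:s0 3087 ?       00:00:00 spamd
unconfined_u:system_r:initrc_t:s0 3088 ?       00:00:00 spamd
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ? 00:00:00 sshd
EOF
}

# Reads `ps -eZ` output on stdin; returns 1 (and lists the processes)
# when any process named $1 is running in initrc_t, 0 otherwise.
check_daemon() {
    hits=$(procs_in_type initrc_t | awk -v cmd="$1" '$2 == cmd')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

sample_ps | check_daemon spamd || echo "spamd is running in initrc_t"
```

On a live system, pipe `ps -eZ` into `check_daemon` instead of `sample_ps`.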




More information about the fedora-selinux-list mailing list