F9: Problems with Spamassassin

Daniel B. Thurman dant at cdkkt.com
Mon Dec 22 22:08:34 UTC 2008 

I am getting bombed Spamassassin for which SELinux is complaining:

Dec 22 14:03:01 gold setroubleshoot: SELinux is preventing the 
spamassassin (spamassassin_t) from binding to port 31120. For complete 
SELinux messages. run sealert -l d55ced24-a79c-4712-9ed3-854874f886e3

Please note, this is message one of *many* reports for which the port 
numbers
are running up and down the port numbers in the thousands... and failing...

Did I mis-configure Spamassassin or is this an SELinux issue?

=========================================================
# sealert -l d55ced24-a79c-4712-9ed3-854874f886e3:


Summary:

SELinux is preventing the spamassassin (spamassassin_t) from binding to port
32733.

Detailed Description:

SELinux has denied the spamassassin from binding to a network port 32733 
which
does not have an SELinux type associated with it. If spamassassin is 
supposed to
be allowed to listen on this port, you can use the semanage command to 
add this
port to a port type that spamassassin_t can bind to. semanage port -l 
will list
all port types. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the 
selinux-policy
package. If spamassassin is not supposed to bind to this port, this 
could signal
a intrusion attempt. If this system is running as an NIS Client, turning 
on the
allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1.

Allowing Access:

If you want to allow spamassassin to bind to this port semanage port -a -t
PORT_TYPE -p PROTOCOL 32733 Where PORT_TYPE is a type that 
spamassassin_t can
bind and PROTOCOL is udp or tcp.

Additional Information:

Source Context                system_u:system_r:spamassassin_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        spamassassin
Source Path                   /usr/bin/perl
Port                          32733
Host                          gold.cdkkt.com
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.27.7-53.fc9.i686 
#1 SMP
                              Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   3378
First Seen                    Mon Dec 22 14:00:08 2008
Last Seen                     Mon Dec 22 14:00:20 2008
Local ID                      d55ced24-a79c-4712-9ed3-854874f886e3
Line Numbers                 

Raw Audit Messages           

node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc:  
denied  { name_bind } for  pid=6493 comm="spamassassin" src=32733 
scontext=system_u:system_r:spamassassin_t:s0 
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
=========================================================

Thanks!
Dan

More information about the fedora-selinux-list mailing list