SELinux doesn't understand sendmail<->spamassassin interactions
Paul Howarth
paul at city-fan.org
Wed Feb 18 23:02:32 UTC 2009
On Wed, 18 Feb 2009 17:53:41 -0500
"G.Wolfe Woodbury" <ggw at wolves.durham.nc.us> wrote:
> Similar to the mailman problem, SELinux doesn't understand the
> interactions between sendmail and spamassassin. In this case,
> however, the spamassassin stuff quits working completely.
>
> This installation of spamassassin uses the "spamc" daemon, and mails
> are passed to that daemon from user's .procmailrc files. (This allows
> the user to opt-in/opt-out of spam detection on their own by altering
> their own .procmailrc file.)
>
> SELinux complains a lot because every message passed from the user
> delivery chain gets a denial because "sendmail" (actually procmail)
> has no permissions to write the spamassassin spamc socket:
>
> type=AVC msg=audit(1234094494.975:3163): avc: denied { read write }
> for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs
> ino=2166561 scontext=system_u:system_r:spamc_t:s0
> context=system_u:system_r:sendmail_t:s0
> tclass=unix_stream_socket
This is actually spamc failing to read/write a sendmail socket and is
most likely to be a leaked file descriptor in the sendmail local
delivery process, as per Bug #485426. Do you have *any* milters in your
sendmail config?
> I don't fully understand some of the concepts used in SELinux, and am
> running F10+updates in "permissive" mode so that things work but I
> get notified of "abnormal" events.
>
> Additionally, other aspects of the sendmail/spamassassin interaction
> attract SELinux complaints. (getattr of spamc socket, etc) but I get
> thousands of complaints about the read/write of the spamc socket.
> (about 8 active e-mail accounts, several of which are spam traps.)
>
> Thanks for your attention and patience.
Can you post examples of the other denials you get?
Paul.
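
The reading of the denial given in the reply above (source domain spamc_t, target an anonymous socket labelled sendmail_t) can be applied across a whole audit log to separate inherited-descriptor denials from the rest. This is an added example, not part of the original message: the sample records are constructed (the first follows the quoted denial, written with the standard tcontext= field), and the looks_inherited heuristic is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample: the first record follows the denial quoted in the thread,
# written with the standard tcontext= field; the other two are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1234094494.975:3163): avc: denied { read write } for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs ino=2166561 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234094501.112:3170): avc: denied { read write } for pid=640 comm="spamc" path="socket:[2166702]" dev=sockfs ino=2166702 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234094510.300:3181): avc: denied { getattr } for pid=655 comm="procmail" path="/var/run/example.sock" dev=dm-0 ino=91234 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = frozenset(m.group("perms").split())
    return rec

def context_part(context, index):
    """SELinux contexts are user:role:type[:level]; index 1 is role, 2 is type."""
    parts = context.split(":")
    return parts[index] if len(parts) > index else ""

def looks_inherited(rec):
    """Heuristic (assumption of this example): an anonymous sockfs socket that
    carries another process domain's label was opened by that other process."""
    scontext, tcontext = rec.get("scontext", ""), rec.get("tcontext", "")
    return (bool(tcontext) and rec.get("dev") == "sockfs"
            and rec.get("path", "").startswith("socket:[")
            and context_part(tcontext, 1) != "object_r"
            and context_part(tcontext, 2) != context_part(scontext, 2))

def summarize(log_text):
    """Count denials per (source type, target type, class, inherited?)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        counts[(context_part(rec.get("scontext", ""), 2),
                context_part(rec.get("tcontext", ""), 2),
                rec.get("tclass", ""), looks_inherited(rec))] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, tclass, inherited), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {src} -> {tgt}  {tclass}  inherited_fd={inherited}")
```
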