SELinux doesn't understand sendmail<->spamassassin interactions

G.Wolfe Woodbury ggw at wolves.durham.nc.us
Thu Feb 19 00:25:12 UTC 2009


Paul Howarth wrote:
> On Wed, 18 Feb 2009 17:53:41 -0500
> "G.Wolfe Woodbury" <ggw at wolves.durham.nc.us> wrote:
> 
>> Similar to the mailman problem, SELinux doesn't understand the 
>> interactions between sendmail and spamassassin.  In this case,
>> however, the spamassassin stuff quits working completely.
>>
>> This installation of spamassassin uses the "spamc" daemon, and mails
>> are passed to that daemon from user's .procmailrc files. (This allows
>> the user to opt-in/opt-out of spam detection on their own by altering
>> their own .procmailrc file.)
>>
>> SELinux complains a lot because every message passed from the user 
>> delivery chain gets a denial because "sendmail" (actually procmail)
>> has no permissions to write the spamassassin spamc socket:
>>
>> type=AVC msg=audit(1234094494.975:3163): avc:  denied  { read write }
>> for  pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs
>> ino=2166561 scontext=system_u:system_r:spamc_t:s0 
>> tcontext=system_u:system_r:sendmail_t:s0
>> tclass=unix_stream_socket
> 
> This is actually spamc failing to read/write a sendmail socket and is
> most likely to be a leaked file descriptor in the sendmail local
> delivery process, as per Bug #485426. Do you have *any* milters in your
> sendmail config?

Well, there is a clamav-milter in place to check incoming mail for 
viruses as some users read mail via OE and Windows Thunderbird.  This 
has never been a problem on this system.

My point is that spamc is doing operations in a sendmail context because 
sendmail is calling procmail to do local delivery and the first entry in 
most user .procmailrc filter lists is a pipe to/from spamc.  The context 
is two execs removed from sendmail itself.  The policy simply doesn't 
recognize that a sendmail context is calling spamc several hundred times 
a day.

> 
>> I don't fully understand some of the concepts used in SELinux, and am 
>> running F10+updates in "permissive" mode so that things work but I
>> get notified of "abnormal" events.
>>
>> Additionally, other aspects of the sendmail/spamassassin interaction 
>> attract SELinux complaints. (getattr of spamc socket, etc) but I get 
>> thousands of complaints about the read/write of the spamc socket.
>> (about 8 active e-mail accounts, several of which are spam traps.)
>>
>> Thanks for your attention and patience.
> 
> Can you post examples of the other denials you get?
> 
> Paul.

On closer examination, there are no other spamassassin/sendmail AVCs.
I have a few clamav-sendmail context AVCs, but those are 6 a day vs. 1200 
a day for the spamc AVCs.

Actually reading through the selinux trapper messages is making some 
things clearer.  I'm now more convinced that this is a policy issue 
rather than a bug.

-- 
G.Wolfe Woodbury
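As an added illustration (not part of the thread), a small Python script that parses AVC records shaped like the one quoted above and tallies denials per source domain, target domain, object class and permission set, which is the comparison made above (spamc denials vs. clamav ones) and also isolates the cross-domain unix_stream_socket pattern Paul attributes to an inherited descriptor. The audit lines below are constructed for the example and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample audit lines, modelled on the AVC record quoted in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1234094494.975:3163): avc:  denied  { read write } for  pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs ino=2166561 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234094501.112:3164): avc:  denied  { read write } for  pid=640 comm="spamc" path="socket:[2166590]" dev=sockfs ino=2166590 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234094530.500:3165): avc:  denied  { getattr } for  pid=655 comm="spamc" path="socket:[2166600]" dev=sockfs ino=2166600 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1234094600.001:3166): avc:  denied  { write } for  pid=701 comm="clamav-milter" path="/var/run/clamav-milter/clamav.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1234094600.001:3166): arch=c000003e syscall=42 success=no exit=-13
"""

# Fields of an AVC record we care about; other record types (SYSCALL, ...) do not match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    return rec

def type_of(context):
    """Third colon-separated field of user:role:type:level is the SELinux type."""
    return context.split(":")[2]

def summarize(text):
    """Count denials keyed by (source type, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]),
                rec["tclass"], rec["perms"])] += 1
    return counts

def inherited_socket_denials(counts):
    """A unix_stream_socket carries the label of the process that created it, so
    a denial where the source domain differs from the socket's domain means the
    descriptor was inherited across exec (e.g. spamc_t using a sendmail_t socket)."""
    return [k for k in counts if k[2] == "unix_stream_socket" and k[0] != k[1]]
```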
