You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2009/01/28 01:16:36 UTC
[Bug 6052] New: SELINUX blocks spamc access to port 7500
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
Summary: SELINUX blocks spamc access to port 7500
Product: Spamassassin
Version: 3.2.5
Platform: Other
OS/Version: Linux
Status: NEW
Severity: major
Priority: P5
Component: spamc/spamd
AssignedTo: dev@spamassassin.apache.org
ReportedBy: kevinsemailaddie@yahoo.com
My message log is filled with selinux messages. When I log into X I found this
SELinux error. I do not even have spamd running or use spamc, but I call
spamassassin via procmail to scan email. I use Fedora Core 10, postfix, and
procmail. I have spamassassin 3.2.5. I am including the error I found from
selinux here.
SELinux is preventing the spamassassin (spamc_t) from binding to port 7500.
Detailed Description:
SELinux has denied the spamassassin from binding to a network port 7500 which
does not have an SELinux type associated with it. If spamassassin is supposed
to
be allowed to listen on this port, you can use the semanage command to add this
port to a port type that spamc_t can bind to. semanage port -l will list all
port types. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If spamassassin is not supposed to bind to this port, this could
signal
a intrusion attempt. If this system is running as an NIS Client, turning on the
allow_ypbind boolean, may fix the problem. setsebool -P allow_ypbind=1.
Allowing Access:
If you want to allow spamassassin to bind to this port semanage port -a -t
PORT_TYPE -p PROTOCOL 7500 Where PORT_TYPE is a type that spamc_t can bind and
PROTOCOL is udp or tcp.
Additional Information:
Source Context system_u:system_r:spamc_t:s0
Target Context system_u:object_rort_t:s0
Target Objects None [ udp_socket ]
Source spamassassin
Source Path /usr/bin/perl
Port 7500
Host wild-missouri.dyndns.org
Source RPM Packages perl-5.10.0-52.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-38.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name bind_ports
Host Name wild-missouri.dyndns.org
Platform Linux wild-missouri.dyndns.org
2.6.27.9-159.fc10.i686 #1 SMP Tue Dec 16 15:12:04
EST 2008 i686 i686
Alert Count 53268
First Seen Sat 24 Jan 2009 10:07:33 PM EST
Last Seen Mon 26 Jan 2009 01:25:14 PM EST
Local ID 4976cbb7-0595-4362-ad5f-7f401b4b5255
Line Numbers
Raw Audit Messages
node=wild-missouri.dyndns.org type=AVC msg=audit(1232994314.37:64514): avc:
denied { name_bind } for pid=3158 comm="spamassassin" src=7500
scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_rort_t:s0
tclass=udp_socket
node=wild-missouri.dyndns.org type=SYSCALL msg=audit(1232994314.37:64514):
arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc6c770 a2=dea5ec a3=10
items=0 ppid=3157 pid=3158 auid=4294967295 uid=500 gid=500 euid=500 suid=500
fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0
key=(null)
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #9 from Kevin Jones <ke...@yahoo.com> 2009-01-30 15:48:10 PST ---
Red Hat's response (Bug 482971):
===========================================================================
Comment #3 From Daniel Walsh (dwalsh@redhat.com) 2009-01-30 08:28:54 EDT (-)
[reply] ------- This looks like either a leaked file descriptor or a
redirection of
stdout/stderr.
I don't see a problem with allowing it, Looks like postfix processes are all
using each others fifo_files.
=============================================================================
I don't know where this leaves us? Hopefully there is nothing going on that
will adversely effect the system's performance and security, which is all I
care about. Selinux can be told to stop gripping if there is no real issue I
think?
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #3 from Karsten Bräckelmann <gu...@rudersport.de> 2009-01-28 13:55:56 PST ---
(In reply to comment #2)
> SpamAssassin developers: I hope you don't mind me using Bugzilla in this way
> until it's clear there isn't a SpamAssassin bug.
Nah, that's cool. :) Even though bugzilla isn't the best place for discussion,
since this bug has been filed already, anything to find out the real cause is
much appreciated. Thanks, James.
FWIW, I also suspected an SELinux issue. My googling just didn't turn up much
late yesterday night. Good spot about the Perl != C. ;)
Kevin, if you file a bug with RH, please add a link and any result here.
Thanks.
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #8 from Kevin Jones <ke...@yahoo.com> 2009-01-29 18:50:05 PST ---
This is kind of cool. I decided to switch to spamc -L because I didn't see in
the man page is spamassassin supported that switch but spamc definitely did.
However after loading spamd at bootup and running spamc -L I still get the same
error from selinux.
Summary:
SELinux is preventing spamc (spamc_t) "write" postfix_local_t.
Detailed Description:
SELinux denied access requested by spamc. It is not expected that this access
is
required by spamc and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:spamc_t:s0
Target Context system_u:system_r:postfix_local_t:s0
Target Objects pipe [ fifo_file ]
Source spamc
Source Path /usr/bin/spamc
Port <Unknown>
Host wild-missouri.dyndns.org
Source RPM Packages spamassassin-3.2.5-2.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-40.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name wild-missouri.dyndns.org
Platform Linux wild-missouri.dyndns.org
2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21
02:09:37 EST 2009 i686 i686
Alert Count 1
First Seen Thu 29 Jan 2009 04:51:35 PM EST
Last Seen Thu 29 Jan 2009 04:51:35 PM EST
Local ID 6c8588bd-f839-4abd-91c0-e1ce86541f32
Line Numbers
Raw Audit Messages
node=wild-missouri.dyndns.org type=AVC msg=audit(1233265895.797:13): avc:
denied { write } for pid=2722 comm="spamc" path="pipe:[13047]" dev=pipefs
ino=13047 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
node=wild-missouri.dyndns.org type=SYSCALL msg=audit(1233265895.797:13):
arch=40000003 syscall=11 success=yes exit=0 a0=9fb7db8 a1=9fb7008 a2=9fb9ba0
a3=2 items=0 ppid=2721 pid=2722 auid=4294967295 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #4 from Kevin Jones <ke...@yahoo.com> 2009-01-28 19:50:03 PST ---
Yea you guys are right this has nada to do with spamc. I send an email through
the system and then the selinux error comes up. I think selinux just needs to
be updated to ignore this, unless there is some reason why I shouldn't be
sending my mail through spamassassin in /etc/procmailrc? I don't bother to load
spamd because my system only receives a tiny amount of email right now.
Contents of /etc/procmailrc
:0fw spamassassin.lock
* < 256000
| /usr/bin/spamassassin
I did create an alias for root to a user and ran the tool to update the alias
database. Hmmmm I'll see what happens with a selinux bug report. thanks for the
help
Summary:
SELinux is preventing spamassassin (spamc_t) "write" postfix_local_t.
Detailed Description:
SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:spamc_t:s0
Target Context unconfined_u:system_r:postfix_local_t:s0
Target Objects pipe [ fifo_file ]
Source spamassassin
Source Path /usr/bin/perl
Port <Unknown>
Host wild-missouri.dyndns.org
Source RPM Packages perl-5.10.0-53.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-40.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name wild-missouri.dyndns.org
Platform Linux wild-missouri.dyndns.org
2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21
02:09:37 EST 2009 i686 i686
Alert Count 7
First Seen Sat 24 Jan 2009 10:42:44 PM EST
Last Seen Tue 27 Jan 2009 12:39:58 PM EST
Local ID 1757aec7-125c-471c-81af-64bc96349033
Line Numbers
Raw Audit Messages
node=wild-missouri.dyndns.org type=AVC msg=audit(1233077998.752:64): avc:
denied { write } for pid=3561 comm="spamassassin" path="pipe:[18009]"
dev=pipefs ino=18009 scontext=unconfined_u:system_r:spamc_t:s0
tcontext=unconfined_u:system_r:postfix_local_t:s0 tclass=fifo_file
node=wild-missouri.dyndns.org type=SYSCALL msg=audit(1233077998.752:64):
arch=40000003 syscall=11 success=yes exit=0 a0=964cdb8 a1=964c008 a2=964eba0
a3=1 items=0 ppid=3560 pid=3561 auid=4294967295 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamc_t:s0
key=(null)
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #7 from Kevin Jones <ke...@yahoo.com> 2009-01-29 17:21:41 PST ---
(In reply to comment #6)
> Fedora Bug report is filed. I will update this with the results as well as the
> results from adding the aforementioned local command switch.
>
Ammended procmailrc to contain
spamassassin -L
Rebooted just to make sure it was loaded, but still receving se linux error. I
didn't see a port mentioned in this one, see below
Summary:
SELinux is preventing spamassassin (spamc_t) "write" postfix_local_t.
Detailed Description:
SELinux denied access requested by spamassassin. It is not expected that this
access is required by spamassassin and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:spamc_t:s0
Target Context system_u:system_r:postfix_local_t:s0
Target Objects pipe [ fifo_file ]
Source spamassassin
Source Path /usr/bin/perl
Port <Unknown>
Host wild-missouri.dyndns.org
Source RPM Packages perl-5.10.0-53.fc10
Target RPM Packages
Policy RPM selinux-policy-3.5.13-40.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name wild-missouri.dyndns.org
Platform Linux wild-missouri.dyndns.org
2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21
02:09:37 EST 2009 i686 i686
Alert Count 1
First Seen Thu 29 Jan 2009 03:20:29 PM EST
Last Seen Thu 29 Jan 2009 03:23:52 PM EST
Local ID 4d8bd25b-7e15-4d44-bd14-be030b29bc33
Line Numbers
Raw Audit Messages
node=wild-missouri.dyndns.org type=AVC msg=audit(1233260632.911:24): avc:
denied { write } for pid=3097 comm="spamassassin" path="pipe:[15854]"
dev=pipefs ino=15854 scontext=system_u:system_r:spamc_t:s0
tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
node=wild-missouri.dyndns.org type=SYSCALL msg=audit(1233260632.911:24):
arch=40000003 syscall=11 success=yes exit=0 a0=8fe1db8 a1=8fe1008 a2=8fe3f98
a3=2 items=0 ppid=3096 pid=3097 auid=4294967295 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
comm="spamassassin" exe="/usr/bin/perl" subj=system_u:system_r:spamc_t:s0
key=(null)
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #5 from Karsten Bräckelmann <gu...@rudersport.de> 2009-01-29 07:46:01 PST ---
(In reply to comment #4)
> Yea you guys are right this has nada to do with spamc. I send an email through
> the system and then the selinux error comes up. I think selinux just needs to
Kevin, did you already file a bug with RH?
> be updated to ignore this, unless there is some reason why I shouldn't be
> sending my mail through spamassassin in /etc/procmailrc? I don't bother to
> load spamd because my system only receives a tiny amount of email right now.
Frankly, IMHO, using spamc/d is worth it in almost all cases, no matter how low
the traffic might be. If you feel the need for SA in the first place...
After some quick discussion, I believe James is correct about DNS. Kevin, you
can test this. While this warning still is present, try scanning a mail with
local tests only.
spamassassin -L < message
Does this come out clan, no SELinux warning?
Also, since SELinux prevented this: Your SA is most likely performing rather
poor. Even with network tests enabled, it won't get any results.
Not closing for now, until we get some more facts.
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #6 from Kevin Jones <ke...@yahoo.com> 2009-01-29 16:57:24 PST ---
Fedora Bug report is filed. I will update this with the results as well as the
results from adding the aforementioned local command switch.
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #1 from Kevin Jones <ke...@yahoo.com> 2009-01-27 16:29:03 PST ---
Also in messages logs exists the following information
Jan 27 12:15:13 wild-missouri setroubleshoot: SELinux is preventing
spamassassin (spamc_t) "write" postfix_local_t. For complete SELinux messages.
run sealert -l 1757aec7-125c-471c-81af-64bc96349033
Jan 27 12:15:23 wild-missouri setroubleshoot: SELinux is preventing
spamassassin (spamc_t) "write" postfix_local_t. For complete SELinux messages.
run sealert -l 1757aec7-125c-471c-81af-64bc96349033
Jan 27 12:19:45 wild-missouri setroubleshoot: SELinux is preventing
spamassassin (spamc_t) "write" postfix_local_t. For complete SELinux messages.
run sealert -l 1757aec7-125c-471c-81af-64bc96349033
Jan 27 12:31:54 wild-missouri setroubleshoot: SELinux is preventing
spamassassin (spamc_t) "write" postfix_local_t. For complete SELinux messages.
run sealert -l 1757aec7-125c-471c-81af-64bc96349033
Jan 27 12:39:59 wild-missouri setroubleshoot: SELinux is preventing
spamassassin (spamc_t) "write" postfix_local_t. For complete SELinux messages.
run sealert -l 1757aec7-125c-471c-81af-64bc96349033
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
[Bug 6052] SELINUX blocks spamc access to port 7500
Posted by bu...@bugzilla.spamassassin.org.
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6052
--- Comment #2 from James Wilkinson <Ja...@sparex.co.uk> 2009-01-28 12:31:26 PST ---
This probably isn't a SpamAssassin bug. The SpamAssassin SELinux policy isn't
distributed with SpamAssassin, even on Fedora.
The question, as I see it, is why is SpamAssassin trying to use UDP port 7500?
(Is it always port 7500? If not, I'd suspect that this is just SpamAssassin
trying to do DNS-based network tests, and opening port 7500 to listen for
replies).
I suspect you're being confused by the "spamc_t", which is a SELinux type,
IIRC. I'd expect it to apply whether you're running spamassassin directly or
spamc. Note the exe="/usr/bin/perl": spamc is written in C.
In the meantime, you might want to look at system-config-selinux (from a root
terminal in X: it's also Gnome System menu -> Administration -> SELinux
Management). On the Boolean tab, look for the SpamAssassin module, check that
"allow user spamassassin clients to use the network" is enabled. You may want
to review the rest of the settings in this program.
If that doesn't help, then you might want to do what the SELinux message says,
and file a Fedora bug. The SELinux maintainers have a reputation for being very
quick off the mark.
SpamAssassin developers: I hope you don't mind me using Bugzilla in this way
until it's clear there isn't a SpamAssassin bug.
--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.