Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 171903

Summary: (selinux) spamassassin startup fails on boot
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, felicity, jm, jvdias, parkerm, perl-devel, reg+redhat, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-17 10:21:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 150221    

Description Nicolas Mailhot 2005-10-27 17:12:02 UTC
spamassassin complains about being unable to create a dnsresolver socket

When I restart it later with security enforcing disabled it works

(sorry about the vague message, I don't seem able to find it in /var/log even
thougspamassassin-3.1.0-1.fc5h the problem is reproduceable at every boot)

spamassassin-3.1.0-1.fc5 on up-to-date FC devel system, with
perl-Mail-SPF-Query-1.997-5.fc5 installed

Comment 1 Nicolas Mailhot 2005-10-27 17:14:13 UTC
Found the error message :

Error creating a DNS resolver socket: Permission non accordée at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/ line 202.

(seems selinux problem, it says it is not allowed to create the socket)

Comment 2 Nicolas Mailhot 2005-10-27 18:46:43 UTC
probably selinux-related -> adding in CCs

Comment 3 Jason Vas Dias 2005-10-27 19:46:13 UTC
>  seems selinux problem, it says it is not allowed to create the socket
>  When I restart it later with security enforcing disabled it works

Yes, this sounds like an SELinux problem - reassigning to 
selinux-policy-targeted package.

I hope that when you say 'restart it later with security enforcing disabled'
that you did 'setenforce 0' or booted with 'enforcing=0', and did NOT disable
selinux entirely by booting with 'selinux=0' - otherwise you'll have to relabel.

Comment 4 Nicolas Mailhot 2005-10-27 20:35:15 UTC
I use setenforce. I'm trying very hard not to boot with 'selinux=0' or selinux
disabled via sysconfig, because I know the day I do it the easy way I'll never
go back

Comment 5 Jason Vas Dias 2005-10-27 20:48:16 UTC
OK, well please try this to gather the information required to determine the
cause of this bug :

1. start out with an empty audit log -
   either empty it:
 or move it:
   # mv /var/log/audit/audit.log /var/log/audit/audit.log.bak

2. start spamassassin
   # service spamassassin start 2>&1 | tee /tmp/spastart.log

When the spamassassin start fails - is that what's happening here ? -
Please append the output of this command:
   # audit2allow </var/log/audit/audit.log | tee /tmp/spaudit.log
and gather the log files:
   # tar -cpf /tmp/spabug.tar /var/log/audit/audit.log  \
                              /tmp/spastart.log /tmp/spaudit.log
and attach the complete /tmp/spabug.tar file to this bug report.

Thank You!

Comment 6 Nicolas Mailhot 2005-10-27 21:08:42 UTC
I'll put the results inline since there is far too little to justify a tar

1. in spastart.log
Starting spamd:                                            [ÃCHOUÃ]

2. in maillog
spamd[4407]: Error creating a DNS resolver socket: Permission non accordée at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/ line 202.

3. in spaudit.log
allow spamd_t port_t:udp_socket name_bind;
allow spamd_t user_home_t:dir { getattr search };

Stangely the result were not consistent. When started from the CLI the service
succeeded more often than it failed. On boot it's always failing

Comment 7 Daniel Walsh 2005-10-27 21:18:13 UTC
Fixed in selinux-policy-targeted-1.27.2-7

Comment 8 Nicolas Mailhot 2005-10-28 13:51:22 UTC
Unfortunately, rebooting with selinux-policy-targeted-1.27.2-7 shows the problem
still exist (no manual relabel is needed nowadays right ?)

audit2allow </var/log/audit/audit.log just after bootup shows theses spamd lines:

allow spamd_t devpts_t:chr_file ioctl;
allow spamd_t port_t:udp_socket name_bind;
allow spamd_t user_home_t:dir { add_name getattr remove_name search write };
allow spamd_t user_home_t:file append create getattr ioctl link read rename
setattr unlink write;

It's a bit more complex than when doing spamassassin tests on an already running

Comment 9 Nicolas Mailhot 2005-10-28 13:54:24 UTC
BTW looking at /var/log/audit/audit.log I see a lot of accesses to .spamassassin
and .pyzor blocked - I wonder if that's why pyzor has not been running well
there lately

Comment 10 Daniel Walsh 2005-10-28 14:07:20 UTC
Could you try selinux-policy-targeted-1.27.2-11 (Available in fedora-test)
What port is it trying to bind to?

Comment 11 Nicolas Mailhot 2005-10-28 14:16:01 UTC
Will it work of with a rawhide system ?

For the port I haven't got hte faintest idea. I'm just reporting the error. But
the following snippet taken from the file referenced in the maillog error may be

  dbg("dns: name server: $ns, family: $family, ipv6: $ipv6");

  # find next available unprivileged port (1024 - 65535)
  # starting at a random value to spread out use of ports
  my $port_offset = int(rand(64511));  # 65535 - 1024
  for (my $i = 0; $i<64511; $i++) {
    my $lport = 1024 + (($port_offset + $i) % 64511);

    my %args = (
        PeerAddr => $ns,
        PeerPort => $self->{res}->{port},
        Proto => 'udp',
        LocalPort => $lport,
        Type => SOCK_DGRAM,
        Domain => $family,

    if (HAS_SOCKET_INET6) {
      $sock = IO::Socket::INET6->new(%args);
    } else {
      $sock = IO::Socket::INET->new(%args);
    $errno = $!;
    if (defined $sock) {  # ok, got it
    } elsif ($! == EADDRINUSE) {  # in use, let's try another source port
      dbg("dns: UDP port $lport already in use, trying another port");
    } else {
      # did we fail due to the attempted use of an IPv6 nameserver?
      $self->_ipv6_ns_warning()  if (!$ipv6 && $errno==EINVAL);
      die "Error creating a DNS resolver socket: $errno"; <-- Error that ends in
the logs
  defined $sock or die "Can't create a DNS resolver socket: $errno";

Comment 12 Nicolas Mailhot 2005-10-28 14:21:45 UTC
[root@rousalka tmp]# rpm -Uvh selinux-policy-targeted-1.27.1-2.11.noarch.rpm 
attention: selinux-policy-targeted-1.27.1-2.11.noarch.rpm: Entête V3 DSA
signature: NOKEY, key ID 30c9ecf8
Préparation...              ########################################### [100%]
   1:selinux-policy-targeted########################################### [100%]
/usr/sbin/load_policy:  Warning!  Policy file argument
(/etc/selinux/targeted/policy/policy.20) is no longer supported, installed
policy is always loaded.  Continuing...
/sbin/restorecon reset /bin/su context
/sbin/restorecon reset /usr/bin/newrole context
/sbin/restorecon reset /usr/bin/spamc context
/var/lib is already defined in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context.

Will reboot now

Comment 13 Nicolas Mailhot 2005-10-28 14:42:07 UTC
1. After reboot, no relabel is triggered, most services fail (including network)
2. -> reboot in non enforcing mode (which shows that spamassassin succeeds
without selinux BTW)
3. reinstall rawhide policy, reboot, autorelabel, reboot just to make sure, back
to square 1.

Comment 14 Daniel Walsh 2005-10-28 14:56:19 UTC
Sorry I thought you were on FC4.

Try selinux-policy-targeted-1.27.2-8.noarch.rpm

Available on

Comment 15 Nicolas Mailhot 2005-10-28 15:19:06 UTC
This one works, thank you. I can't believe I've actually booted a system in
enforcing mode without any service failing :)

I'll go test squirrelmail now. I seem to remember it had selinux problems too

Comment 16 Nicolas Mailhot 2005-12-04 13:54:41 UTC
And this got broken a few days afterwards with the selinux policy 2 changes.
With selinux-policy-targeted-2.0.8-1 spamassassin can not create its dnsresolver
socket (it does not make the service fail on startup like before but it's a
serious problem still)

Dec  4 14:24:55 rousalka postfix/master[2356]: daemon started -- version 2.2.5,
configuration /etc/postfix
Dec  4 14:24:56 rousalka spamd[2363]: Error creating a DNS resolver socket:
Permission non accordée at
/usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/ line 202.

# audit2allow < /var/log/audit/audit.log | sort
allow cupsd_config_t cupsd_log_t:file { read write };
allow dovecot_auth_t dovecot_var_run_t:dir search;
allow dovecot_auth_t tmp_t:dir getattr;
allow dovecot_auth_t usr_t:lnk_file read;
allow dovecot_t etc_runtime_t:file read;
allow saslauthd_t self:capability setuid;
allow saslauthd_t tmp_t:dir getattr;
allow saslauthd_t usr_t:lnk_file read;
allow spamd_t port_t:udp_socket name_bind;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow system_dbusd_t self:process setcap;
allow updfstab_t tmpfs_t:dir getattr;

Comment 17 Nicolas Mailhot 2005-12-04 17:24:59 UTC
Well I was wrong - the resolver problem crashes spamassassin like before

Comment 18 Daniel Walsh 2005-12-13 04:15:29 UTC
New fixes for this in selinux-policy-targeted-2.1.4-1

Comment 19 Nicolas Mailhot 2005-12-17 10:21:42 UTC
Seems fixed again