Bug 451631 - Problem with Spamassassin triggered by procmail
Summary: Problem with Spamassassin triggered by procmail
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-06-16 10:52 UTC by Adam Huffman
Modified: 2008-06-24 10:04 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-06-24 10:04:26 UTC

Attachments
Alert text from sealert (deleted)
2008-06-16 10:52 UTC, Adam Huffman

Description Adam Huffman 2008-06-16 10:52:54 UTC
Description of problem:
Since upgrading to F9 I've been seeing selinux errors with SpamAssassin, which
is triggered by my .procmailrc.

This causes thousands of AVC messages, meaning I have to shut down
setroubleshootd in order to make the system usable.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

Comment 1 Adam Huffman 2008-06-16 10:52:54 UTC
Created attachment 309477
Alert text from sealert

Comment 2 Daniel Walsh 2008-06-22 12:38:20 UTC
This avc shows spamassassin trying to bind to a udp socket 32230?

Is this expected behaviour?

Comment 3 Daniel Walsh 2008-06-22 12:40:22 UTC
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Comment 4 Adam Huffman 2008-06-24 09:52:41 UTC
I'm assuming it's expected behaviour as I'm using SpamAssassin's defaults. 
Here's how it's triggered in .procmailrc:


and here's the content of that file:

# send mail through spamassassin
| /usr/bin/spamassassin

Here's the content of /etc/sysconfig/spamassassin:

# Options to spamd
SPAMDOPTIONS="-d -c -m5 -H"

Comment 5 Daniel Walsh 2008-06-24 10:04:26 UTC
Turn on the spamassassin_can_network boolean.

If you run your AVC through audit2why it shows

 audit2why -i /tmp/t type=AVC msg=audit(1213613494.259:1224): avc: 
denied  { name_bind } for  pid=5705 comm="spamassassin" src=32230
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

	Was caused by:
	One of the following booleans was set incorrectly.
	Allow user spamassassin clients to use the network.

	Allow access by executing:
	# setsebool -P spamassassin_can_network 1
	Allow system to run with NIS

	Allow access by executing:
	# setsebool -P allow_ypbind 1
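
Added example, not part of the bug report or of any Fedora tool: a Python script that collapses a flood of AVC denials like the one quoted in comment 5 into one row per (command, permission, class, target context), so a single root cause such as a disabled boolean stands out before audit2why or audit2allow is run. The first sample record is the denial from comment 5 joined onto one line; the other records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: record 1 is the denial quoted in comment 5 (joined onto
# one line); the remaining records are constructed variations of it.
SAMPLE_LOG = """\
type=AVC msg=audit(1213613494.259:1224): avc: denied  { name_bind } for  pid=5705 comm="spamassassin" src=32230 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213613495.101:1225): avc: denied  { name_bind } for  pid=5711 comm="spamassassin" src=41872 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1213613496.733:1226): avc: denied  { name_bind } for  pid=5719 comm="spamassassin" src=18004 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1213613496.733:1226): arch=40000003 syscall=102 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def summarize(log_text):
    """Count denials per (comm, perms, tclass, tcontext); collect src ports."""
    counts, ports = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec.get("comm"), rec["perms"], rec.get("tclass"), rec.get("tcontext"))
        counts[key] += 1
        if "src" in rec:
            ports.setdefault(key, set()).add(int(rec["src"]))
    return counts, ports

if __name__ == "__main__":
    counts, ports = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        comm, perms, tclass, tcontext = key
        print(f"{n:5d}  {comm}  {{ {' '.join(perms)} }}  {tclass}  {tcontext}  "
              f"ports={sorted(ports.get(key, []))}")
```

Many denials that share one key but differ only in the source port, as here, point to a single policy decision rather than many separate problems.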
