What is wrong when spamc is not allowed to connect to spamd?

Daniel J Walsh dwalsh at redhat.com
Tue Dec 9 19:59:53 UTC 2008


Göran Uddeborg wrote:
> I'm gradually upgrading to Fedora 10 using yum, so I suspect this
> problem might be that some package is not yet upgraded.  But I can't
> understand what it could be.
> 
> I'm running spamassassin using the lines
> 
>     DROPPRIVS=yes
>     INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
> 
> in /etc/procmailrc.  After upgrading to Fedora 10 policy and
> spamassassin I get these AVC:s
> 
>     time->Sun Dec  7 20:01:46 2008
>     type=SYSCALL msg=audit(1228676506.702:50): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=1358850 a2=10 a3=8 items=0 ppid=3558 pid=3559 auid=4294967295 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=4294967295 comm="spamc" exe="/usr/bin/spamc" subj=system_u:system_r:spamc_t:s0 key=(null)
>     type=AVC msg=audit(1228676506.702:50): avc:  denied  { name_connect } for  pid=3559 comm="spamc" dest=783 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket
> 
> I.e., spamc isn't allowed to connect to spamd's TCP socket.
> 
> Looking in the spamassassin.te source I see that spamc_t is allowed to
> connect to spamd_t:unix_stream_socket but I can't see anything that
> would allow it to connect to a tcp_socket of any type.
> 
> Looking at the spamassassin code, I see spamd would create and spamc use a
> unix-domain socket if given explicit path to it, but in the default
> configuration I can't see anything that would add those flags.
> 
> I've enabled spamassassin_can_network as a temporary workaround, but
> that shouldn't be necessary just to use spamc, should it?
> 
> What am I missing here?
Seems reasonable,
Fixed in selinux-policy-3.5.13-34.fc10
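
The denial quoted above can be read mechanically. The following Python sketch is an added example, not part of the original thread or of any SELinux tool: it pairs the SYSCALL and AVC records by audit event ID, decodes the failed call, and derives the type-enforcement rule the denial maps to. The function names and the abbreviated sample records are assumptions made for the illustration.

```python
import errno
import re

# Constructed sample: the two records quoted in the message (SYSCALL abbreviated).
SYSCALL = ('type=SYSCALL msg=audit(1228676506.702:50): arch=c000003e syscall=42 '
           'success=no exit=-13 uid=503 comm="spamc" exe="/usr/bin/spamc" '
           'subj=system_u:system_r:spamc_t:s0 key=(null)')
AVC = ('type=AVC msg=audit(1228676506.702:50): avc:  denied  { name_connect } for  '
       'pid=3559 comm="spamc" dest=783 scontext=system_u:system_r:spamc_t:s0 '
       'tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket')

# Subset of the x86_64 (arch=c000003e) syscall table, enough for socket denials.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 43: "accept", 49: "bind"}

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """timestamp:serial from msg=audit(...); equal IDs mean the same event."""
    m = re.search(r'msg=audit\(([\d.]+:\d+)\)', record)
    return m.group(1) if m else None

def explain(syscall_rec, avc_rec):
    """Pair a SYSCALL and an AVC record and summarise the denial."""
    if event_id(syscall_rec) is None or event_id(syscall_rec) != event_id(avc_rec):
        raise ValueError("records do not belong to the same audit event")
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', avc_rec)
    if denied is None:
        raise ValueError("not an AVC denial")
    sc, avc = fields(syscall_rec), fields(avc_rec)
    perms = denied.group(1).split()
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    source = avc["scontext"].split(":")[2]   # user:role:type:level -> type
    target = avc["tcontext"].split(":")[2]
    name = None
    if sc.get("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(int(sc["syscall"]))
    return {
        "syscall": name,
        "errno": errno.errorcode.get(-int(sc["exit"])),
        "port": avc.get("dest"),
        # The rule this denial maps to; not necessarily how the policy fix was written.
        "rule": "allow %s %s:%s %s;" % (source, target, avc["tclass"], perm_text),
    }

if __name__ == "__main__":
    for key, value in explain(SYSCALL, AVC).items():
        print(key, "=", value)
```
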