Daniel B. Thurman wrote:
>
> I am getting bombed Spamassassin for which SELinux is complaining:
>
> Dec 22 14:03:01 gold setroubleshoot: SELinux is preventing the
> spamassassin (spamassassin_t) from binding to port 31120. For complete
> SELinux messages. run sealert -l d55ced24-a79c-4712-9ed3-854874f886e3
>
> Please note, this is message one of *many* reports for which the port
> numbers are running up and down the port numbers in the thousands...
> and failing...
>
> Did I mis-configure Spamassassin or is this an SELinux issue?
>
> =========================================================
> # sealert -l d55ced24-a79c-4712-9ed3-854874f886e3:
>
> Summary:
>
> SELinux is preventing the spamassassin (spamassassin_t) from binding to
> port 32733.
>
> Detailed Description:
>
> SELinux has denied the spamassassin from binding to a network port 32733
> which does not have an SELinux type associated with it. If spamassassin is
> supposed to be allowed to listen on this port, you can use the semanage
> command to add this port to a port type that spamassassin_t can bind to.
> semanage port -l will list all port types. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the
> selinux-policy package. If spamassassin is not supposed to bind to this
> port, this could signal a intrusion attempt. If this system is running as
> an NIS Client, turning on the allow_ypbind boolean, may fix the problem.
> setsebool -P allow_ypbind=1.
>
> Allowing Access:
>
> If you want to allow spamassassin to bind to this port semanage port -a -t
> PORT_TYPE -p PROTOCOL 32733 Where PORT_TYPE is a type that spamassassin_t
> can bind and PROTOCOL is udp or tcp.
>
> Additional Information:
>
> Source Context                system_u:system_r:spamassassin_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ udp_socket ]
> Source                        spamassassin
> Source Path                   /usr/bin/perl
> Port                          32733
> Host                          gold.cdkkt.com
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-111.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   bind_ports
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.27.7-53.fc9.i686 #1 SMP
>                               Thu Nov 27 02:29:03 EST 2008 i686 i686
> Alert Count                   3378
> First Seen                    Mon Dec 22 14:00:08 2008
> Last Seen                     Mon Dec 22 14:00:20 2008
> Local ID                      d55ced24-a79c-4712-9ed3-854874f886e3
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc:
> denied { name_bind } for pid=6493 comm="spamassassin" src=32733
> scontext=system_u:system_r:spamassassin_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
> =========================================================
>
> Thanks!
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Does turning on the boolean spamassassin_can_network solve your problem?

setsebool -P spamassassin_can_network 1
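
An added example (not part of the original thread): a small Python triage script that groups `name_bind` AVC denials by source domain and target port type, showing when the denials are spread across many ports that carry only the generic `port_t` label, so that labelling ports one at a time with `semanage port -a` is impractical. The first sample record is the raw audit message from the post; the other records, the helper names and the threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. Record 1 is the raw audit message quoted in the post;
# records 2-4 are constructed (their timestamps, pids, port 40211, example_t).
SAMPLE = """\
node=gold.cdkkt.com type=AVC msg=audit(1229983220.80:14243): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=32733 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=gold.cdkkt.com type=AVC msg=audit(1229983220.81:14244): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=31120 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=gold.cdkkt.com type=AVC msg=audit(1229983220.82:14245): avc: denied { name_bind } for pid=6493 comm="spamassassin" src=40211 scontext=system_u:system_r:spamassassin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=gold.cdkkt.com type=AVC msg=audit(1229983221.10:14246): avc: denied { read } for pid=7001 comm="example" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def summarize_name_bind(lines):
    """Map (source type, target type, class) -> sorted distinct ports denied."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and "name_bind" in rec["perms"] and "src" in rec:
            key = (rec["scontext"].split(":")[2],   # e.g. spamassassin_t
                   rec["tcontext"].split(":")[2],   # e.g. port_t
                   rec["tclass"])
            groups[key].add(int(rec["src"]))
    return {k: sorted(v) for k, v in groups.items()}

def many_unlabeled_ports(summary, threshold=3):
    """Groups denied on >= threshold distinct port_t ports (threshold is an assumption)."""
    return [k for k, ports in summary.items()
            if k[1] == "port_t" and len(ports) >= threshold]

if __name__ == "__main__":
    summary = summarize_name_bind(SAMPLE.splitlines())
    for (src, tgt, cls), ports in summary.items():
        print(f"{src} -> {tgt} [{cls}]: {len(ports)} ports, {ports[0]}-{ports[-1]}")
    print("per-port labelling impractical for:", many_unlabeled_ports(summary))
```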