On Wed, 18 Feb 2009 17:53:41 -0500 "G.Wolfe Woodbury" ggw@wolves.durham.nc.us wrote:
Similar to the mailman problem, SELinux doesn't understand the interactions between sendmail and spamassassin. In this case, however, the spamassassin stuff quits working completely.
This installation of spamassassin uses the "spamc" daemon, and mails are passed to that daemon from users' .procmailrc files. (This allows the user to opt-in/opt-out of spam detection on their own by altering their own .procmailrc file.)
SELinux complains a lot because every message passed from the user delivery chain gets a denial because "sendmail" (actually procmail) has no permissions to write the spamassassin spamc socket:
type=AVC msg=audit(1234094494.975:3163): avc: denied { read write } for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs ino=2166561 scontext=system_u:system_r:spamc_t:s0 context=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
This is actually spamc failing to read/write a sendmail socket and is most likely to be a leaked file descriptor in the sendmail local delivery process, as per Bug #485426. Do you have *any* milters in your sendmail config?
I don't fully understand some of the concepts used in SELinux, and am running F10+updates in "permissive" mode so that things work but I get notified of "abnormal" events.
Additionally, other aspects of the sendmail/spamassassin interaction attract SELinux complaints (getattr of spamc socket, etc.), but I get thousands of complaints about the read/write of the spamc socket. (about 8 active e-mail accounts, several of which are spam traps.)
Thanks for your attention and patience.
Can you post examples of the other denials you get?
Paul.
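
An added example, not part of the original thread: a small triage script that groups AVC denials like the one quoted above and flags those that fit the inherited-descriptor pattern described in the reply (an anonymous socket labelled with a different process domain than the one being denied). The sample records after the first, the function names and the `looks_inherited` heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the first record follows the denial quoted in the thread;
# the others (pids, inodes, paths) are made up for illustration.
SAMPLE = [
    'type=AVC msg=audit(1234094494.975:3163): avc: denied { read write } for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs ino=2166561 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1234094501.112:3170): avc: denied { read write } for pid=640 comm="spamc" path="socket:[2166999]" dev=sockfs ino=2166999 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1234094502.300:3171): avc: denied { getattr } for pid=641 comm="spamc" path="/home/user/.spamassassin" dev=dm-0 ino=4242 scontext=system_u:system_r:spamc_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1234094502.300:3171): arch=40000003 syscall=195 success=yes',
]

def _type(ctx):
    """Extract the type field from a user:role:type:level context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else "?"

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    # Audit records use tcontext=; the line as quoted in the thread shows
    # context=, so accept either spelling.
    tctx = kv.get("tcontext") or kv.get("context", "")
    return {"comm": kv.get("comm", "?"), "perms": " ".join(m.group(1).split()),
            "source": _type(kv.get("scontext", "")), "target": _type(tctx),
            "tclass": kv.get("tclass", "?"), "path": kv.get("path", "")}

def looks_inherited(rec):
    """Heuristic (an assumption of this example): an anonymous socket labelled
    with another process domain was probably opened there and inherited."""
    return (rec["path"].startswith("socket:[")
            and rec["tclass"].endswith("_socket")
            and rec["source"] != rec["target"])

def summarize(lines):
    """Count denials per (comm, source, target, tclass, perms, inherited?)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            counts[(rec["comm"], rec["source"], rec["target"], rec["tclass"],
                    rec["perms"], looks_inherited(rec))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Grouping this way collapses thousands of identical per-message denials into one row each, so the less frequent denials stand out.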