Paul Howarth wrote:
On Wed, 18 Feb 2009 17:53:41 -0500 "G.Wolfe Woodbury" ggw@wolves.durham.nc.us wrote:
Similar to the mailman problem, SELinux doesn't understand the interactions between sendmail and spamassassin. In this case, however, the spamassassin stuff quits working completely.
This installation of spamassassin uses the "spamc" daemon, and mails are passed to that daemon from user's .procmailrc files. (This allows the user to opt-in/opt-out of spam detection on their own by altering their own .procmailrc file.)
SELinux complains a lot because every message passwd from the user delivery chain gets a denial because "sendmail" (actually procmail) has no permissions to write the spamassassin spamc socket:
type=AVC msg=audit(1234094494.975:3163): avc: denied { read write } for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs ino=2166561 scontext=system_u:system_r:spamc_t:s0 context=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
This is actually spamc failing to read/write a sendmail socket and is most likely to be a leaked file descriptor in the sendmail local delivery process, as per Bug #485426. Do you have *any* milters in your sendmail config?
Well, there is a clamav-milter in place to check incoming mail for viruses as some users read mail via OE and Windows Thunderbird. This has never been a problem on this system.
My point is that spamc is doing operations in a sendmail context because sendmail is calling procmail to do local delivery and the first entry in most user .procmailrc filter lists is a pipe to/from spamc. The context is two execs removed from sendmail itself. The policy simply doesn't recognize that a sendmail context is calling spamc several hundred times a day.
I don't fully understand some of the concepts used in SELinux, and am running F10+updates in "permissive" mode so that things work but I get notified of "abnormal" events.
Additionally, other aspects of the sendmail/spamassassin interaction attract SELinux complaints. (getattr of spamc socket, etc) but I geet thousands of complaints about the read/write of the spamc socket. (about 8 active e-mail accounts, several of which are spam traps.)
Thanks for your attention and patience.
Can you post examples of the other denials you get?
Paul.
On closer examination, there are no other spamassassin/sendmail AVCs. I have a few clamav-sendmail context AVCs, but that are 6 a day vs. 1200 a day for the spamc AVCs.
Actually reading through the selinux trapper messages is making some things clearer. I'm now more convinced that this is a policy issue rather than a bug.