I posted a long investigation of the interaction between sendmail, spamassassin, and spamass-milter in Fedora User's group. You can go there to get the full details of that investigation, if you'd like:
Author: Daniel B. Thurman Subject: F8 (and FX?]: Sendmail, Spamassassin, and Spamass-Milter issues.
As it seems, it appears that spamass-milter is the crux of the problem: 1) Starting spamass-milter from services (/etc/init.d) fails to create a socket 2) Starting spamass-milter does not properly set it's socks security context. These problems appear for both F8 and F9.
But in any case, starting spamass-milter manually: # spamass-milter -p '/var/run/spamass-milter/spamass-milter.sock' -f
But unfortunately the security context is wrong, which is: srwxr-xr-x root root unconfined_u:object_r:var_run_r:s0 spamass-milter.sock
Even so, setroubleshoot, says to do the following: restorecon -v '/var/run/spamass-milter/spamass-milter.sock',
Changes the security context to: srwxr-xr-x root root system_u:object_r:spamd_var_run_t:s0 spamass-milter.sock
Which I believe is still incorrect, because it is assigned to spamd_var_run_t, in my opinion, is still not allowing sendmail rights to access this filter.
Whatever the actual problem is., I am still getting errors in the message/maillog log files saying that spamass-milter fails to run the filter.
For testing, I tried to manually set the socket to: sendmail_var_t or sendmail_t, but chcon denies permissions to do so. I am unable to test to see what the security context actually should be.
Please note, that I did not have any more problems with spamass-milter for awhile, until the latest releases of F8 has broken it. I also note that F9 broke as well.
Can someone please help?
Thanks! Dan Thurman
On Sat, 06 Dec 2008 10:33:16 PST, "Daniel B. Thurman" wrote: [snip]
Can someone please help?
I don't have any input on what works, just wanted to chime in to say there is at least one other site that is having the very same issues.
Paul Howarth had some example code for enabling some other milters to play with sendmail, but AFAICT it never went any where.
++doug
On Sat, 06 Dec 2008 18:48:07 -0600 Doug Maxey dwm@enoyolf.org wrote:
On Sat, 06 Dec 2008 10:33:16 PST, "Daniel B. Thurman" wrote: [snip]
Can someone please help?
I don't have any input on what works, just wanted to chime in to say there is at least one other site that is having the very same issues.
Paul Howarth had some example code for enabling some other milters to play with sendmail, but AFAICT it never went any where.
The code has very recently been merged in upstream selinux reference policy. I'm hoping that Dan will include it in updates to selinux-policy soon, though he's reluctant to update F8 policy for a non-security issue so close to F8 EOL.
You might want to chime in on one or more of the following buzgilla tickets:
https://bugzilla.redhat.com/show_bug.cgi?id=446975 (spamass-milter pid file denials)
https://bugzilla.redhat.com/show_bug.cgi?id=452248 (RFE: make the milter more postfix-friendly)
https://bugzilla.redhat.com/show_bug.cgi?id=455820 (AVC errors when launching spamc (spamass-milter for sendmail))
Paul.
On Sun, 07 Dec 2008 13:08:08 GMT, Paul Howarth wrote:
On Sat, 06 Dec 2008 18:48:07 -0600 Doug Maxey dwm@enoyolf.org wrote:
[snip]
The code has very recently been merged in upstream selinux reference policy. I'm hoping that Dan will include it in updates to selinux-policy soon,
That would be wonderful.
though he's reluctant to update F8 policy for a non-security issue so close to F8 EOL.
You might want to chime in on one or more of the following buzgilla tickets:
https://bugzilla.redhat.com/show_bug.cgi?id=446975 (spamass-milter pid file denials)
https://bugzilla.redhat.com/show_bug.cgi?id=452248 (RFE: make the milter more postfix-friendly)
https://bugzilla.redhat.com/show_bug.cgi?id=455820 (AVC errors when launching spamc (spamass-milter for sendmail))
Thanks, will look into those when $DAYJOB is not taking up 200% of my time. :)
++doug
selinux@lists.fedoraproject.org