Re: SELinux doesn't understand sendmail<->spamassassin interactions
- From: Paul Howarth <paul city-fan org>
- To: "G.Wolfe Woodbury" <ggw wolves durham nc us>
- Cc: Fedora and SELinux discussions <fedora-selinux-list redhat com>
- Subject: Re: SELinux doesn't understand sendmail<->spamassassin interactions
- Date: Wed, 18 Feb 2009 23:02:32 +0000
On Wed, 18 Feb 2009 17:53:41 -0500
"G.Wolfe Woodbury" <ggw wolves durham nc us> wrote:
> Similar to the mailman problem, SELinux doesn't understand the
> interactions between sendmail and spamassassin. In this case,
> however, the spamassassin stuff quits working completely.
>
> This installation of spamassassin uses the "spamc" daemon, and mails
> are passed to that daemon from users' .procmailrc files. (This allows
> the user to opt-in/opt-out of spam detection on their own by altering
> their own .procmailrc file.)
>
> SELinux complains a lot because every message passed from the user
> delivery chain gets a denial because "sendmail" (actually procmail)
> has no permissions to write the spamassassin spamc socket:
>
> type=AVC msg=audit(1234094494.975:3163): avc: denied { read write }
> for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs
> ino=2166561 scontext=system_u:system_r:spamc_t:s0
> context=system_u:system_r:sendmail_t:s0
> tclass=unix_stream_socket
This is actually spamc failing to read/write a sendmail socket and is
most likely to be a leaked file descriptor in the sendmail local
delivery process, as per Bug #485426. Do you have *any* milters in your
sendmail config?
> I don't fully understand some of the concepts used in SELinux, and am
> running F10+updates in "permissive" mode so that things work but I
> get notified of "abnormal" events.
>
> Additionally, other aspects of the sendmail/spamassassin interaction
> attract SELinux complaints. (getattr of spamc socket, etc) but I get
> thousands of complaints about the read/write of the spamc socket.
> (about 8 active e-mail accounts, several of which are spam traps.)
>
> Thanks for your attention and patience.
Can you post examples of the other denials you get?
Paul.
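
Added example, not part of the original message: a small parser that reads an AVC denial the way the reply does, with scontext as the denied process and the target context as the label on the object, and flags the read/write-on-another-domain's-socket pattern that points at an inherited descriptor. The sample record is constructed from the one quoted above using the standard `tcontext=` field name; the function names and the leaked-descriptor heuristic are assumptions of this example.

```python
import re

# Constructed sample modelled on the denial quoted in the thread, written
# with the standard "tcontext=" field name for the target context.
SAMPLE = (
    'type=AVC msg=audit(1234094494.975:3163): avc: denied { read write } '
    'for pid=612 comm="spamc" path="socket:[2166561]" dev=sockfs '
    'ino=2166561 scontext=system_u:system_r:spamc_t:s0 '
    'tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Object classes that carry the domain label of the process that created them.
FD_CLASSES = {'unix_stream_socket', 'unix_dgram_socket', 'tcp_socket',
              'udp_socket', 'fifo_file'}

def parse_avc(record):
    """Parse one AVC denial (possibly line-wrapped or '>'-quoted) into a dict."""
    lines = (re.sub(r'^\s*>\s?', '', ln) for ln in record.splitlines())
    flat = ' '.join(' '.join(lines).split())
    m = AVC_RE.search(flat)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    f['perms'] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third element.
    for key in ('scontext', 'tcontext'):
        parts = f.get(key, '').split(':')
        f[key[0] + 'type'] = parts[2] if len(parts) > 2 else None
    return f

def explain(f):
    # scontext names the denied process (subject); tcontext labels the object.
    return (f"{f.get('comm')} running as {f['stype']} was denied "
            f"{'/'.join(f['perms'])} on a {f.get('tclass')} labelled {f['ttype']}")

def looks_like_leaked_fd(f):
    """Heuristic (assumption): only read/write/append, on a socket or pipe
    labelled with a different domain, suggests an inherited descriptor."""
    return (f['stype'] is not None and f['ttype'] is not None
            and f['stype'] != f['ttype']
            and set(f['perms']) <= {'read', 'write', 'append'}
            and f.get('tclass') in FD_CLASSES)

if __name__ == '__main__':
    d = parse_avc(SAMPLE)
    print(explain(d))
    print('possible leaked descriptor:', looks_like_leaked_fd(d))
```

A record that lacks a `tcontext=` field parses with `ttype` set to `None` and is not flagged.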