spamass-milter initrc_t issues

Dan Thurman dant at cdkkt.com
Sat Jan 26 22:04:05 UTC 2008 

I have tried in vain to resolve the spamass-milter issue and selinux.  Nothing 
I have tried manually, worked to resolve this issue.  The specific issues 
that I had was that selinux was expecting spamass-milter to be of type 
initrc_t.

I have simply turned off spamass-milter in my sendmail.mc file until I can get 
this issue resolved.

Here are some examples of complaints:

/var/log/maillog:
========================
Jan 26 13:56:47 gold sendmail[2408]: m0QLuhZk002408: from=dant, size=53, 
class=0, nrcpts=1, msgid=<200801262156.m0QLuhZk002408 at gold.cdkkt.com>, 
relay=dant at localhost
Jan 26 13:56:47 gold sendmail[2410]: m0QLulQ9002410: Milter (spamassassin): 
error connecting to filter: Permission denied
Jan 26 13:56:47 gold sendmail[2410]: m0QLulQ9002410: Milter (spamassassin): to 
error state
Jan 26 13:56:47 gold sendmail[2410]: STARTTLS=server, 
relay=localhost.localdomain [127.0.0.1], version=TLSv1/SSLv3, verify=NO, 
cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 26 13:56:47 gold sendmail[2408]: STARTTLS=client, relay=[127.0.0.1], 
version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 26 13:56:50 gold sendmail[2410]: m0QLulQA002410: 
from=<dant at gold.cdkkt.com>, size=332, class=0, nrcpts=1, 
msgid=<200801262156.m0QLuhZk002408 at gold.cdkkt.com>, proto=ESMTP, daemon=MTA, 
relay=localhost.localdomain [127.0.0.1]
Jan 26 13:56:50 gold sendmail[2410]: m0QLulQA002410: Milter add: header: 
X-Virus-Scanned: ClamAV 0.92/5562/Sat Jan 26 03:34:23 2008 on gold.cdkkt.com
Jan 26 13:56:50 gold sendmail[2410]: m0QLulQA002410: Milter add: header: 
X-Virus-Status: Clean
Jan 26 13:56:50 gold sendmail[2408]: m0QLuhZk002408: to=dbthurman at hotmail.com, 
ctladdr=dant (500/500), delay=00:00:07, xdelay=00:00:03, mailer=relay, 
pri=30053, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent 
(m0QLulQA002410 Message accepted for delivery)
Jan 26 13:57:12 gold sendmail[2414]: m0QLulQA002410: 
to=<dbthurman at hotmail.com>, ctladdr=<dant at gold.cdkkt.com> (500/500), 
delay=00:00:23, xdelay=00:00:22, mailer=esmtp, pri=120332, 
relay=mx3.hotmail.com. [65.54.244.200], dsn=2.0.0, stat=Sent ( 
<200801262156.m0QLuhZk002408 at gold.cdkkt.com> Queued mail for delivery)
========================

/var/log/messages:
========================
Jan 26 13:56:53 gold setroubleshoot: #012    SELinux is 
preventing /usr/sbin/sendmail.sendmail (sendmail_t) "connectto" 
to /var/run/spamass-milter/spamass-milter.sock (initrc_t).#012     For 
complete SELinux messages. run sealert -l 
a82ae4e6-5276-4fe6-9db0-44af64ea413d
========================

sealert -l a82ae4e6-5276-4fe6-9db0-44af64ea413d
========================
Summary
    SELinux is preventing /usr/sbin/sendmail.sendmail (sendmail_t) "connectto"
    to /var/run/spamass-milter/spamass-milter.sock (initrc_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/sendmail.sendmail. It is not
    expected that this access is required by /usr/sbin/sendmail.sendmail and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can 
disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a 
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:sendmail_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                /var/run/spamass-milter/spamass-milter.sock [
                              unix_stream_socket ]
Affected RPM Packages         sendmail-8.14.2-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-76.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.23.14-107.fc8 #1 SMP 
Mon
                              Jan 14 21:37:30 EST 2008 i686 i686
Alert Count                   1
First Seen                    Sat Jan 26 13:56:47 2008
Last Seen                     Sat Jan 26 13:56:47 2008
Local ID                      a82ae4e6-5276-4fe6-9db0-44af64ea413d
Line Numbers                  

Raw Audit Messages            

avc: denied { connectto } for comm=sendmail egid=51 euid=0
exe=/usr/sbin/sendmail.sendmail exit=-13 fsgid=51 fsuid=0 gid=0 items=0
path=/var/run/spamass-milter/spamass-milter.sock pid=2410
scontext=system_u:system_r:sendmail_t:s0 sgid=51
subj=system_u:system_r:sendmail_t:s0 suid=0 tclass=unix_stream_socket
tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=0
========================

More information about the fedora-selinux-list mailing list