fedora-selinux August 2010 archive
Main Archive Page > Month Archives  > fedora-selinux archives
fedora-selinux: Re: F12/3: SELinux is preventing /usr/bin/perl f

Re: F12/3: SELinux is preventing /usr/bin/perl from binding to port XXXXX

From: Daniel B. Thurman <dant_at_nospam>
Date: Wed Aug 18 2010 - 14:59:58 GMT
To: Daniel J Walsh <dwalsh@redhat.com>, Fedora SELinux Users <selinux@lists.fedoraproject.org>

 On 08/18/2010 06:36 AM, Daniel J Walsh wrote:
> On 08/17/2010 07:30 PM, Daniel B. Thurman wrote:
>> Every once in awhile I get these spurious message, high CPU usage,
>> repeated denials > 512 times and then it quits. I do not have ypbind,
>> nis, nor nfs installed. I even tried /.autorelabel and same issue comes
>> up. I do have spamassassin installed though.
>> So how do I resolve this?
>> ===================================================
>> Summary:
>> SELinux is preventing /usr/bin/perl from binding to port 32726.
>> Detailed Description:
>> SELinux has denied the spamassassin from binding to a network port 32726
>> which
>> does not have an SELinux type associated with it. If spamassassin should be
>> allowed to listen on 32726, use the semanage command to assign 32726 to
>> a port
>> type that spamc_t can bind to ().
>> If spamassassin is not supposed to bind to 32726, this could signal an
>> intrusion
>> attempt.
>> Allowing Access:
>> If you want to allow spamassassin to bind to port 32726, you can execute
>> # semanage port -a -t PORT_TYPE -p udp 32726
>> where PORT_TYPE is one of the following: .
>> If this system is running as an NIS Client, turning on the allow_ypbind
>> boolean
>> may fix the problem. setsebool -P allow_ypbind=1.
>> Additional Information:
>> Source Context system_u:system_r:spamc_t:s0
>> Target Context system_u:object_r:port_t:s0
>> Target Objects None [ udp_socket ]
>> Source spamassassin
>> Source Path /usr/bin/perl
>> Port 32726
>> Host (removed)
>> Source RPM Packages perl-5.10.1-116.fc13
>> Target RPM Packages
>> Policy RPM selinux-policy-3.7.19-44.fc13
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Enforcing
>> Plugin Name bind_ports
>> Host Name (removed)
>> Platform Linux (removed) #1
>> SMP Fri Jul 23 17:27:40 UTC 2010 i686 i686
>> Alert Count 512
>> First Seen Tue 17 Aug 2010 02:00:10 PM PDT
>> Last Seen Tue 17 Aug 2010 04:05:25 PM PDT
>> Local ID 280d928d-03f6-42c5-99f8-eb23cb24a236
>> Line Numbers
>> Raw Audit Messages
>> node=(removed) type=AVC msg=audit(1282086325.907:81309): avc: denied {
>> name_bind } for pid=23536 comm="spamassassin" src=32726
>> scontext=system_u:system_r:spamc_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
>> node=(removed) type=SYSCALL msg=audit(1282086325.907:81309):
>> arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfae7100
>> a2=654b4d4 a3=9fd1008 items=0 ppid=23535 pid=23536 auid=4294967295
>> uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
>> tty=(none) ses=4294967295 comm="spamassassin" exe="/usr/bin/perl"
>> subj=system_u:system_r:spamc_t:s0 key=(null)
> Why does spamassassin bind to a udp port?
That is the mystery. I do not know why spamassassin breaks and
begin searching for another port. Something seems to be breaking,
but what, I do not know. This issue has been repeated before in
this and past OS version and yet the problem seems to persist.

And yes, we could allow spamassasin unfettered access to ports
but are we masking an underlying issue, i.e. putting off this issue
for another day? Looking at the bug reports, this issue is not being
resolved... or so it seems.

Since there is nothing I can do, but to create a rule to allow unfettered
port access to SpamAssassin... well, here it goes...

> You can add this for now using
> # grep spam /var/log/audit/audit.log | audit2allow -M myspam
> # semodule -i myspam.pp

-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux