Bug 2222910

Summary: Confine the openarc service
Product: Fedora
Component: selinux-policy
Reporter: Zdenek Pytela <zpytela>
Assignee: Zdenek Pytela <zpytela>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 39
CC: dwalsh, lvrabec, minfrin, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Hardware: Unspecified
OS: Linux
Type: Bug
Clone Of: 2217139
Bug Depends On: 2217139

Description Zdenek Pytela 2023-07-14 12:51:16 UTC
+++ This bug was initially created as a clone of Bug #2217139 +++
SELinux blocks openarc / dkim_milter_data_t missing from /run/openarc

Description of problem:

SELinux blocks postfix from connecting to the openarc milter.

Version-Release number of selected component (if applicable):

selinux-policy-38.1.11-2.el9_2.3.noarch


How reproducible:

Always

Steps to Reproduce:
1. Configure postfix to add the openarc milter

Actual results:

type=AVC msg=audit(1687527199.794:156): avc:  denied  { write } for  pid=4174 comm="smtpd" name="openarc.sock" dev="tmpfs" ino=1105 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1


Expected results:

Successful connection.


Additional info:

Current dkim_milter_data_t is as follows.

[root@seawitch ~]# semanage fcontext -l | grep dkim_milter_data_t
/var/lib/dkim-milter(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0 
/var/run/dkim-milter(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0 
/var/run/opendkim(/.*)?                            all files          system_u:object_r:dkim_milter_data_t:s0 
/var/run/opendmarc(/.*)?                           all files          system_u:object_r:dkim_milter_data_t:s0 
/var/spool/opendkim(/.*)?                          all files          system_u:object_r:dkim_milter_data_t:s0 
/var/spool/opendmarc(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0 

The /run/openarc directory is missing:

[root@seawitch ~]# ls -alZ /run/openarc
total 4
drwxr-x---.  2 openarc openarc system_u:object_r:var_run_t:s0   80 Jun 24 10:43 .
drwxr-xr-x. 60 root    root    system_u:object_r:var_run_t:s0 1480 Jun 24 10:44 ..
-rw-rw----.  1 openarc openarc system_u:object_r:var_run_t:s0    5 Jun 24 10:43 openarc.pid
srwxrwx---.  1 openarc openarc system_u:object_r:var_run_t:s0    0 Jun 24 10:43 openarc.sock

Workaround:

semanage fcontext -a -t dkim_milter_data_t '/var/run/openarc(/.*)?'

--- Additional comment from Milos Malik on 2023-06-26 16:25:55 CEST ---

The openarc service is not confined by SELinux. The openarc package comes from EPEL.

# rpm -q openarc
openarc-1.0.0-0.15.Beta3.el9.x86_64
# rpm -ql openarc | xargs matchpathcon
/etc/openarc	system_u:object_r:etc_t:s0
/etc/openarc.conf	system_u:object_r:etc_t:s0
/etc/openarc/PeerList	system_u:object_r:etc_t:s0
/run/openarc	system_u:object_r:var_run_t:s0
/usr/lib/.build-id	system_u:object_r:lib_t:s0
/usr/lib/.build-id/60	system_u:object_r:lib_t:s0
/usr/lib/.build-id/60/c1ee5243451e9e8c2dae2f8e903e29ef117c92	system_u:object_r:lib_t:s0
/usr/lib/systemd/system/openarc.service	system_u:object_r:systemd_unit_file_t:s0
/usr/lib/tmpfiles.d/openarc.conf	system_u:object_r:lib_t:s0
/usr/sbin/openarc	system_u:object_r:bin_t:s0
/usr/share/doc/openarc	system_u:object_r:usr_t:s0
/usr/share/doc/openarc/README	system_u:object_r:usr_t:s0
/usr/share/doc/openarc/RELEASE_NOTES	system_u:object_r:usr_t:s0
/usr/share/doc/openarc/openarc.conf.sample	system_u:object_r:usr_t:s0
/usr/share/licenses/openarc	system_u:object_r:usr_t:s0
/usr/share/licenses/openarc/LICENSE	system_u:object_r:usr_t:s0
/usr/share/licenses/openarc/LICENSE.Sendmail	system_u:object_r:usr_t:s0
/usr/share/man/man5/openarc.conf.5.gz	system_u:object_r:man_t:s0
/usr/share/man/man8/openarc.8.gz	system_u:object_r:man_t:s0
#
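
Added example (not code from the bug report or from the selinux-policy project): a small Python model of what the AVC record and the file-context table above say. It parses the denial into its fields and reproduces the labelling decision for /run/openarc/openarc.sock under the listed dkim_milter_data_t entries, first as reported and then with the workaround entry added. The base /var/run entry and the /run to /var/run prefix rewrite (which a real system takes from file_contexts.subs_dist) are simplified stand-ins, and the most-specific-match rule is an approximation of the libselinux stem ranking.

```python
import re

# AVC record copied from the report above: postfix's smtpd is refused write access
# to a socket file whose label is the generic var_run_t.
AVC_LINE = ('type=AVC msg=audit(1687527199.794:156): avc:  denied  { write } for  pid=4174 '
            'comm="smtpd" name="openarc.sock" dev="tmpfs" ino=1105 '
            'scontext=system_u:system_r:postfix_smtpd_t:s0 '
            'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1')


def parse_avc(line):
    """Split one audit AVC record into a dict: decision, permission list, and every key=value field.

    Also exposes the source and target *types* (third field of the context), which is what
    policy rules are written in terms of.
    """
    m = re.search(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError("not an AVC record")
    result = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        result[key] = quoted if quoted else bare
    result["stype"] = result["scontext"].split(":")[2]
    result["ttype"] = result["tcontext"].split(":")[2]
    return result


# File-context entries as printed by `semanage fcontext -l | grep dkim_milter_data_t` in the
# report. The first entry is a simplified stand-in (assumption) for the base policy rule that
# labels everything under /var/run as var_run_t when nothing more specific matches.
FCONTEXTS = [
    (r"/var/run(/.*)?", "var_run_t"),
    (r"/var/lib/dkim-milter(/.*)?", "dkim_milter_data_t"),
    (r"/var/run/dkim-milter(/.*)?", "dkim_milter_data_t"),
    (r"/var/run/opendkim(/.*)?", "dkim_milter_data_t"),
    (r"/var/run/opendmarc(/.*)?", "dkim_milter_data_t"),
    (r"/var/spool/opendkim(/.*)?", "dkim_milter_data_t"),
    (r"/var/spool/opendmarc(/.*)?", "dkim_milter_data_t"),
]

# The workaround from the report, expressed as the entry `semanage fcontext -a` would add.
WORKAROUND_ENTRY = (r"/var/run/openarc(/.*)?", "dkim_milter_data_t")
WITH_WORKAROUND = FCONTEXTS + [WORKAROUND_ENTRY]

# /run is treated as an alias of /var/run for labelling (file_contexts.subs_dist on a real
# system); modelled here as a plain prefix rewrite (assumption).
PATH_SUBS = [("/run", "/var/run")]


def _stem(regex):
    """Literal prefix of a regex up to its first metacharacter; longer stems are more specific."""
    return re.split(r"[.*?+^$|()\[\]{}\\]", regex, maxsplit=1)[0]


def lookup_type(path, fcontexts=FCONTEXTS):
    """Return the type a path would be labelled with, or None if no entry matches.

    Approximates libselinux: among all matching entries the one with the longest literal
    stem (most specific path prefix) wins.
    """
    for alias, real in PATH_SUBS:
        if path == alias or path.startswith(alias + "/"):
            path = real + path[len(alias):]
    matches = [(len(_stem(rx)), t) for rx, t in fcontexts if re.fullmatch(rx, path)]
    if not matches:
        return None
    return max(matches)[1]


def diagnose(avc_line, sock_path, fcontexts=FCONTEXTS):
    """Summarise the denial and the label the socket path gets under a given context table."""
    avc = parse_avc(avc_line)
    return {
        "source": avc["stype"],
        "target": avc["ttype"],
        "perms": avc["perms"],
        "tclass": avc["tclass"],
        "enforced": avc.get("permissive") != "1",
        "label_for_path": lookup_type(sock_path, fcontexts),
    }


if __name__ == "__main__":
    sock = "/run/openarc/openarc.sock"   # path from the `ls -alZ /run/openarc` listing
    print("as reported:    ", diagnose(AVC_LINE, sock))
    print("with workaround:", diagnose(AVC_LINE, sock, WITH_WORKAROUND))
```

Two details the model makes visible: the record carries permissive=1, so on the reporting host the access was logged but not actually blocked, and the workaround only changes the stored context table, so existing files under /run/openarc still need relabelling (restorecon -Rv /run/openarc, or a service restart that recreates the socket) before the new label takes effect.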

Comment 1 Graham Leggett 2023-07-21 18:33:13 UTC
> The openarc service is not confined by SELinux. The openarc package comes from EPEL.

Openarc is a milter, which by definition can only be connected to by postfix/sendmail if openarc is confined by selinux.

Please either:

- Add openarc to dkim_milter_data_t as requested; or
- remove selinux from postfix/sendmail, as the config is not usable without switching selinux off.

Comment 2 Fedora Release Engineering 2023-08-16 08:12:51 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.