Bug 718219
Summary: | RFE: let postfix use dkim-milter | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Cristian Ciupitu <cristian.ciupitu>
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 5.6 | CC: | bgollahe, dwalsh, ksrot, mmalik
Target Milestone: | rc | Keywords: | FutureFeature, Reopened
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-2.4.6-322.el5 | Doc Type: | Enhancement
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-02-21 05:47:20 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 771700, 772019 | |
Description
Cristian Ciupitu
2011-07-01 13:07:54 UTC
The support for dkim-milter needs to be backported.

Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.

We have this working in RHEL6. I believe we want to make this work also in RHEL5.

Fixed in selinux-policy-2.4.6-318.el5

I've upgraded to EL6 in the meantime and I'm getting SELinux denials with selinux-policy-3.7.19-93.el6_1.7.noarch as well:

```
time->Mon Oct 24 19:07:15 2011
type=SYSCALL msg=audit(1319472435.719:75): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfa652d0 a2=8b9ff4 a3=bfa653ae items=0 ppid=1099 pid=1512 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319472435.719:75): avc: denied { connectto } for pid=1512 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472435.719:75): avc: denied { write } for pid=1512 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319472435.719:75): avc: denied { search } for pid=1512 comm="smtpd" name="dkim-milter" dev=vda2 ino=15480 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Mon Oct 24 19:07:16 2011
type=SYSCALL msg=audit(1319472436.072:78): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bfdbf3a0 a2=f06ff4 a3=1a9de70 items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472436.072:78): avc: denied { read write } for pid=1526 comm="cleanup" path="socket:[12136]" dev=sockfs ino=12136 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
----
time->Mon Oct 24 19:07:16 2011
type=SYSCALL msg=audit(1319472436.073:79): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfdbf350 a2=f06ff4 a3=1aa29e0 items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472436.073:79): avc: denied { getattr } for pid=1526 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
----
time->Mon Oct 24 19:07:30 2011
type=SYSCALL msg=audit(1319472450.570:80): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfdbf2e0 a2=f06ff4 a3=bfdbf3be items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472450.570:80): avc: denied { connectto } for pid=1526 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472450.570:80): avc: denied { write } for pid=1526 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319472450.570:80): avc: denied { search } for pid=1526 comm="cleanup" name="dkim-milter" dev=vda2 ino=15480 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Mon Oct 24 19:10:02 2011
type=SYSCALL msg=audit(1319472602.004:81): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfe19e70 a2=4abff4 a3=bfe19f4e items=0 ppid=1099 pid=1538 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319472602.004:81): avc: denied { write } for pid=1538 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
```

We have this fixed in the latest RHEL6 release which is available on http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

I've upgraded to selinux-policy-3.7.19-119.el6.noarch (postfix-2.6.6-2.2.el6_1.i686, dkim-milter-2.8.3-8.el6.i686) and I'm still getting the following SELinux denials when running in permissive mode:

```
----
time->Thu Oct 27 18:25:42 2011
type=SYSCALL msg=audit(1319729142.651:136): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff1e930 a2=6ecff4 a3=bff1ea0e items=0 ppid=16760 pid=16845 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=unconfined_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319729142.651:136): avc: denied { connectto } for pid=16845 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729142.651:136): avc: denied { write } for pid=16845 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729142.651:136): avc: denied { search } for pid=16845 comm="cleanup" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:27:41 2011
type=SYSCALL msg=audit(1319729261.076:137): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8c4ca0 a2=2b9ff4 a3=bf8c4d7e items=0 ppid=16760 pid=16851 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729261.076:137): avc: denied { connectto } for pid=16851 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729261.076:137): avc: denied { write } for pid=16851 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729261.076:137): avc: denied { search } for pid=16851 comm="smtpd" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:28:39 2011
type=SYSCALL msg=audit(1319729319.967:138): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8c4ca0 a2=2b9ff4 a3=bf8c4d7e items=0 ppid=16760 pid=16851 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729319.967:138): avc: denied { search } for pid=16851 comm="smtpd" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:28:56 2011
type=SYSCALL msg=audit(1319729336.285:139): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfef7f50 a2=8ecff4 a3=bfef802e items=0 ppid=16760 pid=16863 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729336.285:139): avc: denied { write } for pid=16863 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
```

```
# audit2allow -m mypostfix < postfix_dkim_denials.txt

module mypostfix 1.0;

require {
	type dkim_milter_data_t;
	type dkim_milter_t;
	type postfix_smtpd_t;
	type postfix_cleanup_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t dkim_milter_data_t:dir search;
allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t dkim_milter_data_t:dir search;
allow postfix_smtpd_t dkim_milter_data_t:sock_file write;
allow postfix_smtpd_t dkim_milter_t:unix_stream_socket connectto;
```

We have this for milter_stream_connect_all(postfix_smtp_t); we need this also for _smtpd_t, _cleanup_t.

Fixed in selinux-policy-2.4.6-320.el5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
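As an added example (not from the bug report or from the selinux-policy project), the following Python script parses AVC records of the kind quoted above, collapses the denials into one allow rule per source type, target type and object class the way audit2allow does, and lists which Postfix domains attempted connectto on the dkim_milter_t socket. The sample records are constructed from the ones in the bug, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample (hypothetical input) built from the AVC records quoted in the bug, plus
# one SYSCALL record that must be ignored. success=yes on a SYSCALL record paired with an
# AVC denial is what permissive mode looks like: the denial is logged but the call succeeds.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1319729142.651:136): avc: denied { connectto } for pid=16845 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729142.651:136): avc: denied { write } for pid=16845 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729142.651:136): avc: denied { search } for pid=16845 comm="cleanup" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
type=AVC msg=audit(1319729261.076:137): avc: denied { connectto } for pid=16851 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472436.072:78): avc: denied { read write } for pid=1526 comm="cleanup" path="socket:[12136]" dev=sockfs ino=12136 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1319729142.651:136): arch=40000003 syscall=102 success=yes exit=0 comm="cleanup"
"""

# Only the fields a rule needs: the permission set and the source/target context plus class.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Third colon-separated field of user:role:type:level is the SELinux type."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL, PATH and other record types carry no denial and are skipped
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))

def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class), audit2allow-style."""
    grouped = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        grouped[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, "{ %s }" % p if len(perms) > 1 else p))
    return rules

def milter_clients(text, milter_type="dkim_milter_t"):
    """Domains that tried to connect to the milter socket: the set the policy must cover."""
    return sorted({src for src, tgt, cls, perms in parse_avc(text)
                   if tgt == milter_type and cls == "unix_stream_socket" and "connectto" in perms})
```

A local module built from such rules is a stop-gap for one host; the fix shipped for this bug grants the access through the policy's milter_stream_connect_all() interface for the postfix_smtpd_t and postfix_cleanup_t domains, as the maintainer's comment above says.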