Bug 983551

Summary: SELinux blocks OpenDMARC (<-> Postfix)
Product: Red Hat Enterprise Linux 6
Reporter: Patrick <rh_bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dwalsh, herrold, mmalik, patrick, rh_bugzilla
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-228.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:45:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On:
Bug Blocks: 905304

Description Patrick 2013-07-11 08:56:55 EDT
Description of problem:
SELinux does not yet have a policy for OpenDMARC so it generates AVCs

Version-Release number of selected component (if applicable):
OpenDMARC 1.1.3 (based on https://bugzilla.redhat.com/show_bug.cgi?id=905304)

$ rpm -qa | grep selinux
selinux-policy-3.7.19-195.el6_4.12.noarch
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64

How reproducible:
Install OpenDMARC 1.1.3, configure it, configure milter in Postfix, start OpenDMARC, reload Postfix, send test message to Postfix server, see AVCs being generated

Steps to Reproduce:
1. install and configure OpenDMARC, Postfix
2. send test email to Postfix server
3. see AVCs being generated

Actual results:
OpenDMARC is blocked and interaction between Postfix and OpenDMARC is blocked.

Expected results:
No blockage, everything working, more spam defeated.

Additional info:

OpenDMARC is another new anti-spam tool with the Internet's 800-pound gorillas already using it (Google, Facebook, etc.). Currently it is not yet available in any Fedora or EPEL repo (review in progress in bz905304). Lacking an SELinux policy will prevent OpenDMARC from working properly. To prevent this I am submitting this report in the hopes that when OpenDMARC shows up in Fedora & EPEL it will work out of the box right away.

OpenDMARC works pretty much the same as OpenDKIM so perhaps that policy can be used as a basis to save some time.

The OpenDMARC default config uses the following files, directories and commands:

Config file /etc/opendmarc.conf
BaseDirectory /var/run/opendmarc
HistoryFile /var/spool/opendmarc/opendmarc.dat
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc.pid
ReportCommand /usr/sbin/sendmail -t
Socket /var/run/opendmarc/opendmarc.sock
Socket inet:8893@localhost
SyslogFacility mail (must be able to log to /var/log/maillog)
TemporaryDirectory /var/tmp
UserID  opendmarc:mail


The AVCs I found thus far (using socket /var/run/opendmarc/opendmarc.sock):

type=AVC msg=audit(1373546882.708:293036): avc:  denied  { write } for  pid=18947 comm="smtpd" name="opendmarc.sock" dev=vda2 ino=5376619 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1373546882.708:293036): avc:  denied  { connectto } for  pid=18947 comm="smtpd" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1373546883.814:293038): avc:  denied  { connectto } for  pid=18977 comm="cleanup" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1373546873.676:293034): avc:  denied  { read } for  pid=18971 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

If you need more information please let me know. Thanks!
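The four AVC records above tell the triage story by themselves: Postfix's confined domains (postfix_smtpd_t, postfix_cleanup_t) are denied access to a socket whose peer runs in initrc_t, meaning the daemon has no SELinux domain of its own yet, and the socket file carries the generic var_run_t label because no file context rule exists for it. The following script is an added example (not part of this bug report or of selinux-policy) that parses raw AVC lines, groups the denials the way audit2allow would, and flags exactly those two labeling symptoms so that the reader reaches for a file context rule rather than a broad allow rule. The input is the four records quoted in the description; the function and variable names are the example's own.

```python
"""Triage of SELinux AVC denial records (hypothetical helper, not part of selinux-policy).

Parses raw audit AVC lines, groups denied permissions by
(source type, target type, object class), and flags two labeling symptoms:
a peer process still running in initrc_t (no policy domain defined for it)
and target objects carrying a generic label such as var_run_t.
"""
import re
from collections import defaultdict

# The four AVC records quoted in the bug description (copied from the report, not constructed).
AVC_LINES = """\
type=AVC msg=audit(1373546882.708:293036): avc:  denied  { write } for  pid=18947 comm="smtpd" name="opendmarc.sock" dev=vda2 ino=5376619 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373546882.708:293036): avc:  denied  { connectto } for  pid=18947 comm="smtpd" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1373546883.814:293038): avc:  denied  { connectto } for  pid=18977 comm="cleanup" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1373546873.676:293034): avc:  denied  { read } for  pid=18971 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp, serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$'
)
# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Generic labels that usually mean "no file context rule exists for this path yet".
GENERIC_TYPES = {"var_run_t", "var_t", "var_spool_t", "var_lib_t", "bin_t", "tmp_t", "var_tmp_t"}


def ctx_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = bare if bare else quoted
    rec["stype"] = ctx_type(rec["scontext"])
    rec["ttype"] = ctx_type(rec["tcontext"])
    return rec


def parse_all(text):
    """Parse every AVC record in a block of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            groups[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return dict(groups)


def to_allow_rule(stype, ttype, tclass, perms):
    """Render the rule audit2allow would emit for a group (shown for triage, not as the fix)."""
    p = " ".join(sorted(perms))
    if len(perms) > 1:
        return f"allow {stype} {ttype}:{tclass} {{ {p} }};"
    return f"allow {stype} {ttype}:{tclass} {p};"


def triage(record):
    """Explain what a denial says about labeling instead of which permission to allow."""
    notes = []
    if record["ttype"] == "initrc_t" and record["tclass"].endswith("socket"):
        notes.append("peer process runs in initrc_t: the daemon has no SELinux domain of its own yet")
    if record["ttype"] in GENERIC_TYPES:
        notes.append(f"target carries generic label {record['ttype']}: "
                     "the path needs a file context rule, not a broad allow")
    return notes


if __name__ == "__main__":
    recs = parse_all(AVC_LINES)
    for (stype, ttype, tclass), perms in summarize(recs).items():
        print(to_allow_rule(stype, ttype, tclass, perms))
    for r in recs:
        for note in triage(r):
            print(f"serial {r['serial']} ({r['comm']}): {note}")
```

Run stand-alone, the script prints the four audit2allow-style rules followed by the triage notes; the notes for the connectto denials and for the var_run_t sock_file are what point at the fix the thread converges on (a domain for the daemon and labels for its files), whereas the printed allow rules against initrc_t and var_run_t would merely grant Postfix access to anything carrying those broad types.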
Comment 2 Milos Malik 2013-07-12 05:49:31 EDT
We also need a policy for opendmarc:

# service opendmarc status
opendmarc is stopped
# service opendmarc start
Starting OpenDMARC Milter: [  OK  ]
# service opendmarc status
opendmarc (pid  16994) is running...
# ps -efZ | grep dmarc
unconfined_u:system_r:initrc_t:s0 498    16994     1  0 05:46 ?        00:00:00 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17007 12434  0 05:46 pts/0 00:00:00 grep dmarc
#
Comment 3 Patrick Laimbock 2013-07-19 10:28:14 EDT
Testing an SELinux policy is preferably done on EL6 since that's what my mailserver runs on. So it would be most appreciated if you could make a policy available for EL6 first or in addition to one for Fedora. Thanks!
Comment 4 Miroslav Grepl 2013-07-23 10:15:08 EDT
Could you try to execute

# chcon -t dkim_milter_exec_t /usr/sbin/opendmarc
# chcon -R -t dkim_milter_data_t /var/run/opendmarc /var/spool/opendmarc

and re-test it.

Thank you.
Comment 5 Patrick Laimbock 2013-07-23 14:58:16 EDT
Hi Miroslav. Here are the results:

Old: 
$ ls -Z /usr/sbin/opendmarc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/opendmarc
$ ls -Z /var/spool/opendmarc/
-rw-rw----. opendmarc mail unconfined_u:object_r:var_spool_t:s0 opendmarc.dat

Change:
$ sudo chcon -t dkim_milter_exec_t /usr/sbin/opendmarc
$ chcon -R -t dkim_milter_data_t /var/run/opendmarc /var/spool/opendmarc

New:
$ ls -Z /usr/sbin/opendmarc
-rwxr-xr-x. root root system_u:object_r:dkim_milter_exec_t:s0 /usr/sbin/opendmarc
$ ls -Z /var/run/opendmarc /var/spool/opendmarc
-rw-rw----. opendmarc mail unconfined_u:object_r:dkim_milter_data_t:s0 opendmarc.dat

When sending mail I no longer see any AVCs in enforced or in permissive mode in /var/log/audit/audit.log.

Please note that I could only test it with opendmarc using a socket.
Comment 6 Miroslav Grepl 2013-07-24 01:23:20 EDT
I added to Fedora

commit fa78971ce5af7886b1a5f799b558ca38a4086411
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 24 07:21:15 2013 +0200

    Add support for OpenDMARC

and will back port.

Thank you for testing.
Comment 14 errata-xmlrpc 2013-11-21 05:45:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html