https://bugzilla.redhat.com/show_bug.cgi?id=905304#c41

OpenDMARC is being added to Fedora; in testing it, I found selinux-policy-targeted blocks it from binding to a port, which it needs to do. By default it's configured to bind to port 8893.

Oct 22 22:16:45 mail.happyassassin.net kernel: type=1400 audit(1382505405.071:12314): avc: denied { name_bind } for pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: OpenDMARC Filter: Unable to bind to port inet:8893@localhost: Permission denied
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: OpenDMARC Filter: Unable to create listening socket on conn inet:8893@localhost
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: smfi_opensocket() failed
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31161]: Starting OpenDMARC Milter: opendmarc: smfi_opensocket() failed
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31161]: [FAILED]
Also found this. opendmarc.conf has an IgnoreHosts setting which works precisely like opendkim's TrustedHosts setting - you specify a file containing a list of IPs, IP ranges and/or domains whose mail you want to 'trust' (i.e. not run a DMARC check for). If I create /etc/opendmarc/IgnoreHosts , make it owned by opendmarc.opendmarc, and add:

IgnoreHosts /etc/opendmarc/IgnoreHosts

to /etc/opendmarc.conf , then the service fails to start with an AVC:

[64911.109988] type=1400 audit(1382571679.326:491): avc: denied { dac_override } for pid=13650 comm="opendmarc" capability=1 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
[64911.109994] type=1400 audit(1382571679.326:492): avc: denied { dac_read_search } for pid=13650 comm="opendmarc" capability=2 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability

audit2allow suggests:

#============= dkim_milter_t ==============
allow dkim_milter_t self:capability { dac_read_search dac_override };

but I'm not sure that's a correct solution.
avc: denied { name_bind } for pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

has been added.

commit 5ae73645e46927969192ef6987c970e2782d4a4b
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 23 10:26:30 2013 +0200

    Add tcp/8893 as milter port
Lukas, could you back port it.
(In reply to Adam Williamson from comment #1)
> Also found this. opendmarc.conf has a IgnoreHosts setting which works precisely like opendkim's TrustedHosts setting - you specify a file containing a list of IPs, IP ranges and/or domains whose mail you want to 'trust' (i.e. not run a DMARC check for). If I create /etc/opendmarc/IgnoreHosts , make it owned by opendmarc.opendmarc, and add:
>
> IgnoreHosts /etc/opendmarc/IgnoreHosts
>
> to /etc/opendmarc.conf , then the service fails to start with an AVC:
>
> [64911.109988] type=1400 audit(1382571679.326:491): avc: denied { dac_override } for pid=13650 comm="opendmarc" capability=1 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
> [64911.109994] type=1400 audit(1382571679.326:492): avc: denied { dac_read_search } for pid=13650 comm="opendmarc" capability=2 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
>
> audit2allow suggests:
>
> #============= dkim_milter_t ==============
> allow dkim_milter_t self:capability { dac_read_search dac_override };
>
> but I'm not sure that's a correct solution.

I don't see UID info from AVC msg. Could you paste full info. Basically I believe it runs as root.
back ported.
mgrepl: According to ps, it's running as 'opendmarc':

[adamw@mail ~]$ ps aux | grep dmarc
opendma+ 13675  0.0  0.0 185072   936 ?  Ssl  Oct23   0:00 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid

I don't see any other AVC stuff besides the two lines I quoted, from dmesg or journalctl:

Oct 23 16:41:19 mail.happyassassin.net sudo[13645]: adamw : TTY=pts/1 ; PWD=/etc/opendmarc ; USER=root ; COMMAND=/usr/bin/systemctl restart opendmarc.service
Oct 23 16:41:19 mail.happyassassin.net systemd[1]: Starting LSB: Start and stop OpenDMARC...
Oct 23 16:41:19 mail.happyassassin.net kernel: type=1400 audit(1382571679.326:491): avc: denied { dac_override } for pid=13650 comm="opendmarc" capability=1 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
Oct 23 16:41:19 mail.happyassassin.net kernel: type=1400 audit(1382571679.326:492): avc: denied { dac_read_search } for pid=13650 comm="opendmarc" capability=2 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
Oct 23 16:41:19 mail.happyassassin.net opendmarc[13648]: Starting OpenDMARC Milter: opendmarc: can't load ignore list from /etc/opendmarc/IgnoreHosts: Permission denied
Oct 23 16:41:19 mail.happyassassin.net opendmarc[13648]: [FAILED]
Oct 23 16:41:19 mail.happyassassin.net systemd[1]: opendmarc.service: control process exited, code=exited status=1
lukas: I believe it's planned to build OpenDMARC for EL6 and F18+, so we'd need the fix in selinux policy for all those releases - thanks!
Adam, could you turn on full auditing?

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

and re-test. Thank you.

The port fix has also been added to EL6.
Back ported also to F18.
What is the status of this issue?
The issue I reported with IgnoreHosts is still valid. I forgot about mgrepl's request, finally did it now. Here's what I get:

type=DAEMON_START msg=audit(1402957701.257:2684): auditd start, ver=2.3.6 format=raw kernel=3.14.5-100.fc19.x86_64 auid=4294967295 pid=14100 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1402957723.950:5076): avc: denied { dac_override } for pid=14115 comm="opendmarc" capability=1 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1402957723.950:5076): avc: denied { dac_read_search } for pid=14115 comm="opendmarc" capability=2 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1402957723.950:5076): arch=c000003e syscall=2 success=no exit=-13 a0=ce02f0 a1=0 a2=1b6 a3=0 items=1 ppid=14114 pid=14115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=CWD msg=audit(1402957723.950:5076): cwd="/"
type=PATH msg=audit(1402957723.950:5076): item=0 name="/etc/opendmarc/IgnoreHosts" inode=667266 dev=fc:03 mode=0100640 ouid=494 ogid=493 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
type=SERVICE_START msg=audit(1402957723.960:5077): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="opendmarc" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

This may also be useful:

[root@mail adamw]# ls -lZ /etc/opendmarc/IgnoreHosts
-rw-r-----. opendmarc opendmarc unconfined_u:object_r:etc_t:s0 /etc/opendmarc/IgnoreHosts
If you change the permissions to 644 or group to root, this AVC will go away.
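The full audit event two comments up shows why the two capability AVCs appear and why the permission change above makes them disappear: the SYSCALL record has opendmarc opening the file with uid=0/fsuid=0 (it reads its config before dropping to the opendmarc user that ps shows later), while the PATH record shows IgnoreHosts as mode 0640 owned by 494:493. Plain Unix DAC refuses root that read, so the kernel falls back to CAP_DAC_OVERRIDE (and CAP_DAC_READ_SEARCH), and SELinux then asks whether dkim_milter_t may use those capabilities, which it may not. The following Python script is an added example, not code from this bug or from the opendmarc or selinux-policy projects: it parses audit records, groups them by serial, runs the DAC check the kernel ran, and reports whether either fix proposed above (mode 644, or group root) would avoid the capability path. The sample log is constructed from the records quoted in this bug; the name_bind record from the first comment is included to show the port case is classified separately.

```python
"""Explain SELinux capability and name_bind denials from raw audit records."""
import re
import stat
from collections import defaultdict

# Constructed sample: records copied from the bug's comments, trimmed to what the
# analysis needs (DAC event 5076 and the earlier name_bind event 12314).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1402957723.950:5076): avc: denied { dac_override } for pid=14115 comm="opendmarc" capability=1 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1402957723.950:5076): avc: denied { dac_read_search } for pid=14115 comm="opendmarc" capability=2 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1402957723.950:5076): arch=c000003e syscall=2 success=no exit=-13 a0=ce02f0 a1=0 a2=1b6 a3=0 items=1 ppid=14114 pid=14115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=CWD msg=audit(1402957723.950:5076): cwd="/"
type=PATH msg=audit(1402957723.950:5076): item=0 name="/etc/opendmarc/IgnoreHosts" inode=667266 dev=fc:03 mode=0100640 ouid=494 ogid=493 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
type=AVC msg=audit(1382505405.071:12314): avc: denied { name_bind } for pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERM_RE = re.compile(r'denied \{ ([^}]+) \}')    # the { perm perm ... } set of an AVC
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')


def parse_record(line):
    """One audit line -> dict of fields; AVC permissions land in 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERM_RE.search(line)
    if m:
        rec['perms'] = m.group(1).split()
    rec['serial'] = SERIAL_RE.search(line).group(1)
    return rec


def group_events(text):
    """Records sharing an audit serial belong to one event (AVC + SYSCALL + PATH ...)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['serial']].append(rec)
    return events


def dac_allows_read(mode_bits, ouid, ogid, fsuid, fsgid):
    """Classic DAC read check: owner bits if uid matches, else group, else other."""
    if fsuid == ouid:
        return bool(mode_bits & stat.S_IRUSR)
    if fsgid == ogid:
        return bool(mode_bits & stat.S_IRGRP)
    return bool(mode_bits & stat.S_IROTH)


def explain_event(records):
    """Classify an event: a port label problem, or a DAC miss that escalated to a capability check."""
    avcs = [r for r in records if r.get('type') == 'AVC']
    domain = avcs[0]['scontext'].split(':')[2]
    if avcs[0]['tclass'] == 'tcp_socket' and 'name_bind' in avcs[0]['perms']:
        return {'kind': 'port', 'domain': domain, 'port': int(avcs[0]['src']),
                'port_type': avcs[0]['tcontext'].split(':')[2]}
    sysc = next(r for r in records if r['type'] == 'SYSCALL')
    path = next(r for r in records if r['type'] == 'PATH')
    mode_bits = stat.S_IMODE(int(path['mode'], 8))
    fsuid, fsgid = int(sysc['fsuid']), int(sysc['fsgid'])
    ouid, ogid = int(path['ouid']), int(path['ogid'])
    allowed = dac_allows_read(mode_bits, ouid, ogid, fsuid, fsgid)
    return {
        'kind': 'dac', 'domain': domain, 'path': path['name'], 'mode': oct(mode_bits),
        'fsuid': fsuid, 'fsgid': fsgid, 'ouid': ouid, 'ogid': ogid,
        'perms': sorted(p for a in avcs for p in a['perms']),
        # root only reaches the CAP_DAC_* check when the mode bits themselves said no
        'needs_dac_override': fsuid == 0 and not allowed,
        # the two remedies suggested in the bug: chmod 644, or chgrp to the caller's group
        'fix_world_readable': dac_allows_read(mode_bits | stat.S_IROTH, ouid, ogid, fsuid, fsgid),
        'fix_group_to_fsgid': dac_allows_read(mode_bits, ouid, fsgid, fsuid, fsgid),
    }


def analyze(text):
    """Serial -> explanation for every event in an audit log excerpt."""
    return {serial: explain_event(recs) for serial, recs in group_events(text).items()}


if __name__ == '__main__':
    for serial, verdict in analyze(SAMPLE_AUDIT).items():
        print(serial, verdict)
```

Either fix keeps the dac_override/dac_read_search rule out of the policy, which is the right outcome: granting those capabilities to dkim_milter_t would let the confined domain read any file regardless of mode bits, far more than a milter config file needs. The port event is reported separately because its remedy is a port label, as the policy commit quoted earlier did for tcp/8893.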
Adam, I'll add /etc/opendmarc to the list of directories owned by the opendmarc package. How does this look?

drwxr-xr-x 2 opendmaropendmar     0 Oct  1 09:16 /etc/opendmarc
-rw-r--r-- 1 root     root     12336 Oct  1 09:16 /etc/opendmarc.conf
I'm unclear on the rationale for one being owned by opendmarc and the other being owned by root, but I guess it looks OK? Sorry, I've sort of lost track of this issue, been focusing on other things lately.
Well, I think it makes sense to close this report at this point, the requested change was made some time ago and the follow-up was something else.