Bug 1022349 - Allow opendmarc to bind to a port
Allow opendmarc to bind to a port
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: opendkim
Version: 19
Hardware: All
OS: All
Priority: unspecified
Severity: high
Assigned To: Steve Jenkins
QA Contact: Fedora Extras Quality Assurance
Blocks: 905304
Reported: 2013-10-23 02:23 EDT by Adam Williamson
Modified: 2015-01-08 15:55 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-01-08 15:55:29 EST
Type: Bug
Description Adam Williamson 2013-10-23 02:23:34 EDT
https://bugzilla.redhat.com/show_bug.cgi?id=905304#c41

OpenDMARC is being added to Fedora; in testing it, I found selinux-policy-targeted blocks it from binding to a port, which it needs to do. By default it's configured to bind to port 8893.

Oct 22 22:16:45 mail.happyassassin.net kernel: type=1400 audit(1382505405.071:12314): avc:  denied  { name_bind } for  pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: OpenDMARC Filter: Unable to bind to port inet:8893@localhost: Permission denied
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: OpenDMARC Filter: Unable to create listening socket on conn inet:8893@localhost
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31163]: smfi_opensocket() failed
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31161]: Starting OpenDMARC Milter: opendmarc: smfi_opensocket() failed
Oct 22 22:16:45 mail.happyassassin.net opendmarc[31161]: [FAILED]
Comment 1 Adam Williamson 2013-10-23 19:47:12 EDT
Also found this. opendmarc.conf has an IgnoreHosts setting which works precisely like opendkim's TrustedHosts setting - you specify a file containing a list of IPs, IP ranges and/or domains whose mail you want to 'trust' (i.e. not run a DMARC check for). If I create /etc/opendmarc/IgnoreHosts , make it owned by opendmarc.opendmarc, and add:

IgnoreHosts /etc/opendmarc/IgnoreHosts

to /etc/opendmarc.conf , then the service fails to start with an AVC:

[64911.109988] type=1400 audit(1382571679.326:491): avc:  denied  { dac_override } for  pid=13650 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
[64911.109994] type=1400 audit(1382571679.326:492): avc:  denied  { dac_read_search } for  pid=13650 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability

audit2allow suggests:

#============= dkim_milter_t ==============
allow dkim_milter_t self:capability { dac_read_search dac_override };

but I'm not sure that's a correct solution.
Comment 2 Miroslav Grepl 2013-10-24 08:45:03 EDT
avc:  denied  { name_bind } for  pid=31163 comm="opendmarc" src=8893 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

has been added.

commit 5ae73645e46927969192ef6987c970e2782d4a4b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Oct 23 10:26:30 2013 +0200

    Add tcp/8893 as milter port
Comment 3 Miroslav Grepl 2013-10-24 08:45:33 EDT
Lukas, could you backport it?
Comment 4 Miroslav Grepl 2013-10-24 08:48:11 EDT
(In reply to Adam Williamson from comment #1)
> Also found this. opendmarc.conf has an IgnoreHosts setting which works
> precisely like opendkim's TrustedHosts setting - you specify a file
> containing a list of IPs, IP ranges and/or domains whose mail you want to
> 'trust' (i.e. not run a DMARC check for). If I create
> /etc/opendmarc/IgnoreHosts , make it owned by opendmarc.opendmarc, and add:
> 
> IgnoreHosts /etc/opendmarc/IgnoreHosts
> 
> to /etc/opendmarc.conf , then the service fails to start with an AVC:
> 
> [64911.109988] type=1400 audit(1382571679.326:491): avc:  denied  {
> dac_override } for  pid=13650 comm="opendmarc" capability=1 
> scontext=system_u:system_r:dkim_milter_t:s0
> tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
> [64911.109994] type=1400 audit(1382571679.326:492): avc:  denied  {
> dac_read_search } for  pid=13650 comm="opendmarc" capability=2 
> scontext=system_u:system_r:dkim_milter_t:s0
> tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
> 
> audit2allow suggests:
> 
> #============= dkim_milter_t ==============
> allow dkim_milter_t self:capability { dac_read_search dac_override };
> 
> but I'm not sure that's a correct solution.

I don't see UID info in the AVC msg. Could you paste the full info? Basically I believe it runs as root.
Comment 5 Lukas Vrabec 2013-10-24 10:09:40 EDT
Backported.
Comment 6 Adam Williamson 2013-10-24 14:33:30 EDT
mgrepl: According to ps, it's running as 'opendmarc':

[adamw@mail ~]$ ps aux | grep dmarc
opendma+ 13675  0.0  0.0 185072   936 ?        Ssl  Oct23   0:00 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid

I don't see any other AVC stuff besides the two lines I quoted, from dmesg or journalctl:

Oct 23 16:41:19 mail.happyassassin.net sudo[13645]: adamw : TTY=pts/1 ; PWD=/etc/opendmarc ; USER=root ; COMMAND=/usr/bin/systemctl restart opendmarc.service
Oct 23 16:41:19 mail.happyassassin.net systemd[1]: Starting LSB: Start and stop OpenDMARC...
Oct 23 16:41:19 mail.happyassassin.net kernel: type=1400 audit(1382571679.326:491): avc:  denied  { dac_override } for  pid=13650 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
Oct 23 16:41:19 mail.happyassassin.net kernel: type=1400 audit(1382571679.326:492): avc:  denied  { dac_read_search } for  pid=13650 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
Oct 23 16:41:19 mail.happyassassin.net opendmarc[13648]: Starting OpenDMARC Milter: opendmarc: can't load ignore list from /etc/opendmarc/IgnoreHosts: Permission denied
Oct 23 16:41:19 mail.happyassassin.net opendmarc[13648]: [FAILED]
Oct 23 16:41:19 mail.happyassassin.net systemd[1]: opendmarc.service: control process exited, code=exited status=1
Comment 7 Adam Williamson 2013-10-24 14:35:01 EDT
lukas: I believe it's planned to build OpenDMARC for EL6 and F18+, so we'd need the fix in selinux policy for all those releases - thanks!
Comment 8 Miroslav Grepl 2013-10-25 02:38:20 EDT
Adam,
could you turn on full auditing?

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart

and re-test. Thank you.

The port fix has been also added to EL6.
Comment 9 Lukas Vrabec 2013-10-25 04:18:25 EDT
Backported also to F18.
Comment 10 Derek Atkins 2013-12-09 10:48:01 EST
What is the status of this issue?
Comment 11 Adam Williamson 2014-06-16 18:31:22 EDT
The issue I reported with IgnoreHosts is still valid. I forgot about mgrepl's request, finally did it now. Here's what I get:

type=DAEMON_START msg=audit(1402957701.257:2684): auditd start, ver=2.3.6 format=raw kernel=3.14.5-100.fc19.x86_64 auid=4294967295 pid=14100 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_override } for  pid=14115 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_read_search } for  pid=14115 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1402957723.950:5076): arch=c000003e syscall=2 success=no exit=-13 a0=ce02f0 a1=0 a2=1b6 a3=0 items=1 ppid=14114 pid=14115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=CWD msg=audit(1402957723.950:5076):  cwd="/"
type=PATH msg=audit(1402957723.950:5076): item=0 name="/etc/opendmarc/IgnoreHosts" inode=667266 dev=fc:03 mode=0100640 ouid=494 ogid=493 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
type=SERVICE_START msg=audit(1402957723.960:5077): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="opendmarc" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

This may also be useful:

[root@mail adamw]# ls -lZ /etc/opendmarc/IgnoreHosts 
-rw-r-----. opendmarc opendmarc unconfined_u:object_r:etc_t:s0   /etc/opendmarc/IgnoreHosts
Comment 12 Daniel Walsh 2014-06-17 16:49:33 EDT
If you change the permissions to 644 or group to root, this AVC will go away.
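The records in comment 11 and the fix in comment 12 point at a plain DAC mismatch: the daemon opens the file as uid 0 before it drops privileges, the file is 0640 and owned by opendmarc:opendmarc, so root is neither owner nor group member and the kernel asks for CAP_DAC_OVERRIDE, which the dkim_milter_t policy denies. The following triage script is an added example (not from the bug or the opendmarc project) that correlates constructed AVC/SYSCALL/PATH lines modelled on comment 11 by serial number and reports whether an ownership or mode change, rather than a new capability rule, removes the denial; it approximates group membership by fsgid == ogid because supplementary groups are not in the audit record.

```python
import re

# Constructed sample modelled on the audit records quoted in comment 11:
# the AVC, SYSCALL and PATH records of one event share the serial 5076.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_override } for  pid=14115 comm="opendmarc" capability=1  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1402957723.950:5076): avc:  denied  { dac_read_search } for  pid=14115 comm="opendmarc" capability=2  scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1402957723.950:5076): arch=c000003e syscall=2 success=no exit=-13 a0=ce02f0 a1=0 a2=1b6 a3=0 items=1 ppid=14114 pid=14115 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PATH msg=audit(1402957723.950:5076): item=0 name="/etc/opendmarc/IgnoreHosts" inode=667266 dev=fc:03 mode=0100640 ouid=494 ogid=493 rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_records(text):
    """Group audit records by serial; collect AVC permissions and SYSCALL/PATH fields."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"perms": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields["type"] == "AVC":
            ev["perms"] += re.search(r"\{ ([^}]+) \}", line).group(1).split()
        else:
            ev[fields["type"]] = fields  # SYSCALL, PATH, CWD, ...
    return events

def explain_dac_denial(ev):
    """Return (capability_needed, advice) for a dac_override/dac_read_search event."""
    sc, path = ev.get("SYSCALL"), ev.get("PATH")
    if not sc or not path or not {"dac_override", "dac_read_search"} & set(ev["perms"]):
        return False, "not a DAC-override denial with SYSCALL and PATH context"
    fsuid, fsgid = int(sc["fsuid"]), int(sc["fsgid"])
    ouid, ogid, mode = int(path["ouid"]), int(path["ogid"]), int(path["mode"], 8)
    # Ordinary DAC read check; supplementary groups are absent from the audit
    # record, so group membership is approximated by fsgid == ogid.
    if fsuid == ouid:
        readable = bool(mode & 0o400)
    elif fsgid == ogid:
        readable = bool(mode & 0o040)
    else:
        readable = bool(mode & 0o004)
    if readable:
        return False, "DAC already permits this access; the denial has another cause"
    return True, (f"uid {fsuid} opened {path['name']} (mode {mode & 0o777:04o}, owner "
                  f"{ouid}:{ogid}) as neither owner nor group member, so CAP_DAC_OVERRIDE "
                  f"was needed; use mode 0644 or group-own the file by gid {fsgid} instead")
```

Run on the sample, the script reports that the 0640 root-opened file needs the capability and that chmod 644 or chgrp root (gid 0) avoids it, matching comment 12.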
Comment 13 Matt Domsch 2014-10-01 10:20:55 EDT
Adam, I'll add /etc/opendmarc to the list of directories owned by the opendmarc package.  How does this look?

drwxr-xr-x    2 opendmaropendmar                    0 Oct  1 09:16 /etc/opendmarc
-rw-r--r--    1 root    root                    12336 Oct  1 09:16 /etc/opendmarc.conf
Comment 14 Adam Williamson 2014-10-15 20:39:35 EDT
I'm unclear on the rationale for one being owned by opendmarc and the other being owned by root, but I guess it looks OK? Sorry, I've sort of lost track of this issue, been focusing on other things lately.
Comment 15 Adam Williamson 2015-01-08 15:55:29 EST
Well, I think it makes sense to close this report at this point; the requested change was made some time ago and the follow-up was something else.
