Description of problem:
milter unix socket access not allowed

Version-Release number of selected component (if applicable):

How reproducible:
configure a milter

Steps to Reproduce:
1. configure milter
2. test mta
3. denied

Actual results:
denied

Expected results:
allowed

Additional info:
Can be "solved" by changing permissions of /var/run/opendkim to group accessible and executable. Add MTA (sendmail, postfix, ...) to opendkim group.
type=AVC msg=audit(1425186480.418:188189): avc: denied { name_bind } for pid=32275 comm="opendkim" src=5244 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1425186480.418:188189): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=b53fead0 a2=d14954 a3=e items=0 ppid=1 pid=32275 auid=4294967295 uid=496 gid=495 euid=496 suid=496 fsuid=496 egid=495 sgid=495 fsgid=495 tty=(none) ses=4294967295 comm="opendkim" exe="/usr/sbin/opendkim" subj=system_u:system_r:dkim_milter_t:s0 key=(null)

[root@do1 mail]# rpm -q opendkim
opendkim-2.9.0-2.el6.i686
[root@do1 mail]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch
Hi, Matt. Does this need to be addressed in the SELinux policy package, or is it something I should consider trying to solve via the OpenDKIM package? Thx.
Adding Dan. I don't know the right solution. Enabling sebool allow_ypbind is a bad idea. The app here is opening a socket to make outbound DNS requests. I don't know why that wouldn't be allowed in context of dkim_milter_t. So I expect that's an selinux policy issue. It may have been fixed in fedora and not yet backported to RHEL.
@dev002: Can you be more specific about what is "denying" the access to the socket? I don't have enough info to reproduce the issue to fully understand it.
Does not work:

[root@mail log]# ls -l /var/run/ | grep opendkim
drwxr-xr-x 2 opendkim opendkim 80 dic 19 2013 opendkim

For me it works with this:

/usr/bin/chmod 0775 /var/run/opendkim

[root@mail log]# ls -l /var/run/ | grep opendkim
drwxrwxr-x 2 opendkim opendkim 80 mar 5 11:47 opendkim
[root@mail log]# cat /etc/group | grep opendkim
mail:x:12:postfix,opendkim,dovecot,vmail
opendkim:x:989:postfix

I do not remember the issue well. But I think that /var/run/opendkim should be group accessible for all programs that need to read the socket (mail programs).

Regards
@dev002: Can you confirm that your settings in /etc/opendkim.conf are:

UserID opendkim:opendkim
Umask 002

Your grep of the group file has me confused, as I don't believe the package adds the postfix user to the opendkim group. Is that something you did manually? And does the problem still persist with the most recent version of the package in the testing repos? It's now at 2.10.1-2.
Adding Adam, as he has a lot of experience with OpenDKIM + SELinux issues and can hopefully add some insight as to whether this is a package issue or a post-install config issue.
(In reply to Steve Jenkins from comment #6)
> @dev002: Can you confirm that your settings in /etc/opendkim.conf are:
>
> UserID opendkim:opendkim
>
> Umask 002

Yes.

> Your grep of the group file has me confused, as I don't believe the package
> adds the postfix user to the opendkim group. Is that something you did
> manually?

Yes.

> And does the problem still persist with the most recent version of the
> package in the testing repos? It's now at 2.10.1-2.

Yes.

[root@mail log]# rpm -q opendkim
opendkim-2.10.1-2.fc20.x86_64
[root@mail log]# ls -l /run/ | grep opendkim
drwxr-xr-x 2 opendkim opendkim 80 mar 10 00:35 opendkim
[root@mail log]# cat /etc/group | grep opendkim
mail:x:12:postfix,opendkim,dovecot,vmail
opendkim:x:493:
[root@mail log]# cat /var/log/maillog | grep "No such"
Mar 10 00:34:37 mail postfix/smtpd[23553]: warning: connect to Milter service unix:/run/opendkim/opendkim.sock: No such file or directory
[root@mail log]# /usr/bin/chmod 0775 /run/opendkim
[root@mail log]# cat /var/log/maillog | grep "denied"
Mar 10 00:46:29 mail postfix/smtpd[25820]: warning: connect to Milter service unix:/run/opendkim/opendkim.sock: Permission denied
[root@mail log]# usermod -G opendkim postfix
[root@mail etc]# systemctl restart postfix
[root@mail etc]# cat /var/log/maillog | grep "opendkim" | grep success
Mar 10 00:48:27 mail opendkim[26437]: 0F760BF61E: DKIM verification successful
Sorry, I got nothin'.
The only problem I'm still seeing is needing to setsebool ypbind true (on EL6), so that opendkim can do outgoing DNS queries. I haven't seen any socket permission failures (though I'm using sendmail, not postfix). If there's a better way to allow outgoing DNS queries, I'm all ears. Thanks, Matt
Matt: I'm using Postfix, and am not seeing socket permission failures, either. The reporter of the bug notes that he took manual steps to include the postfix user in the opendkim group (which is not the package's default behavior... and probably shouldn't be, since it can't be sure which MTA the installer is using). Therefore, I believe his issue is actually a result of the user's group add, rather than a bug in the package itself. This isn't me trying to get out of fixing something (because I never mind that), I just don't think this behavior should be classified as "broken." If a user wants to go beyond the default behavior of the package by adding their MTA user to the opendkim group, it stands to reason that they can also go one step further to change the permission of /var/run/opendkim to group accessible and executable if they desire (which is how he worked around it in this case). That said, I'm floating the idea of simply allowing /var/run/opendkim to be group executable to allow for this type of modification. If nobody here (or there) sees any security or performance problem with it, then I suppose it won't hurt to make that the default for the package.
Hmm... looking back through this, the default permissions and ownership of /var/run/opendkim is 0755 and owned by opendkim:opendkim. I'm not sure why the MTA user needs write access to that directory. I suspect this could potentially be a configuration problem with the user's Postfix configuration (main.conf) rather than an issue with the package. That said, the line in the spec file that creates the directory is:

%dir %attr(-,%{name},%{name}) %{_localstatedir}/run/%{name}

Not really sure what damage it will do to change that to:

%dir %attr(0775,%{name},%{name}) %{_localstatedir}/run/%{name}

to be "ready" for anyone else who wants to configure like this.
opendkim-2.10.1-7.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.fc21
opendkim-2.10.1-7.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.el7
opendkim-2.10.1-7.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.fc22
opendkim-2.10.1-7.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.fc20
opendkim-2.10.1-7.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.el6
opendkim-2.10.1-7.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.el5
opendkim-2.10.1-8.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.fc21
opendkim-2.10.1-8.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.el6
opendkim-2.10.1-8.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.fc22
opendkim-2.10.1-8.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.fc20
opendkim-2.10.1-8.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.el7
opendkim-2.10.1-8.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.el5
Package opendkim-2.10.1-7.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing opendkim-2.10.1-7.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5000/opendkim-2.10.1-7.fc21
then log in and leave karma (feedback).
opendkim-2.10.1-9.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.fc21
opendkim-2.10.1-9.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.fc20
opendkim-2.10.1-9.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.fc22
opendkim-2.10.1-9.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.el6
opendkim-2.10.1-9.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.el5
opendkim-2.10.1-9.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.el7
opendkim-2.10.1-10.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.fc21
opendkim-2.10.1-10.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.el6
opendkim-2.10.1-10.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.fc22
opendkim-2.10.1-10.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.el7
opendkim-2.10.1-10.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.fc20
opendkim-2.10.1-10.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.el5
opendkim-2.10.1-12.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.fc21
opendkim-2.10.1-12.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.el5
opendkim-2.10.1-12.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.fc20
opendkim-2.10.1-12.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.el6
opendkim-2.10.1-12.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.fc22
opendkim-2.10.1-12.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.el7
Package opendkim-2.10.1-12.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing opendkim-2.10.1-12.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5714/opendkim-2.10.1-12.fc20
then log in and leave karma (feedback).
opendkim-2.10.1-12.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-12.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-13.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.fc21
opendkim-2.10.1-13.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.el5
opendkim-2.10.1-13.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.el6
opendkim-2.10.1-13.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.fc22
opendkim-2.10.1-13.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.el7
opendkim-2.10.1-13.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.fc20
opendkim-2.10.1-13.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-13.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-13.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-13.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
opendkim-2.10.1-13.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
The permission on /var/run/opendkim directory keeps being reset. To fix this, it is necessary to make changes also in /etc/tmpfiles.d/opendkim.conf file.
(In reply to Štefan Gurský from comment #59)
> The permission on /var/run/opendkim directory keeps being reset. To fix
> this, it is necessary to make changes also in /etc/tmpfiles.d/opendkim.conf
> file.

It's true. My /etc/tmpfiles.d/opendkim.conf file looks like:

D /var/run/opendkim 0770 opendkim mail -
> The permission on /var/run/opendkim directory keeps being reset. To fix
> this, it is necessary to make changes also in /etc/tmpfiles.d/opendkim.conf
> file.

I just got bitten by this issue using opendkim-2.11.0-0.1.el7.x86_64 on CentOS 7.3. I've created a new bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1744391
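The chmod/usermod sequence in comment #8, the 0755 vs 0775 question in comment #12, and the tmpfiles.d lines in the last two comments all come down to the same POSIX rule from unix(7): connect() on a pathname socket needs search (x) permission on every directory in the path and write (w) permission on the socket file itself. The following added example (not code from this bug or from OpenDKIM) models that check against a tmpfiles.d(5) line, with the socket created the way a daemon running as opendkim:opendkim with Umask 002 would create it. The uids, gids and directory layout are constructed; the assumption that the socket gets the creator's group unless the directory is setgid is standard Linux behaviour.

```python
"""Model whether an MTA user can connect() to a milter's unix socket,
given the tmpfiles.d line that recreates the socket directory at boot.
Added example, not code from the bug report or OpenDKIM; ids are constructed."""
import os
import stat
from dataclasses import dataclass

# Constructed ids; real values come from /etc/passwd and /etc/group.
OPENDKIM_UID = 493
OPENDKIM_GID = 493
POSTFIX_UID = 89
POSTFIX_GID = 89
MAIL_GID = 12
NAMES = {"root": 0, "opendkim": OPENDKIM_UID, "mail": MAIL_GID, "postfix": POSTFIX_UID}


@dataclass
class Node:
    path: str
    mode: int      # permission bits including setgid, e.g. 0o2770
    uid: int
    gid: int


def _allowed(node, uid, gids, perm):
    """POSIX class selection: owner bits if uid matches, else group bits if
    any of the caller's groups match, else 'other' bits.
    perm is 4 (read), 2 (write) or 1 (execute/search)."""
    if uid == node.uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & perm)


def can_connect(chain, uid, gids):
    """chain: directories top-down, socket file last.  unix(7): connecting
    requires write permission on the socket and search permission on every
    directory leading to it.  Returns (ok, reason)."""
    *dirs, sock = chain
    for d in dirs:
        if not _allowed(d, uid, gids, 1):
            return False, f"no search permission on {d.path}"
    if not _allowed(sock, uid, gids, 2):
        return False, f"no write permission on {sock.path}"
    return True, "ok"


def new_socket(parent, name, uid, gid, umask):
    """Socket the daemon binds inside parent: mode 0777 & ~umask; the group
    is the creator's unless the parent directory is setgid."""
    sgid = parent.gid if parent.mode & stat.S_ISGID else gid
    return Node(f"{parent.path}/{name}", 0o777 & ~umask, uid, sgid)


def parse_tmpfiles_line(line):
    """Parse one tmpfiles.d(5) entry: Type Path Mode User Group Age."""
    typ, path, mode, user, group, *rest = line.split()
    return {"type": typ, "path": path, "mode": int(mode, 8),
            "uid": NAMES[user], "gid": NAMES[group],
            "age": rest[0] if rest else "-"}


def scenario(tmpfiles_line, mta_gids, umask=0o002):
    """Build parent dir -> socket dir -> socket from a tmpfiles.d line and
    test whether the postfix user (with the given groups) can connect."""
    ent = parse_tmpfiles_line(tmpfiles_line)
    top = Node(os.path.dirname(ent["path"]), 0o755, 0, 0)
    sockdir = Node(ent["path"], ent["mode"], ent["uid"], ent["gid"])
    sock = new_socket(sockdir, "opendkim.sock", OPENDKIM_UID, OPENDKIM_GID, umask)
    return can_connect([top, sockdir, sock], POSTFIX_UID, mta_gids)


if __name__ == "__main__":
    cases = [
        # package default dir, postfix not in the opendkim group
        ("d /run/opendkim 0755 opendkim opendkim -", {POSTFIX_GID, MAIL_GID}),
        # same dir, postfix added to the opendkim group
        ("d /run/opendkim 0755 opendkim opendkim -", {POSTFIX_GID, MAIL_GID, OPENDKIM_GID}),
        # dir group mail, but the socket is still created group opendkim
        ("D /var/run/opendkim 0770 opendkim mail -", {POSTFIX_GID, MAIL_GID}),
        # setgid dir: the socket inherits group mail
        ("D /var/run/opendkim 2770 opendkim mail -", {POSTFIX_GID, MAIL_GID}),
    ]
    for line, gids in cases:
        print(f"{line!r:48} groups={sorted(gids)} -> {scenario(line, gids)}")
```

Two things the model makes visible. First, with the package default (0755, socket 0775 under Umask 002) the MTA already has search permission on the directory; what it lacks is write permission on the socket, which is why the group add in comment #8 is what turned "Permission denied" into a working milter, not the chmod. Second, `usermod -G opendkim postfix` without `-a` replaces the user's supplementary group list, so that exact command drops postfix out of the mail group it was shown in; `usermod -aG opendkim postfix` is the form that preserves existing groups. A "No such file or directory" from a chrooted Postfix smtpd is a separate check: unix: paths are then resolved inside the chroot, not against /run.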