Bug 1120080 - milter socket denied
Summary: milter socket denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: opendkim
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Steve Jenkins
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-16 08:47 UTC by la_antorcha_guia
Modified: 2019-08-22 04:54 UTC (History)

Fixed In Version: opendkim-2.10.1-13.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-18 09:32:15 UTC
Type: Bug
Embargoed:



Description la_antorcha_guia 2014-07-16 08:47:01 UTC
Description of problem:
milter unix socket access not allowed

Version-Release number of selected component (if applicable):


How reproducible:
configure a milter

Steps to Reproduce:
1. Configure milter
2. Test MTA
3. Denied

Actual results:
denied

Expected results:
allowed

Additional info:

Can be "solved" by changing permissions of /var/run/opendkim to group accessible and executable. Add the MTA (sendmail, postfix, ...) to the opendkim group.

Comment 1 Matt Domsch 2015-03-01 05:13:27 UTC
type=AVC msg=audit(1425186480.418:188189): avc:  denied  { name_bind } for  pid=32275 comm="opendkim" src=5244 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1425186480.418:188189): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=b53fead0 a2=d14954 a3=e items=0 ppid=1 pid=32275 auid=4294967295 uid=496 gid=495 euid=496 suid=496 fsuid=496 egid=495 sgid=495 fsgid=495 tty=(none) ses=4294967295 comm="opendkim" exe="/usr/sbin/opendkim" subj=system_u:system_r:dkim_milter_t:s0 key=(null)

[root@do1 mail]# rpm -q opendkim
opendkim-2.9.0-2.el6.i686
[root@do1 mail]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

Comment 2 Steve Jenkins 2015-03-04 04:26:20 UTC
Hi, Matt. Does this need to be addressed in the SELinux policy package, or is it something I should consider trying to solve via the OpenDKIM package? Thx.

Comment 3 Matt Domsch 2015-03-04 19:25:49 UTC
Adding Dan.  I don't know the right solution. Enabling sebool allow_ypbind is a bad idea.  The app here is opening a socket to make outbound DNS requests.  I don't know why that wouldn't be allowed in context of dkim_milter_t.  So I expect that's an selinux policy issue.  It may have been fixed in fedora and not yet backported to RHEL.

Comment 4 Steve Jenkins 2015-03-05 04:43:54 UTC
@dev002: Can you be more specific about what is "denying" the access to the socket? I don't have enough info to reproduce the issue to fully understand it.

Comment 5 la_antorcha_guia 2015-03-05 11:09:34 UTC
Does not work:
[root@mail log]# ls -l /var/run/ | grep opendkim
drwxr-xr-x  2 opendkim opendkim   80 dic 19  2013 opendkim

For me it works with this:
/usr/bin/chmod 0775 /var/run/opendkim

[root@mail log]# ls -l /var/run/ | grep opendkim
drwxrwxr-x  2 opendkim opendkim   80 mar  5 11:47 opendkim

[root@mail log]# cat /etc/group | grep opendkim
mail:x:12:postfix,opendkim,dovecot,vmail
opendkim:x:989:postfix


I do not remember the issue well. But I think that /var/run/opendkim should be group accessible for all programs that need to read the socket (mail programs).

Regards,

Comment 6 Steve Jenkins 2015-03-09 15:44:00 UTC
@dev002: Can you confirm that your settings in /etc/opendkim.conf are:

UserID  opendkim:opendkim

Umask   002

Your grep of the group file has me confused, as I don't believe the package adds the postfix user to the opendkim group. Is that something you did manually?

And does the problem still persist with the most recent version of the package in the testing repos? It's now at 2.10.1-2.

Comment 7 Steve Jenkins 2015-03-09 15:47:22 UTC
Adding Adam, as he has a lot of experience with OpenDKIM + SELinux issues and can hopefully add some insight as to whether this is a package issue or a post-install config issue.

Comment 8 la_antorcha_guia 2015-03-10 00:03:40 UTC
(In reply to Steve Jenkins from comment #6)
> @dev002: Can you confirm that your settings in /etc/opendkim.conf are:
> 
> UserID  opendkim:opendkim
> 
> Umask   002
> 

Yes.

> Your grep of the group file has me confused, as I don't believe the package
> adds the postfix user to the opendkim group. Is that something you did
> manually?

Yes.

> 
> And does the problem still persist with the most recent version of the
> package in the testing repos? It's now at 2.10.1-2.

Yes.


[root@mail log]# rpm -q opendkim
opendkim-2.10.1-2.fc20.x86_64

[root@mail log]# ls -l /run/ | grep opendkim
drwxr-xr-x  2 opendkim opendkim   80 mar 10 00:35 opendkim

[root@mail log]# cat /etc/group | grep opendkim
mail:x:12:postfix,opendkim,dovecot,vmail
opendkim:x:493:

[root@mail log]# cat /var/log/maillog | grep "No such"
Mar 10 00:34:37 mail postfix/smtpd[23553]: warning: connect to Milter service unix:/run/opendkim/opendkim.sock: No such file or directory

[root@mail log]# /usr/bin/chmod 0775 /run/opendkim

[root@mail log]# cat /var/log/maillog | grep "denied"
Mar 10 00:46:29 mail postfix/smtpd[25820]: warning: connect to Milter service unix:/run/opendkim/opendkim.sock: Permission denied

[root@mail log]# usermod -G opendkim postfix

[root@mail etc]# systemctl restart  postfix

[root@mail etc]# cat /var/log/maillog | grep "opendkim" | grep success
Mar 10 00:48:27 mail opendkim[26437]: 0F760BF61E: DKIM verification successful

Comment 9 Adam Williamson 2015-03-23 20:46:22 UTC
Sorry, I got nothin'.

Comment 10 Matt Domsch 2015-03-24 17:03:23 UTC
The only problem I'm still seeing is needing to setsebool ypbind true (on EL6), so that opendkim can do outgoing DNS queries.  I haven't seen any socket permission failures (though I'm using sendmail, not postfix).

If there's a better way to allow outgoing DNS queries, I'm all ears.

Thanks,
Matt

Comment 11 Steve Jenkins 2015-03-26 22:03:15 UTC
Matt:

I'm using Postfix, and am not seeing socket permission failures, either.

The reporter of the bug notes that he took manual steps to include the postfix user in the opendkim group (which is not the package's default behavior... and probably shouldn't be, since it can't be sure which MTA the installer is using). Therefore, I believe his issue is actually a result of the user's group add, rather than a bug in the package itself.

This isn't me trying to get out of fixing something (because I never mind that), I just don't think this behavior should be classified as "broken."

If a user wants to go beyond the default behavior of the package by adding their MTA user to the opendkim group, it stands to reason that they can also go one step further to change the permission of /var/run/opendkim to group accessible and executable if they desire (which is how he worked around it in this case).

That said, I'm floating the idea of simply allowing /var/run/opendkim to be group executable to allow for this type of modification. If nobody here (or there) sees any security or performance problem with it, then I suppose it won't hurt to make that the default for the package.

Comment 12 Steve Jenkins 2015-03-26 22:17:02 UTC
Hmm... looking back through this, the default permissions and ownership of /var/run/opendkim are 0755 and opendkim:opendkim.

I'm not sure why the MTA user needs write access to that directory.

I suspect this could potentially be a configuration problem with the user's Postfix configuration (main.conf) rather than an issue with the package. 

That said, the line in the spec file that creates the directory is:

%dir %attr(-,%{name},%{name}) %{_localstatedir}/run/%{name}

Not really sure what damage it will do to change that to:

%dir %attr(0775,%{name},%{name}) %{_localstatedir}/run/%{name}

to be "ready" for anyone else who wants to configure it like this.
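As an added diagnostic, not code from the bug thread or the opendkim package: this walks the socket path the way the kernel does for connect() and reports which of the two Postfix warnings quoted in comment 8 a given MTA user would hit, which also answers the question in comment 12, since the MTA needs only traverse (x) permission on /run/opendkim and write permission on the socket file itself. The temp-dir fixture, the simulated MTA uid (any uid other than the owner) and the `base` argument (directories above it are assumed reachable) are constructed assumptions.

```python
import os
import shutil
import socket
import stat
import tempfile


def _permitted(st, uid, gids, user_bit, group_bit, other_bit):
    """Unix DAC check: root bypasses; else owner bit, else group bit, else other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def diagnose(sock_path, uid, gids, base="/"):
    """Return (code, path) for what connect() by user (uid, gids) would hit:
    ENOENT (daemon has not created the socket), EACCES (a directory below
    base is not traversable, or the socket is not writable), or OK."""
    path, current = os.path.abspath(sock_path), os.path.abspath(base)
    for name in os.path.relpath(path, current).split(os.sep)[:-1]:
        current = os.path.join(current, name)
        if not os.path.lexists(current):
            return ("ENOENT", current)
        st = os.stat(current)
        if not _permitted(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return ("EACCES", current)
    if not os.path.lexists(path):
        return ("ENOENT", path)
    st = os.stat(path)
    if not _permitted(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return ("EACCES", path)  # connect() needs write permission on the socket
    return ("OK", path)


def demo():
    # Constructed fixture mimicking /run/opendkim/opendkim.sock under a temp dir.
    root = tempfile.mkdtemp()
    rundir = os.path.join(root, "opendkim")
    sock_path = os.path.join(rundir, "opendkim.sock")
    os.mkdir(rundir)
    os.chmod(rundir, 0o755)  # packaged default: 0755 opendkim:opendkim
    mta_uid, grp = os.getuid() + 1, {os.stat(rundir).st_gid}  # simulated MTA user
    out = {"daemon_not_started": diagnose(sock_path, mta_uid, set(), root)}
    srv = socket.socket(socket.AF_UNIX)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o775)  # what "Umask 002" yields for the socket file
    out["not_in_group"] = diagnose(sock_path, mta_uid, set(), root)
    out["in_group"] = diagnose(sock_path, mta_uid, grp, root)
    os.chmod(rundir, 0o700)  # over-tightened directory: traversal denied
    out["dir_0700"] = diagnose(sock_path, mta_uid, grp, root)
    srv.close()
    shutil.rmtree(root)
    return out
```

On a real host, run `diagnose("/run/opendkim/opendkim.sock", <postfix uid>, <postfix gids>)` as root to get the same classification without restarting the MTA.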

Comment 13 Fedora Update System 2015-03-28 20:49:13 UTC
opendkim-2.10.1-7.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.fc21

Comment 14 Fedora Update System 2015-03-28 20:49:20 UTC
opendkim-2.10.1-7.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.el7

Comment 15 Fedora Update System 2015-03-28 20:50:29 UTC
opendkim-2.10.1-7.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.fc22

Comment 16 Fedora Update System 2015-03-28 20:50:35 UTC
opendkim-2.10.1-7.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.fc20

Comment 17 Fedora Update System 2015-03-28 20:51:45 UTC
opendkim-2.10.1-7.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.el6

Comment 18 Fedora Update System 2015-03-28 20:51:51 UTC
opendkim-2.10.1-7.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-7.el5

Comment 19 Fedora Update System 2015-03-30 02:16:37 UTC
opendkim-2.10.1-8.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.fc21

Comment 20 Fedora Update System 2015-03-30 02:16:44 UTC
opendkim-2.10.1-8.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.el6

Comment 21 Fedora Update System 2015-03-30 02:16:50 UTC
opendkim-2.10.1-8.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.fc22

Comment 22 Fedora Update System 2015-03-30 02:16:57 UTC
opendkim-2.10.1-8.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.fc20

Comment 23 Fedora Update System 2015-03-30 02:17:02 UTC
opendkim-2.10.1-8.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.el7

Comment 24 Fedora Update System 2015-03-30 02:17:08 UTC
opendkim-2.10.1-8.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-8.el5

Comment 25 Fedora Update System 2015-03-30 07:05:29 UTC
Package opendkim-2.10.1-7.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing opendkim-2.10.1-7.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5000/opendkim-2.10.1-7.fc21
then log in and leave karma (feedback).

Comment 26 Fedora Update System 2015-04-02 18:02:16 UTC
opendkim-2.10.1-9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.fc21

Comment 27 Fedora Update System 2015-04-02 18:02:24 UTC
opendkim-2.10.1-9.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.fc20

Comment 28 Fedora Update System 2015-04-02 18:02:31 UTC
opendkim-2.10.1-9.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.fc22

Comment 29 Fedora Update System 2015-04-02 18:02:38 UTC
opendkim-2.10.1-9.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.el6

Comment 30 Fedora Update System 2015-04-02 18:02:46 UTC
opendkim-2.10.1-9.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.el5

Comment 31 Fedora Update System 2015-04-02 18:02:54 UTC
opendkim-2.10.1-9.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-9.el7

Comment 32 Fedora Update System 2015-04-03 23:11:28 UTC
opendkim-2.10.1-10.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.fc21

Comment 33 Fedora Update System 2015-04-03 23:11:38 UTC
opendkim-2.10.1-10.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.el6

Comment 34 Fedora Update System 2015-04-03 23:11:48 UTC
opendkim-2.10.1-10.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.fc22

Comment 35 Fedora Update System 2015-04-03 23:11:57 UTC
opendkim-2.10.1-10.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.el7

Comment 36 Fedora Update System 2015-04-03 23:12:09 UTC
opendkim-2.10.1-10.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.fc20

Comment 37 Fedora Update System 2015-04-03 23:12:19 UTC
opendkim-2.10.1-10.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-10.el5

Comment 38 Fedora Update System 2015-04-07 05:22:00 UTC
opendkim-2.10.1-12.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.fc21

Comment 39 Fedora Update System 2015-04-07 05:22:34 UTC
opendkim-2.10.1-12.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.el5

Comment 40 Fedora Update System 2015-04-07 05:23:01 UTC
opendkim-2.10.1-12.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.fc20

Comment 41 Fedora Update System 2015-04-07 05:23:26 UTC
opendkim-2.10.1-12.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.el6

Comment 42 Fedora Update System 2015-04-07 05:23:52 UTC
opendkim-2.10.1-12.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.fc22

Comment 43 Fedora Update System 2015-04-07 05:24:18 UTC
opendkim-2.10.1-12.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-12.el7

Comment 44 Fedora Update System 2015-04-08 06:57:08 UTC
Package opendkim-2.10.1-12.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing opendkim-2.10.1-12.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5714/opendkim-2.10.1-12.fc20
then log in and leave karma (feedback).

Comment 45 Fedora Update System 2015-04-18 09:32:15 UTC
opendkim-2.10.1-12.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 46 Fedora Update System 2015-04-18 09:45:01 UTC
opendkim-2.10.1-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 47 Fedora Update System 2015-04-20 22:05:58 UTC
opendkim-2.10.1-13.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.fc21

Comment 48 Fedora Update System 2015-04-20 22:06:09 UTC
opendkim-2.10.1-13.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.el5

Comment 49 Fedora Update System 2015-04-20 22:06:19 UTC
opendkim-2.10.1-13.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.el6

Comment 50 Fedora Update System 2015-04-20 22:08:36 UTC
opendkim-2.10.1-13.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.fc22

Comment 51 Fedora Update System 2015-04-20 22:08:44 UTC
opendkim-2.10.1-13.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.el7

Comment 52 Fedora Update System 2015-04-20 22:08:57 UTC
opendkim-2.10.1-13.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/opendkim-2.10.1-13.fc20

Comment 53 Fedora Update System 2015-04-29 13:08:16 UTC
opendkim-2.10.1-13.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 54 Fedora Update System 2015-05-01 16:44:08 UTC
opendkim-2.10.1-13.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 55 Fedora Update System 2015-05-01 16:54:49 UTC
opendkim-2.10.1-13.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 56 Fedora Update System 2015-05-08 16:40:37 UTC
opendkim-2.10.1-13.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 57 Fedora Update System 2015-05-08 16:40:58 UTC
opendkim-2.10.1-13.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 58 Fedora Update System 2015-05-08 16:41:02 UTC
opendkim-2.10.1-13.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 59 Štefan Gurský 2018-12-07 13:37:47 UTC
The permission on /var/run/opendkim directory keeps being reset. To fix this, it is necessary to make changes also in /etc/tmpfiles.d/opendkim.conf file.

Comment 60 la_antorcha_guia 2018-12-07 20:50:09 UTC
(In reply to Štefan Gurský from comment #59)
> The permission on /var/run/opendkim directory keeps being reset. To fix
> this, it is necessary to make changes also in /etc/tmpfiles.d/opendkim.conf
> file.

It's true.
My /etc/tmpfiles.d/opendkim.conf file looks like:

D /var/run/opendkim 0770 opendkim mail -

Comment 61 IanB 2019-08-22 04:54:45 UTC
> The permission on /var/run/opendkim directory keeps being reset. To fix
> this, it is necessary to make changes also in /etc/tmpfiles.d/opendkim.conf
> file.

I just got bitten by this issue using opendkim-2.11.0-0.1.el7.x86_64 on CentOS 7.3.

I've created a new bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1744391

