Bug 1436026 - selinux prevents postfix cleanup from accessing socket based non_smtpd_milters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-26 21:36 UTC by Scott Shambarger
Modified: 2018-09-03 19:15 UTC

Fixed In Version: selinux-policy-3.13.1-260.9.fc26 selinux-policy-3.13.1-260.10.fc26 selinux-policy-3.13.1-260.13.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-17 19:21:15 UTC
Type: Bug
Embargoed:


Description Scott Shambarger 2017-03-26 21:36:03 UTC
Description of problem:
SELinux prevents postfix/cleanup from accessing a non_smtpd_milter socket (or likely any socket based milter).

postfix/smtpd can access smtpd_milters as expected.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-225.11
postfix-3.1.4-1
opendkim-2.11.0-0.1

How reproducible:
Always with opendkim configured to use a local unix socket, and postfix configured with it as a non_smtpd_milter.

Steps to Reproduce:
1. Start opendkim configured with /etc/opendkim.conf:
Socket local:/var/run/opendkim/opendkim.sock

2. Start postfix configured with /etc/postfix/main.cf:
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

3. Use any local mail submission (e.g. sendmail)

Actual results:
Milter fails, from log:
postfix/cleanup[31777]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock

Expected results:
Message is processed by opendkim, adding appropriate headers.

Additional info:

# ls -lZ /var/run/opendkim/opendkim.sock
opendkim opendkim system_u:object_r:dkim_milter_data_t:s0 5 Mar 26 13:14 opendkim.sock

# ausearch -m avc -ts recent
type=AVC msg=audit(1490562286.174:2949): avc:  denied  { write } for  pid=31777 comm="cleanup" name="opendkim.sock" dev="dm-0" ino=1573831 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=sock_file permissive=0

From examining the policy source, postfix.te appears to include:

milter_stream_connect_all(postfix_smtpd_t)

(which works for smtpd_milters), but is missing 

milter_stream_connect_all(postfix_cleanup_t)

(which is used by non_smtpd_milters).

Adding a policy file with the postfix_cleanup_t entry above fixes the problem.
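
Added example, not part of the original report or of selinux-policy: a small Python parser for AVC records like the one quoted above, which reduces each denial to source type, target type, class and permission and renders the raw allow rule it corresponds to. The second record and the names parse_avc and allow_rules are constructed for this illustration.

```python
import re
from collections import defaultdict

# AVC record copied from the bug description above.
PAGE_AVC = (
    'type=AVC msg=audit(1490562286.174:2949): avc:  denied  { write } for  '
    'pid=31777 comm="cleanup" name="opendkim.sock" dev="dm-0" ino=1573831 '
    'scontext=system_u:system_r:postfix_cleanup_t:s0 '
    'tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=sock_file permissive=0'
)
# Constructed record, NOT from the page: a follow-on denial of the kind that only
# shows up once the sock_file write is no longer the first access blocked.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1490562290.001:2950): avc:  denied  { connectto } for  '
    'pid=31777 comm="cleanup" path="/run/opendkim/opendkim.sock" '
    'scontext=system_u:system_r:postfix_cleanup_t:s0 '
    'tcontext=system_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket permissive=1'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    src = rec.get('scontext', '').split(':')
    tgt = rec.get('tcontext', '').split(':')
    if len(src) < 3 or len(tgt) < 3 or 'tclass' not in rec:
        return None
    # A context is user:role:type[:level]; the policy rule is written on the types.
    rec.update(perms=m.group('perms').split(), source_type=src[2], target_type=tgt[2])
    return rec


def allow_rules(lines):
    """Merge denials per (source type, target type, class) into raw allow rules."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_txt};')
    return rules
```

In enforcing mode a denied operation stops there, so later accesses on the same path never reach the log and rules derived from a single record can be incomplete. The fix proposed in the report uses the policy interface milter_stream_connect_all(postfix_cleanup_t) rather than a raw allow rule.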

Comment 1 Fedora Update System 2017-08-14 15:21:02 UTC
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 2 Fedora Update System 2017-08-15 03:50:34 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 3 Scott Shambarger 2017-08-22 11:10:51 UTC
Sorry, moved all my systems to F26, so can't test this.  Bug exists in current version on F26, so updating version (selinux-policy-3.13.1-260.4)

Comment 4 Fedora Update System 2017-08-27 06:21:34 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Scott Shambarger 2017-08-27 09:59:52 UTC
Bug still present in Fedora 26, re-opening for that release.

Comment 6 Fedora Update System 2017-09-01 09:20:51 UTC
selinux-policy-3.13.1-260.8.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fd93b6e5f8

Comment 7 Fedora Update System 2017-09-03 05:23:34 UTC
selinux-policy-3.13.1-260.8.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fd93b6e5f8

Comment 8 Fedora Update System 2017-09-05 00:51:22 UTC
selinux-policy-3.13.1-260.8.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Scott Shambarger 2017-09-08 19:53:32 UTC
Checked on F26, problem still exists with the same error as posted in description.  Re-opening.

Comment 10 Fedora Update System 2017-09-18 10:58:58 UTC
selinux-policy-3.13.1-260.9.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0cf00e6f4e

Comment 11 Fedora Update System 2017-09-19 04:21:50 UTC
selinux-policy-3.13.1-260.9.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0cf00e6f4e

Comment 12 Scott Shambarger 2017-09-19 06:41:31 UTC
The update above does not fix the bug... patch still not applied.

Comment 13 Fedora Update System 2017-09-20 22:54:31 UTC
selinux-policy-3.13.1-260.9.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Scott Shambarger 2017-09-21 01:01:50 UTC
No, as indicated above, this is STILL not fixed!  Re-opening...

Comment 15 Fedora Update System 2017-09-29 12:59:20 UTC
selinux-policy-3.13.1-260.10.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-29d4eac4a8

Comment 16 Scott Shambarger 2017-10-01 07:51:29 UTC
Still not fixed in 260.10.

Comment 17 Fedora Update System 2017-10-01 23:53:18 UTC
selinux-policy-3.13.1-260.10.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-29d4eac4a8

Comment 18 Lukas Vrabec 2017-10-02 09:37:59 UTC
You're right, sorry for that. Fixes pushed to F26 and higher.

commit c74947cf93db39d36399cf44b4228f01e3c8c6da (HEAD -> f26, origin/f26)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 2 11:21:45 2017 +0200

    Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)

Comment 19 Fedora Update System 2017-10-02 16:22:31 UTC
selinux-policy-3.13.1-260.10.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Scott Shambarger 2017-10-02 18:51:29 UTC
Excellent, looks like this will be in the next build?  Setting back to POST as the fix wasn't in the 260.10 policy yet.

Comment 21 Fedora Update System 2017-10-10 11:58:50 UTC
selinux-policy-3.13.1-260.12.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce

Comment 22 Fedora Update System 2017-10-11 02:54:58 UTC
selinux-policy-3.13.1-260.12.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce

Comment 23 Fedora Update System 2017-10-11 20:08:35 UTC
selinux-policy-3.13.1-260.13.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce

Comment 24 Scott Shambarger 2017-10-11 21:11:17 UTC
Appears fixed in 260.13!
Thanks!

Comment 25 Fedora Update System 2017-10-13 04:22:38 UTC
selinux-policy-3.13.1-260.13.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce

Comment 26 Fedora Update System 2017-10-17 19:21:15 UTC
selinux-policy-3.13.1-260.13.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

