Description of problem:
SELinux prevents postfix/cleanup from accessing a non_smtpd_milter socket (or likely any socket based milter). postfix/smtpd can access smtpd_milters as expected.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-225.11
postfix-3.1.4-1
opendkim-2.11.0-0.1

How reproducible:
Always with opendkim configured to use local unix socket, and postfix configured with it as a non_smtpd_milter.

Steps to Reproduce:
1. Start opendkim configured with /etc/opendkim.conf:
   Socket local:/var/run/opendkim/opendkim.sock
2. Start postfix configured with /etc/postfix/main.cf:
   non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
3. Use any local mail submission (e.g. sendmail)

Actual results:
Milter fails, from log:
   postfix/cleanup[31777]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock

Expected results:
Message is processed by opendkim, adding appropriate headers.

Additional info:
   # ls -lZ /var/run/opendkim/opendkim.sock
   opendkim opendkim system_u:object_r:dkim_milter_data_t:s0 5 Mar 26 13:14 opendkim.sock
   # ausearch -m avc -ts recent
   type=AVC msg=audit(1490562286.174:2949): avc: denied { write } for pid=31777 comm="cleanup" name="opendkim.sock" dev="dm-0" ino=1573831 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=sock_file permissive=0

From examining the policy source, postfix.te appears to include:
   milter_stream_connect_all(postfix_smtpd_t)
(which works for smtpd_milters), but is missing
   milter_stream_connect_all(postfix_cleanup_t)
(which is used by non_smtpd_milters). Adding a policy file with the postfix_cleanup_t entry above fixes the problem.
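Added example, not part of the original report or of the selinux-policy project: a small Python triage script that parses AVC denials such as the one in the description, lists the source domains refused access to a milter socket file, and prints the `milter_stream_connect_all(...)` line the report names as the fix for each. The first sample record is the one from the report; the other records, the function names and the "milter in the type name" filter are assumptions made for illustration.

```python
import re

# First record is the AVC from the bug description; the others are constructed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1490562286.174:2949): avc: denied { write } for pid=31777 comm="cleanup" name="opendkim.sock" dev="dm-0" ino=1573831 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1490562290.001:2950): avc: denied { read } for pid=400 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1490562290.001:2950): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type:level; the level may itself contain ':'.
        fields["source_type"] = fields["scontext"].split(":", 3)[2]
        fields["target_type"] = fields["tcontext"].split(":", 3)[2]
    except (KeyError, IndexError):
        return None
    fields["perms"] = m.group("perms").split()
    return fields


def milter_socket_denials(log_text):
    """Map each denied source domain to the milter socket types it was refused."""
    hits = {}
    for line in log_text.splitlines():
        avc = parse_avc(line)
        # Heuristic (assumption): milter socket types carry "milter" in their name.
        if avc and avc.get("tclass") == "sock_file" and "milter" in avc["target_type"]:
            hits.setdefault(avc["source_type"], set()).add(avc["target_type"])
    return hits


def candidate_policy_lines(log_text):
    """Interface calls to review, using the interface named in the report."""
    return [f"milter_stream_connect_all({d})" for d in sorted(milter_socket_denials(log_text))]


if __name__ == "__main__":
    for line in candidate_policy_lines(SAMPLE_AUDIT_LOG):
        print(line)
```

On a live host the input would be the output of `ausearch -m avc -ts recent`, the command used in the report.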
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
Sorry, moved all my systems to F26, so can't test this. Bug exists in current version on F26, so updating version (selinux-policy-3.13.1-260.4)
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Bug still present in Fedora 26, re-opening for that release.
selinux-policy-3.13.1-260.8.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-fd93b6e5f8
selinux-policy-3.13.1-260.8.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-fd93b6e5f8
selinux-policy-3.13.1-260.8.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Checked on F26, problem still exists with the same error as posted in description. Re-opening.
selinux-policy-3.13.1-260.9.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0cf00e6f4e
selinux-policy-3.13.1-260.9.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0cf00e6f4e
The update above does not fix the bug... patch still not applied.
selinux-policy-3.13.1-260.9.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
No, as indicated above, this is STILL not fixed! Re-opening...
selinux-policy-3.13.1-260.10.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-29d4eac4a8
Still not fixed in 260.10.
selinux-policy-3.13.1-260.10.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-29d4eac4a8
You're right, sorry for that. Fixes pushed to F26 and higher.
commit c74947cf93db39d36399cf44b4228f01e3c8c6da (HEAD -> f26, origin/f26)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 2 11:21:45 2017 +0200
    Allow postfix_cleanup_t domain to stream connect to all milter sockets BZ(1436026)
selinux-policy-3.13.1-260.10.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Excellent, looks like this will be in the next build? Setting back to POST as the fix wasn't in the 260.10 policy yet.
selinux-policy-3.13.1-260.12.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce
selinux-policy-3.13.1-260.12.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce
selinux-policy-3.13.1-260.13.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce
Appears fixed in 260.13! Thanks!
selinux-policy-3.13.1-260.13.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-88b6a06bce
selinux-policy-3.13.1-260.13.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.