Description of problem: SELinux prevents Postfix from accessing the OpenDKIM UNIX socket when it is specified under non_smtpd_milters. Version-Release number of selected component (if applicable): selinux-policy-3.13.1-166.el7_4.9 postfix-2:2.10.1-6.el7 opendkim-2.11.0-0.1.el7 How reproducible: Always, when OpenDKIM is configured to use a local UNIX socket and Postfix is configured to use it with non_smtpd_milters. Steps to Reproduce: 1. Configure OpenDKIM to use a socket at /var/run/opendkim/opendkim.sock 2. Add the socket to Postfix using non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock 3. Restart Postfix and try to send mail Actual results: OpenDKIM milter rejects mail with "postfix/cleanup[1612]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: Permission denied" Expected results: OpenDKIM milter should accept and process mail Additional info: Entries in audit.log confirm that SELinux is preventing access to the socket. Identical bug is shown here as fixed in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1436026. Using audit2allow to generate a custom policy addition solves the error.
Please collect SELinux denials and attach them here: # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
I'm sorry, they are already present in BZ#1436026.
Here it is just in case: type=AVC msg=audit(03/28/2018 11:22:33.110:2352) : avc: denied { connectto } for pid=32428 comm=cleanup path=/run/opendkim/opendkim.sock scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111