Description of problem:
SELinux is preventing opendkim from execute access on the file /usr/bin/bash.

Additional Information:
Source Context                system_u:system_r:dkim_milter_t:SystemLow
Target Context                system_u:object_r:shell_exec_t:SystemLow
Target Objects                /usr/bin/bash [ file ]
Source                        opendkim
Source Path                   opendkim
Port                          <Unknown>
Host                          mimmi
Source RPM Packages
Target RPM Packages           bash-4.3.43-4.fc25.x86_64
Policy RPM                    selinux-policy-3.14.3-38.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mimmi
Platform                      Linux mimmi 5.0.13-300.fc30.x86_64 #1 SMP Mon May 6 00:39:45 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-06-04 11:00:02 CEST
Last Seen                     2019-06-04 11:00:02 CEST
Local ID                      dc7f0947-0fe1-4cec-8033-f30b85348ef0

Raw Audit Messages
type=AVC msg=audit(1559638802.661:1750): avc: denied { execute } for pid=9699 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-38.fc30.noarch
opendkim-2.11.0-0.8.fc30.x86_64

How reproducible:
Happened once so far, but I have only been running opendkim for a while, so I don't know how often it happens.
Additional info:
Journal entries from the time this happened:

jun 04 11:00:02 mimmi sendmail[9697]: STARTTLS=server, relay=bob.bthstudent.se [193.11.190.196], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
jun 04 11:00:02 mimmi sendmail[9697]: x54902wd009697: from=<tp-sv-bounces.se>, size=5654, class=-30, nrcpts=1, msgid=<23798.13066.635806.234189.HOWL>, proto=ESMTPS, daemon=MTA, relay=bob.bthstudent.se [193.11.190.196]
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: bob.bthstudent.se [193.11.190.196] not internal
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: not authenticated
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: external host bob.bthstudent.se attempted to send as uddeborg.se
jun 04 11:00:02 mimmi sendmail[9697]: x54902wd009697: Milter insert (1): header: Authentication-Results: mimmi.uddeborg.se;\n\tdkim=fail reason="signature verification failed" (1024-bit key) header.d=uddeborg.se header.i= header.b="B3TbD9mn"
jun 04 11:00:02 mimmi audit[9699]: AVC avc: denied { execute } for pid=9699 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: popen(): Cannot allocate memory
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: bad signature data
jun 04 11:00:02 mimmi sendmail[9697]: x54902wd009697: Milter insert (1): header: DKIM-Filter: OpenDKIM Filter v2.11.0 mimmi.uddeborg.se x54902wd009697
Hi,

Are you able to reproduce it?

Thanks,
Lukas.
Created attachment 1579919 [details]
AVC:s in permissive mode

Yes! After some failed attempts I've finally managed to reproduce it. It happens when I receive an email with a DKIM signature that is INvalid. It doesn't happen too often, thus a bit hard to find. Anyway, when I found this, I could reproduce it by sending myself an intentionally broken message.

What Opendkim tries to do is to send postmaster a message reporting about the failure. It executes the system call

    execve("/bin/sh", ["sh", "-c", "/usr/sbin/sendmail -t -fpostmaster"], ["LANG=sv_SE.utf8", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin", "HOME=/var/run/opendkim", "LOGNAME=opendkim", "USER=opendkim", "INVOCATION_ID=1173df22a0f6463b8c630ac1ae70a61a", "JOURNAL_STREAM=9:39867", "OPTIONS=-x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid", "DKIM_SELECTOR=default", "DKIM_KEYDIR=/etc/opendkim/keys"] <unfinished ...>

This is the call that fails in enforcing mode. Obviously, it will shortly after that try to exec the sendmail binary too, which would also have failed.

I put my machine in permissive mode, and repeated the experiment. I got the following AVCs in the attached file. I guess not all those should be allowed. My understanding is that dkim_milter_t should be allowed to execute shell_exec_t and sendmail_exec_t, and to transition into the sendmail_t domain. But I'm sure you know this better than I do!
commit 36d8b45d3923aa95555125258ba53e5fb43a376f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jun 14 22:49:53 2019 +0200

    Allow dkim_milter_t to use shell
    BZ(1716937)
So far so good, but that still doesn't allow it to transition into sendmail_t when later executing sendmail, does it?
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
I don't understand why, but I can't see any difference. I have the following installed:

selinux-policy-3.14.3-39.fc30.noarch
selinux-policy-targeted-3.14.3-39.fc30.noarch
selinux-policy-devel-3.14.3-39.fc30.noarch
selinux-policy-sandbox-3.14.3-39.fc30.noarch
selinux-policy-doc-3.14.3-39.fc30.noarch

When I give sendmail a mail with a broken signature, I still get this AVC:

type=AVC msg=audit(1561490481.576:346018): avc: denied { execute } for pid=29243 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
commit 2a22f41f1795f6f53324f330b3632b376c2f1430 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 1 22:02:00 2019 +0200

    Allow dkim_milter_t domain to execute shell
    BZ(17116937)
FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8
With 3.14.3-40.fc30 it gets further. The original AVC is gone now. But opendkim still fails when it tries to execute sendmail in order to actually report the failure. (See comment 2 for what the shell being executed will try to do.)

time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557821): avc: denied { execute } for pid=17358 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557822): avc: denied { getattr } for pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557823): avc: denied { getattr } for pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Not fully resolved yet as indicated above, so I reopen. (Let me know if you prefer a separate bugzilla for the remaining problems.)
commit 9250a22c9745056b5175bcdc0edef65662a61b77 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 16 22:23:20 2019 +0200

    Allow dkim-milter to send e-mails
    BZ(1716937)
FEDORA-2019-b156bd756a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b156bd756a
selinux-policy-3.14.3-41.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b156bd756a
With 3.14.3-41.fc30 I still see the following AVCs. To my eyes, it looks very similar to what it looked like before. (As a consequence, the warning mail is still not sent.)

time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155244): avc: denied { execute } for pid=26909 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155245): avc: denied { getattr } for pid=26909 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155246): avc: denied { getattr } for pid=26909 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
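An added example, not part of this bug thread or of the selinux-policy project: a small Python parser that turns the AVC records quoted above (the shell denial from the description and the sendmail.sendmail denials from the later comments) into the TE allow statements they imply, in the spirit of audit2allow, and lists the *_exec_t targets where a bare execute allow is not the right fix because the child should transition into its own domain (sendmail_t), which is the point the reporter raises. The sample records are copied from the bug; the function names are my own.

```python
import re
from collections import defaultdict

# Sample input copied verbatim from the AVC records quoted in this bug:
# the bash denial from the description and two sendmail.sendmail denials.
AVC_LOG = """\
type=AVC msg=audit(1559638802.661:1750): avc: denied { execute } for pid=9699 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562839059.337:557821): avc: denied { execute } for pid=17358 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562839059.337:557822): avc: denied { getattr } for pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
"""

# Matches both raw audit.log records and the journal's "AVC avc: denied" form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(context):
    """user:role:type:level -> the type field, e.g. dkim_milter_t."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scon"]), context_type(m["tcon"]),
                   m["tclass"], frozenset(m["perms"].split()))

def allow_rules(text):
    """Merge denials per (source, target, class) into TE allow statements."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(merged.items())]

def exec_targets(text):
    """Entry-point types the domain was denied 'execute' on.  A bare allow on
    these keeps the child in the caller's domain; a program like sendmail
    should instead get a domain transition into its own domain."""
    return sorted({tgt for _, tgt, cls, perms in parse_avcs(text)
                   if cls == "file" and "execute" in perms and tgt.endswith("_exec_t")})

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LOG)))
    print("review for domain transition:", ", ".join(exec_targets(AVC_LOG)))
```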
selinux-policy-3.14.3-41.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
As before, reopening since not fully resolved.
Closing again. I reopened since the functionality wasn't there yet. But since this is because of other problems later in the process, I created a separate bug 1757950 to take care of those.