Description of problem:
After the fix of bug 1757950, opendkim is now able to _execute_ sendmail. But the sendmail process is still not able to deliver any mail.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.4-39.fc31.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Configure sendmail to use opendkim
2. Give it a mail with a broken dkim signature

Actual results:
No warning mail, and two AVCs:
----
time->Sun Nov 10 16:33:26 2019
type=AVC msg=audit(1573400006.845:32261): avc: denied { setrlimit } for pid=212036 comm="sendmail" scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=process permissive=0
----
time->Sun Nov 10 16:33:26 2019
type=AVC msg=audit(1573400006.845:32262): avc: denied { search } for pid=212036 comm="sendmail" name="clientmqueue" dev="dm-0" ino=5193760 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir permissive=0

Additional info:
I notice the sendmail binary has type sendmail_exec_t. Maybe the correct fix here is not to allow those operations, but to allow dkim_milter_t to transition into sendmail_t?
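An added example, not part of the original report or of selinux-policy: a small Python parser that turns the two AVC records quoted above into audit2allow-style candidate rules and reports whether the denials were enforced. The function names are hypothetical, and the output is a list of accesses to review, not the fix that was eventually committed.

```python
import re
from collections import defaultdict

# The two denials quoted in the report (record separators omitted).
SAMPLE = '''\
type=AVC msg=audit(1573400006.845:32261): avc: denied { setrlimit } for pid=212036 comm="sendmail" scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=process permissive=0
type=AVC msg=audit(1573400006.845:32262): avc: denied { search } for pid=212036 comm="sendmail" name="clientmqueue" dev="dm-0" ino=5193760 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir permissive=0
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def setype(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def parse_avcs(text):
    """Yield one dict per AVC denial found in text."""
    for m in AVC_RE.finditer(text):
        yield {'perms': m['perms'].split(), 'tclass': m['tclass'],
               'source': setype(m['scon']), 'target': setype(m['tcon']),
               'enforced': m['permissive'] != '1'}

def candidate_rules(text):
    """Group denials into audit2allow-style allow-rule strings."""
    grouped = defaultdict(set)
    for avc in parse_avcs(text):
        target = 'self' if avc['target'] == avc['source'] else avc['target']
        grouped[(avc['source'], target, avc['tclass'])].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

def may_be_incomplete(text):
    """True if any denial was enforced: the blocked program stopped there,
    so accesses it would have made next were never logged."""
    return any(avc['enforced'] for avc in parse_avcs(text))

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE)))
    print('re-run in permissive mode:', may_be_incomplete(SAMPLE))
```

Both records carry permissive=0, so the list is a lower bound on what sendmail needs when run from dkim_milter_t.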
Hi,
can you put SELinux into permissive mode via
# setenforce 0
then reproduce the situation and send the AVCs which you have in permissive mode?

Thank you,
Patrik
Created attachment 1637652
AVCs triggered in permissive mode

At your service!
commit 32a849cbbb1855f7deb0def876f1728d3571ca49 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <pkoncity>
Date:   Fri Nov 29 11:05:49 2019 +0100

    Update milter policy to allow use sendmail

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1770570

    Add macro to allow dkim_milter_t domain to manage mail queue files in domain mqueue_spool_t
    Allow dkim_milter_t domain to set own process resource limit
    Allow dkim_milter_t domain to get attributes of filesystem
    Allow dkim_milter_t domain to connect simple mail transfer protocol port
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.