1770570 – SELinux prevents sendmail started from DKIM milter to work

Bug 1770570 - SELinux prevents sendmail started from DKIM milter to work

Summary: SELinux prevents sendmail started from DKIM milter to work

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	31
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Patrik Koncity
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-10 15:51 UTC by Göran Uddeborg
Modified:	2020-05-04 09:39 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2020-02-01 01:30:42 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
AVCs triggered in permissive mode (6.75 KB, text/plain) 2019-11-19 13:22 UTC, Göran Uddeborg	no flags	Details
View All

Description Göran Uddeborg 2019-11-10 15:51:55 UTC

Description of problem:
After the fix of bug 1757950, opendkim is now able to _execute_ sendmail.  But the sendmail process is still not able to deliver any mail.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.4-39.fc31.noarch


How reproducible:
Every time


Steps to Reproduce:
1. Configure sendmail to use opendkim
2. Give it a mail with a broken dkim signature


Actual results:
No warning mail, and two AVCs:

----
time->Sun Nov 10 16:33:26 2019
type=AVC msg=audit(1573400006.845:32261): avc:  denied  { setrlimit } for  pid=212036 comm="sendmail" scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=process permissive=0
----
time->Sun Nov 10 16:33:26 2019
type=AVC msg=audit(1573400006.845:32262): avc:  denied  { search } for  pid=212036 comm="sendmail" name="clientmqueue" dev="dm-0" ino=5193760 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir permissive=0


Additional info:
I notice the sendmail binary has type sendmail_exec_t.  Maybe the correct fix here is not to allow those operations, but to allow dkim_milter_t to transition into sendmail_t?

Comment 1 Patrik Koncity 2019-11-19 11:06:36 UTC

Hi, 
can you put SELinux to permissive?
via #seteneforce 0
then reproduce situation and send AVCs which you have in permissive?

Thank you,
Patrik

Comment 2 Göran Uddeborg 2019-11-19 13:22:18 UTC

Created attachment 1637652 [details]
AVCs triggered in permissive mode

At you service!

Comment 3 Lukas Vrabec 2020-01-03 15:54:17 UTC

commit 32a849cbbb1855f7deb0def876f1728d3571ca49 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <pkoncity>
Date:   Fri Nov 29 11:05:49 2019 +0100

    Update milter policy to allow use sendmail
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1770570
    Add macro to allow dkim_milter_t domain to manage mail queue files
    in domain mqueue_spool_t
    Allow dkim_milter_t domain to set own process resource limit
    Allow dkim_milter_t domain to get attributes of filesystem
    Allow dkim_milter_t domain to connect simple mail transfer protocol port

Comment 4 Fedora Update System 2020-01-31 01:28:38 UTC

selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17

Comment 5 Fedora Update System 2020-02-01 01:30:42 UTC

selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.