Bug 1770570 - SELinux prevents sendmail started from DKIM milter to work
Summary: SELinux prevents sendmail started from DKIM milter to work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-10 15:51 UTC by Göran Uddeborg
Modified: 2020-05-04 09:39 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-01 01:30:42 UTC
Type: Bug

Attachments (Terms of Use)
AVCs triggered in permissive mode (6.75 KB, text/plain)
2019-11-19 13:22 UTC, Göran Uddeborg 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

Description Göran Uddeborg 2019-11-10 15:51:55 UTC 
Description of problem:
After the fix of bug 1757950, opendkim is now able to _execute_ sendmail.  But the sendmail process is still not able to deliver any mail.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.4-39.fc31.noarch


How reproducible:
Every time


Steps to Reproduce:
1. Configure sendmail to use opendkim
2. Give it a mail with a broken dkim signature


Actual results:
No warning mail, and two AVCs:

----
time->Sun Nov 10 16:33:26 2019
type=AVC msg=audit(1573400006.845:32261): avc:  denied  { setrlimit } for  pid=212036 comm="sendmail" scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:system_r:dkim_milter_t:s0 tclass=process permissive=0
----
time->Sun Nov 10 16:33:26 2019
type=AVC msg=audit(1573400006.845:32262): avc:  denied  { search } for  pid=212036 comm="sendmail" name="clientmqueue" dev="dm-0" ino=5193760 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir permissive=0


Additional info:
I notice the sendmail binary has type sendmail_exec_t.  Maybe the correct fix here is not to allow those operations, but to allow dkim_milter_t to transition into sendmail_t?
Comment 1 Patrik Koncity 2019-11-19 11:06:36 UTC 
Hi, 
can you put SELinux to permissive?
via #seteneforce 0
then reproduce situation and send AVCs which you have in permissive?

Thank you,
Patrik
Comment 2 Göran Uddeborg 2019-11-19 13:22:18 UTC 
Created attachment 1637652 [details]
AVCs triggered in permissive mode

At you service!
Comment 3 Lukas Vrabec 2020-01-03 15:54:17 UTC 
commit 32a849cbbb1855f7deb0def876f1728d3571ca49 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Patrik Koncity <pkoncity@redhat.com>
Date:   Fri Nov 29 11:05:49 2019 +0100

    Update milter policy to allow use sendmail
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1770570
    Add macro to allow dkim_milter_t domain to manage mail queue files
    in domain mqueue_spool_t
    Allow dkim_milter_t domain to set own process resource limit
    Allow dkim_milter_t domain to get attributes of filesystem
    Allow dkim_milter_t domain to connect simple mail transfer protocol port
Comment 4 Fedora Update System 2020-01-31 01:28:38 UTC 
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
Comment 5 Fedora Update System 2020-02-01 01:30:42 UTC 
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.