+++ This bug was initially created as a clone of Bug #2217139 +++

SELinux blocks openarc / dkim_milter_data_t missing from /run/openarc

Description of problem:
SELinux blocks postfix from connecting to the openarc milter.

Version-Release number of selected component (if applicable):
selinux-policy-38.1.11-2.el9_2.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure postfix to add the openarc milter
2.
3.

Actual results:
type=AVC msg=audit(1687527199.794:156): avc: denied { write } for pid=4174 comm="smtpd" name="openarc.sock" dev="tmpfs" ino=1105 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1

Expected results:
Successful connection.

Additional info:
Current dkim_milter_data_t is as follows.

[root@seawitch ~]# semanage fcontext -l | grep dkim_milter_data_t
/var/lib/dkim-milter(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0
/var/run/dkim-milter(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0
/var/run/opendkim(/.*)?                            all files          system_u:object_r:dkim_milter_data_t:s0
/var/run/opendmarc(/.*)?                           all files          system_u:object_r:dkim_milter_data_t:s0
/var/spool/opendkim(/.*)?                          all files          system_u:object_r:dkim_milter_data_t:s0
/var/spool/opendmarc(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0

The /run/openarc directory is missing:

[root@seawitch ~]# ls -alZ /run/openarc
total 4
drwxr-x---.  2 openarc openarc system_u:object_r:var_run_t:s0   80 Jun 24 10:43 .
drwxr-xr-x. 60 root    root    system_u:object_r:var_run_t:s0 1480 Jun 24 10:44 ..
-rw-rw----.  1 openarc openarc system_u:object_r:var_run_t:s0    5 Jun 24 10:43 openarc.pid
srwxrwx---.  1 openarc openarc system_u:object_r:var_run_t:s0    0 Jun 24 10:43 openarc.sock

Workaround:
semanage fcontext -a -t dkim_milter_data_t '/var/run/openarc(/.*)?'

--- Additional comment from Milos Malik on 2023-06-26 16:25:55 CEST ---

The openarc service is not confined by SELinux. The openarc package comes from EPEL.

# rpm -q openarc
openarc-1.0.0-0.15.Beta3.el9.x86_64
# rpm -ql openarc | xargs matchpathcon
/etc/openarc                                            system_u:object_r:etc_t:s0
/etc/openarc.conf                                       system_u:object_r:etc_t:s0
/etc/openarc/PeerList                                   system_u:object_r:etc_t:s0
/run/openarc                                            system_u:object_r:var_run_t:s0
/usr/lib/.build-id                                      system_u:object_r:lib_t:s0
/usr/lib/.build-id/60                                   system_u:object_r:lib_t:s0
/usr/lib/.build-id/60/c1ee5243451e9e8c2dae2f8e903e29ef117c92   system_u:object_r:lib_t:s0
/usr/lib/systemd/system/openarc.service                 system_u:object_r:systemd_unit_file_t:s0
/usr/lib/tmpfiles.d/openarc.conf                        system_u:object_r:lib_t:s0
/usr/sbin/openarc                                       system_u:object_r:bin_t:s0
/usr/share/doc/openarc                                  system_u:object_r:usr_t:s0
/usr/share/doc/openarc/README                           system_u:object_r:usr_t:s0
/usr/share/doc/openarc/RELEASE_NOTES                    system_u:object_r:usr_t:s0
/usr/share/doc/openarc/openarc.conf.sample              system_u:object_r:usr_t:s0
/usr/share/licenses/openarc                             system_u:object_r:usr_t:s0
/usr/share/licenses/openarc/LICENSE                     system_u:object_r:usr_t:s0
/usr/share/licenses/openarc/LICENSE.Sendmail            system_u:object_r:usr_t:s0
/usr/share/man/man5/openarc.conf.5.gz                   system_u:object_r:man_t:s0
/usr/share/man/man8/openarc.8.gz                        system_u:object_r:man_t:s0
#
> The openarc service is not confined by SELinux. The openarc package comes from EPEL.

Openarc is a milter, which by definition can only be connected to by postfix/sendmail if openarc is confined by selinux. Please either:

- Add openarc to dkim_milter_data_t as requested; or
- remove selinux from postfix/sendmail, as the config is not usable without switching selinux off.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
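The following is an added example, not part of the bug report or of the selinux-policy or openarc projects. It parses an AVC denial of the shape shown in the report (a constructed copy of that line is embedded as sample input), reduces it to "which source type was denied which permission on which object label", and derives the persistent relabel for the affected directory. The helper names (avc_field, avc_permission, context_type, avc_summary, fcontext_fix) are the example's own; it uses only POSIX sh, sed and cut, and it prints the semanage/restorecon commands rather than running them, so it can be tried on any machine. The restorecon step is the example's addition to the report's workaround: semanage fcontext only records the rule, and files that already exist (such as the socket created at service start) keep their old label until relabeled.

```shell
#!/bin/sh
# Added example (not from the bug report): parse an SELinux AVC denial and
# derive the file-context fix for the object's directory.

# Constructed sample line, same shape as the denial in the report.
SAMPLE_AVC='type=AVC msg=audit(1687527199.794:156): avc: denied { write } for pid=4174 comm="smtpd" name="openarc.sock" dev="tmpfs" ino=1105 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1'

# avc_field LINE KEY: value of KEY=... in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission LINE: the permission(s) listed inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT: the type field, i.e. the third colon-separated part
# of user:role:type:level (system_u:object_r:var_run_t:s0 -> var_run_t).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one readable line: who was denied what on which label.
# For the sample this yields the mismatch the report describes: postfix's
# smtpd domain cannot write a socket that carries the generic var_run_t label
# instead of the milter socket label.
avc_summary() {
    printf '%s denied %s on %s "%s" labeled %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_permission "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# fcontext_fix DIR TYPE: the persistent relabel commands for DIR. The first
# line is the workaround from the report; restorecon then applies the new
# rule to the directory and the files already in it.
fcontext_fix() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\nrestorecon -Rv %s\n" "$2" "$1" "$1"
}

# Stand-alone run: summarize the sample and print (not execute) the fix.
avc_summary "$SAMPLE_AVC"
fcontext_fix /var/run/openarc dkim_milter_data_t
```

Note that the sample carries permissive=1, so the denial was only logged, not enforced; in enforcing mode the same line appears with permissive=0 and the connection fails. After applying the fix, `ls -Z /run/openarc` should show dkim_milter_data_t on the socket, and `matchpathcon /run/openarc` should report the same type.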