2253647 – Report function broken, because of missing SELinux rules

Bug 2253647 - Report function broken, because of missing SELinux rules

Summary: Report function broken, because of missing SELinux rules

Keywords:
Status:	NEW
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	opendmarc
Sub Component:
Version:	epel9
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Kevin Fenzi
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-12-08 15:06 UTC by Frank Büttner
Modified:	2023-12-08 15:06 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	2125030	0	medium	CLOSED	opendkim and opendmarc sendmail policy request	2023-12-08 15:06:11 UTC

Description Frank Büttner 2023-12-08 15:06:12 UTC

Description of problem:
OpenDMARC can't send mails when request by the DMARC DNS records.

Version-Release number of selected component (if applicable):
opendmarc-1.4.2-10.el9.x86_64

How reproducible:
Any time when an SPF fails happens with an "Failure report URI" DNS entry 

Steps to Reproduce:
1. deliver an fake mail to postfix from an sender which use SPF with report set.


Actual results:
OpenDMARC detect it, but can't send the requested mail because of SELinux errors.

Expected results:
That the mail request by the SPF holder are send on SPAM event.


Additional info:
opendmarc-check:
opendmarc-check facebook.com
DMARC record for facebook.com:
	Sample percentage: 100
	DKIM alignment: relaxed
	SPF alignment: relaxed
	Domain policy: reject
	Subdomain policy: unspecified
	Aggregate report URIs:
		a.com
	Failure report URIs:
		fb-dmarc.com

So facebook request an mail on failure.

Log OpenDMARC:
Dez 08 16:03:14 opendmarc[337848]: implicit authentication service: XXXX
Dez 08 16:03:14 opendmarc[337848]: 726218ECB719: SPF(mailfrom): facebook.com fail
Dez 08 16:03:14 opendmarc[337963]: sendmail: fatal: open /etc/postfix/main.cf: Permission denied
Dez 08 16:03:14 postfix/sendmail[337963]: fatal: open /etc/postfix/main.cf: Permission denied
Dez 08 16:03:14 opendmarc[337848]: 726218ECB719: pclose() exited with status 75
Dez 08 16:03:14 opendmarc[337848]: 726218ECB719: facebook.com fail

Log audit:
type=AVC msg=audit(1702047924.918:22137): avc:  denied  { search } for  pid=338016 comm="sendmail" name="postfix" dev="dm-0" ino=134779488 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1702047924.918:22137): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=558efee37ad0 a2=0 a3=0 items=0 ppid=337848 pid=338016 auid=4294967295 uid=981 gid=980 euid=981 suid=981 fsuid=981 egid=980 sgid=980 fsgid=980 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=system_u:system_r:dkim_milter_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="opendmarc" GID="opendmarc" EUID="opendmarc" SUID="opendmarc" FSUID="opendmarc" EGID="opendmarc" SGID="opendmarc" FSGID="opendmarc"
type=PROCTITLE msg=audit(1702047924.918:22137): proctitle=2F7573722F7362696E2F73656E646D61696C002D74002D6F6471

Note You need to log in before you can comment on or make changes to this bug.