Bug 2322523 - SELinux change removes label for OpenDKIM
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 41
Hardware: x86_64
OS: Linux
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2024-10-29 18:45 UTC by Anthony Messina
Modified: 2025-08-01 01:55 UTC (History)

Fixed In Version: selinux-policy-41.46-1.fc41
Last Closed: 2025-08-01 01:55:26 UTC
Type: Bug
Links:
Github fedora-selinux selinux-policy pull 2739 (private: 0, priority: None, status: open): Label /run/opendkim with dkim_milter_data_t (last updated 2025-06-23 14:59:16 UTC)
Red Hat Bugzilla 2323522 (private: 0, priority: unspecified, status: CLOSED): SELinux prevents opendkim to run in its default configuration (last updated 2025-12-09 16:16:03 UTC)

Internal Links: 2323522

Description Anthony Messina 2024-10-29 18:45:22 UTC
After upgrading to Fedora 41 with selinux-policy-41.24-1.fc41, I noticed that OpenDKIM/Postfix aren't working properly and that the /run/opendkim directory is labeled var_run_t when it should be dkim_milter_data_t.

Upstream https://github.com/fedora-selinux/selinux-policy/commit/eaa8cf1d7f187819a4c82c1fa52704a669ec780b also removed the entry:

/run/opendkim(/.*)?         gen_context(system_u:object_r:dkim_milter_data_t,s0)

which should probably be put back and a new policy package released.

Comment 1 Steve 2024-11-01 18:25:13 UTC
I am not an selinux maintainer, but I noticed that the commit message says:

"Remove a few lines duplicated between {dkim,milter}.fc"

However, this is present in both files:

/var/spool/opendkim(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)

More to the point, there don't seem to be any file contexts from dkim.fc in selinux-policy-targeted-41.24-1.fc41.noarch:

$ sudo semanage fcontext -l | fgrep dkim
/etc/mail/dkim-milter/keys(/.*)?                   all files          system_u:object_r:dkim_milter_private_key_t:s0 
/run/opendmarc(/.*)?                               all files          system_u:object_r:dkim_milter_data_t:s0 
/usr/bin/dkim-filter                               regular file       system_u:object_r:dkim_milter_exec_t:s0 
/usr/bin/opendkim                                  regular file       system_u:object_r:dkim_milter_exec_t:s0 
/usr/bin/opendmarc                                 regular file       system_u:object_r:dkim_milter_exec_t:s0 
/var/spool/opendkim(/.*)?                          all files          system_u:object_r:dkim_milter_data_t:s0 
/var/spool/opendmarc(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0 

The problem appears to be that the dkim module is missing:

$ sudo semodule --list-modules=full | fgrep 'dkim'

In contrast:

$ sudo semodule --list-modules=full | fgrep 'milter'
100 milter               pp

Comment 2 Steve 2024-11-01 19:46:55 UTC
From https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v41.24.zip:

$ egrep -n 'dkim|milter' ./selinux-policy-41.24/dist/targeted/modules.conf
1377:# Module: milter
1381:milter = module

Comment 3 Anthony Messina 2024-11-02 14:43:21 UTC
(In reply to Steve from comment #1)
> I am not an selinux maintainer, but I noticed that the commit message says:
> 
> "Remove a few lines duplicated between {dkim,milter}.fc"
> 
> However, this is present in both files:
> 
> /var/spool/opendkim(/.*)?	gen_context(system_u:object_r:dkim_milter_data_t,s0)
> 
> More to the point, there don't seem to be any file contexts from dkim.fc in
> selinux-policy-targeted-41.24-1.fc41.noarch:
> 
> $ sudo semanage fcontext -l | fgrep dkim
> /etc/mail/dkim-milter/keys(/.*)?                   all files          system_u:object_r:dkim_milter_private_key_t:s0
> /run/opendmarc(/.*)?                               all files          system_u:object_r:dkim_milter_data_t:s0
> /usr/bin/dkim-filter                               regular file       system_u:object_r:dkim_milter_exec_t:s0
> /usr/bin/opendkim                                  regular file       system_u:object_r:dkim_milter_exec_t:s0
> /usr/bin/opendmarc                                 regular file       system_u:object_r:dkim_milter_exec_t:s0
> /var/spool/opendkim(/.*)?                          all files          system_u:object_r:dkim_milter_data_t:s0
> /var/spool/opendmarc(/.*)?                         all files          system_u:object_r:dkim_milter_data_t:s0
> 
> The problem appears to be that the dkim module is missing:
> 
> $ sudo semodule --list-modules=full | fgrep 'dkim'
> 
> In contrast:
> 
> $ sudo semodule --list-modules=full | fgrep 'milter'
> 100 milter               pp

That is also correct.  The entry for /run/opendkim(/.*)? is missing from the install and either updating milter.fc or ensuring the dkim policy is included could resolve the issue.

Comment 4 Anthony Messina 2025-01-11 16:36:16 UTC
Still present in selinux-policy-41.28-1.fc41.noarch

Please re-add the following to milter.fc, since it appears dkim isn't built in Fedora targeted policy:

/run/opendkim(/.*)?         gen_context(system_u:object_r:dkim_milter_data_t,s0)
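
The check behind this thread, as an added example that is not part of the bug report: given `semanage fcontext -l` style output, report which type a path resolves to, so a missing `/run/opendkim` rule shows up as a fall-through to `var_run_t`. The function name `fcontext_type_for`, the generic `/run/.*` line in the sample, and the longest-pattern-wins ordering are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the bug report): resolve which file-context rule
# covers a path, reading `semanage fcontext -l` style output on stdin.

# Constructed sample: a subset of the rules quoted in comment 1, plus an
# assumed generic /run/.* -> var_run_t rule standing in for the catch-all.
SAMPLE_FCONTEXT='/run/.*                            all files     system_u:object_r:var_run_t:s0
/etc/mail/dkim-milter/keys(/.*)?   all files     system_u:object_r:dkim_milter_private_key_t:s0
/run/opendmarc(/.*)?               all files     system_u:object_r:dkim_milter_data_t:s0
/usr/bin/opendkim                  regular file  system_u:object_r:dkim_milter_exec_t:s0
/var/spool/opendkim(/.*)?          all files     system_u:object_r:dkim_milter_data_t:s0'

# The rule the report asks to restore, written in semanage listing form.
RESTORED_RULE='/run/opendkim(/.*)?  all files  system_u:object_r:dkim_milter_data_t:s0'

# fcontext_type_for PATH
# Prints the SELinux type of the longest pattern that matches PATH in full
# (an approximation of the "most specific rule wins" ordering).
# Returns 1 when no rule matches. Runs in a subshell to keep variables local.
fcontext_type_for() (
    path=$1 best="" best_len=0
    rules=$(awk 'NF >= 3 { print $1, $NF }')   # keep pattern and context only
    while read -r spec ctx; do
        [ -n "$spec" ] || continue
        if printf '%s\n' "$path" | grep -Eqx -- "$spec" &&
           [ "${#spec}" -gt "$best_len" ]; then
            best=$ctx best_len=${#spec}
        fi
    done <<EOF
$rules
EOF
    [ -n "$best" ] || exit 1
    type=${best#*:}; type=${type#*:}           # drop "user:" and "role:"
    printf '%s\n' "${type%%:*}"
)

# Rules as listed for 41.24: the directory falls through to the generic rule.
printf '%s\n' "$SAMPLE_FCONTEXT" | fcontext_type_for /run/opendkim
# With the rule restored, the same path resolves to the milter data type.
printf '%s\n%s\n' "$SAMPLE_FCONTEXT" "$RESTORED_RULE" | fcontext_type_for /run/opendkim
```

On a live host, pipe `sudo semanage fcontext -l` into the function instead of the sample. On a policy older than selinux-policy-41.46-1.fc41, a local rule added with `semanage fcontext -a -t dkim_milter_data_t '/run/opendkim(/.*)?'` followed by `restorecon -Rv /run/opendkim` applies the expected label.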

Comment 5 Anthony Messina 2025-02-11 17:46:11 UTC
This upstream pull request would resolve the issue: https://github.com/fedora-selinux/selinux-policy/pull/2447

Comment 6 Fedora Update System 2025-07-16 08:01:27 UTC
FEDORA-2025-37c20d2140 (selinux-policy-41.46-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-37c20d2140

Comment 7 Fedora Update System 2025-07-17 01:07:27 UTC
FEDORA-2025-37c20d2140 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-37c20d2140`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-37c20d2140

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Anthony Messina 2025-07-17 11:53:49 UTC
Will there be a Fedora 42 release with the same fix?

Comment 9 Anthony Messina 2025-07-17 12:08:43 UTC
(In reply to Anthony Messina from comment #8)
> Will there be a Fedora 42 release with the same fix?

Never mind. It looks updated in F42.

Comment 10 Fedora Update System 2025-08-01 01:55:26 UTC
FEDORA-2025-37c20d2140 (selinux-policy-41.46-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

