The default configuration file for opendkim configures the communication socket to be /run/opendkim/opendkim.sock. But the SELinux policy doesn't allow opendkim to create the directory. If created outside of opendkim, the daemon still doesn't have the right to create a socket in it.

Reproducible: Always

Steps to Reproduce:
1. systemctl start opendkim

Actual Results:
This AVC:

type=AVC msg=audit(1730652453.517:396285): avc: denied { write } for pid=1440679 comm="opendkim" name="opendkim" dev="tmpfs" ino=172284 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0

Expected Results:
No AVC violations.

One could argue if this should be changed on the opendkim side or the SELinux side. One way to solve it obviously is to add more allow rules. Another way is to use an inet socket rather than a Unix socket. I created this as an opendkim ticket for an initial consideration.
Same problem here. It looks like this issue was also reported in bug 2322523. I hope it gets fixed soon.
I'm also affected by this issue and want to upvote it.
these policies bring it up again (paste it in a file and name it opendkim.te):

module opendkim 1.0;
-----snipp---
require {
    type dkim_milter_t;
    type var_run_t;
    class dir { read write open add_name remove_name };
    class file { read write open create getattr unlink };
}

#============= dkim_milter_t ==============
allow dkim_milter_t var_run_t:dir { add_name write remove_name };
allow dkim_milter_t var_run_t:file { create getattr open write unlink };
---- snipp ----

install with:

checkmodule -M -m -o opendkim.mod opendkim.te
semodule_package -m opendkim.mod -o opendkim.pp
semodule -i opendkim.pp
again due to wrong position of snipp

these policies bring it up again (paste it in a file and name it opendkim.te):

-----snipp---
module opendkim 1.0;

require {
    type dkim_milter_t;
    type var_run_t;
    class dir { read write open add_name remove_name };
    class file { read write open create getattr unlink };
}

#============= dkim_milter_t ==============
allow dkim_milter_t var_run_t:dir { add_name write remove_name };
allow dkim_milter_t var_run_t:file { create getattr open write unlink };
---- snipp ----

install with:

checkmodule -M -m -o opendkim.mod opendkim.te
semodule_package -m opendkim.mod -o opendkim.pp
semodule -i opendkim.pp
Until this gets fixed, the easiest workaround is just to restore the removed file context locally and reboot or restart opendkim (the existing policy for allowing interaction with dkim_milter_data_t does the rest):

semanage fcontext -a -t dkim_milter_data_t "/run/opendkim(/.*)?"
In order to get the socket to create on Fedora 42, I had to modify the policy workaround provided above by fedora to include sock_file like so:

-----snipp---
module opendkim 1.0;

require {
    type dkim_milter_t;
    type var_run_t;
    class dir { read write open add_name remove_name };
    class file { read write open create getattr unlink };
    class sock_file { read write open create getattr unlink };
}

#============= dkim_milter_t ==============
allow dkim_milter_t var_run_t:dir { add_name write remove_name };
allow dkim_milter_t var_run_t:file { create getattr open write unlink };
allow dkim_milter_t var_run_t:sock_file { create getattr open write unlink };
---- snipp ----

install with:

checkmodule -M -m -o opendkim.mod opendkim.te
semodule_package -m opendkim.mod -o opendkim.pp
semodule -i opendkim.pp
Giving opendkim the ability to create the socket wasn't enough - I also had to give sendmail the ability to access the socket as well. These rules might be overly broad, but it worked . . .

-----snipp---
module opendkim 1.0;

require {
    type dkim_milter_t;
    type sendmail_t;
    type var_run_t;
    class dir { read write open add_name remove_name };
    class file { read write open create getattr unlink };
    class sock_file { read write open create getattr unlink };
}

#============= dkim_milter_t ==============
allow dkim_milter_t var_run_t:dir { add_name write remove_name };
allow dkim_milter_t var_run_t:file { create getattr open write unlink };
allow dkim_milter_t var_run_t:sock_file { create getattr open write unlink };
allow sendmail_t var_run_t:sock_file { create getattr open write unlink };
---- snipp ----
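The AVC record in the report and the hand-written allow rules in the workaround modules above can be cross-checked mechanically, which is what the following added example does; it is not code from this thread, from opendkim or from the SELinux project. It parses AVC records of the shape quoted in the report, parses allow rules out of .te text, and lists the minimal rules a module is still missing; the three AVC lines are constructed test input, only the first being the one from the report.

```python
import re
# Constructed sample input. The first record is the denial quoted in the bug
# report; the other two are invented to resemble the sock_file denials the later
# comments describe for opendkim and sendmail (not taken from a real audit log).
AVC_LINES = [
    'type=AVC msg=audit(1730652453.517:396285): avc: denied { write } for pid=1440679 comm="opendkim" name="opendkim" dev="tmpfs" ino=172284 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1730652460.000:396290): avc: denied { create } for pid=1440679 comm="opendkim" name="opendkim.sock" scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1730652470.000:396295): avc: denied { write } for pid=1440700 comm="sendmail" name="opendkim.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0',
]
# The allow rules of the first workaround module in the thread (dir and file only).
TE_MODULE = """
allow dkim_milter_t var_run_t:dir { add_name write remove_name };
allow dkim_milter_t var_run_t:file { create getattr open write unlink };
"""
# Permissions, source type, target type and object class of one AVC record.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<stype>\w+)"
                    r".*?tcontext=\w+:\w+:(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)")
# 'allow src tgt:cls { p1 p2 };' or 'allow src tgt:cls p;' in .te text.
ALLOW_RE = re.compile(r"^\s*allow\s+(?P<s>\w+)\s+(?P<t>\w+):(?P<c>\w+)\s+"
                      r"(?:\{\s*(?P<set>[^}]+)\}|(?P<one>\w+))\s*;", re.MULTILINE)

def parse_avc(line):
    """Return (source type, target type, class, frozenset of denied perms), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return m["stype"], m["ttype"], m["tclass"], frozenset(m["perms"].split())

def parse_te(text):
    """Collect allow rules as {(source, target, class): set of permissions}."""
    rules = {}
    for m in ALLOW_RE.finditer(text):
        rules.setdefault((m["s"], m["t"], m["c"]), set()).update((m["set"] or m["one"]).split())
    return rules

def uncovered(avc_lines, te_text):
    """Denials the module does not allow, as the minimal allow rules that would cover them."""
    rules, needed = parse_te(te_text), {}
    for line in avc_lines:
        parsed = parse_avc(line)
        if parsed is None:  # not an AVC record, skip it
            continue
        src, tgt, cls, perms = parsed
        missing = perms - rules.get((src, tgt, cls), set())
        if missing:
            needed.setdefault((src, tgt, cls), set()).update(missing)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in needed.items())

if __name__ == "__main__":
    print("\n".join(uncovered(AVC_LINES, TE_MODULE)))
```

Feeding the module from the sendmail comment instead of TE_MODULE yields an empty list for the same three denials, which is the check worth running before loading a hand-written .pp.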
I'm tossing some other notes in here regarding opendkim. Because I want to use ReplaceHeaders and ReplaceRules in my opendkim.conf file, I have to enable them in a custom build. For Fedora 42, doing my normal rebuild to patch in support for both ReplaceHeaders and ReplaceRules had issues . . . there were some complications: * The source RPM is still from fc41 (not fc42) * The source RPM doesn't want to build with the new gcc because of an issue in miltertest where it won't compile with c23 * The merge of /usr/sbin into /usr/bin runs into issues with the opendkim.spec file Here are my notes on how I worked around these issues (and it would be really cool if Fedora decided to support ReplaceHeaders and ReplaceRules in their build so I could stop doing this every time I rebuild my server on a new version of Fedora). In addition to installing the standard bunch of development tools, I needed the following (it's possible some of these are no longer needed - I've been building my custom opendkim for many years): dnf install rpm-build libbsd-devel libdb-devel libmemcached-devel libtool lua-devel opendbx-devel openldap-devel openssl-devel sendmail-devel I'm assuming you have downloaded opendkim-2.11.0-0.39.fc41.src.rpm and run rpm -i to create the rpmbuild directory structure (this can all be done as a normal user from the user's homedir). Create the file ~/rpmbuild/SOURCES/opendkim.ReplaceRules.patch with the following contents: ====== BEGIN FILE CONTENTS ====== --- a/opendkim/opendkim-config.h +++ b/opendkim/opendkim-config.h 
@@ -147,6 +147,7 @@ { "RemoveARFrom", CONFIG_TYPE_STRING, FALSE }, { "RemoveOldSignatures", CONFIG_TYPE_BOOLEAN, FALSE }, #ifdef _FFR_REPLACE_RULES + { "ReplaceHeaders", CONFIG_TYPE_STRING, FALSE }, { "ReplaceRules", CONFIG_TYPE_STRING, FALSE }, #endif /* _FFR_REPLACE_RULES */ { "ReportAddress", CONFIG_TYPE_STRING, FALSE }, ====== END FILE CONTENTS ====== Create the file ~/rpmbuild/SOURCES/opendkim.MilterTestCompile.patch with the following contents: ====== BEGIN FILE CONTENTS ====== --- a/miltertest/Makefile.am +++ b/miltertest/Makefile.am 
@@ -2,7 +2,7 @@ # All rights reserved. # what flags you want to pass to the C compiler & linker -#AM_CFLAGS = --pedantic -Wall -O2 +AM_CFLAGS = -std=gnu17 # this lists the binaries to produce, the (non-PHONY, binary) targets in # the previous manual Makefile ====== END FILE CONTENTS ====== Make a whole bunch of changes to ~/rpmbuild/SPECS/opendkim.spec: * Modify the following line (find the Release line and update it - the .1 is to distinguish the custom version, and the fc41 is so it matches the current fc41 version instead of jumping to fc42): Release: 0.39.1.fc41 * Add the following lines following the Patch3 line - this enables the two patches we created above: Patch4: opendkim.ReplaceRules.patch Patch5: opendkim.MilterTestCompile.patch * Verify there is only one %configure line and then replace it with the following line (this should add the --enable-replace_rules option): %configure --with-odbx --with-db --with-libmemcached --with-openldap --enable-query_cache --enable-replace_rules --with-lua * Modify the following lines to handle the symlink of sbin to bin: install -m 0755 stats/%{name}-reportstats %{buildroot}%{_sbindir}/%{name}-reportstats sed -i 's|^%{bigname}STATSDIR="/var/db/%{name}"|%{bigname}STATSDIR="%{_localstatedir}/spool/%{name}"|g' %{buildroot}%{_sbindir}/%{name}-reportstats sed -i 's|^%{bigname}DATOWNER="mailnull:mailnull"|%{bigname}DATOWNER="%{name}:%{name}"|g' %{buildroot}%{_sbindir}/%{name}-reportstats With those files created and the opendkim.spec modified, you can now build: cd ~/rpmbuild/SPECS rpmbuild -ba opendkim.spec Then you can login as root and upgrade to your new packages (making sure ~user_that_did_the_build is correct) : rpm -U ~user_that_did_the_build/rpmbuild/RPMS/x86_64/libopendkim-2.11.0-0.39.1.fc41.x86_64.rpm ~user_that_did_the_build/rpmbuild/RPMS/x86_64/opendkim-2.11.0-0.39.1.fc41.x86_64.rpm Interestingly, the timestamps on /usr/bin/opendkim and /usr/lib64/libopendkim.so.11.0.0 don't change, but the sizes and contents do. 
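Review bot: confirm that the daemon actually consumes the new "ReplaceHeaders" entry added in the opendkim-config.h hunk. That hunk only registers the key with the configuration parser, which is what stops opendkim from rejecting it in opendkim.conf; unless the code under _FFR_REPLACE_RULES in the daemon reads a ReplaceHeaders value, the option is accepted but has no effect. The `opendkim -V` check later in the notes proves only that _FFR_REPLACE_RULES is compiled in, not that ReplaceHeaders is honoured, so a functional test (a header that a ReplaceHeaders rule is expected to rewrite) would complete the notes.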
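Review bot: the miltertest/Makefile.am hunk only reaches the build if automake regenerates Makefile.in, so check that opendkim.spec runs autoreconf before the %configure line you replaced; if it does not, the Makefile.in shipped in the source tarball still carries the commented-out AM_CFLAGS and miltertest keeps failing under the compiler's C23 default. Limiting the -std=gnu17 pin to miltertest is the right scope for this workaround, since the notes say only miltertest has the C23 problem.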
You can verify that _FFR_REPLACE_RULES is enabled in the installed bin:

opendkim -V

You should see _FFR_REPLACE_RULES in the Active code options section.

Note that I really have no clue what I'm doing - I just stumble along persistently until I eventually figure out something that works! So YMMV!
This message is a reminder that Fedora Linux 41 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 41 on 2025-12-15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '41'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 41 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
For me this issue got addressed by the fix for bug 2322523.
Agreed, this is no longer a problem in Fedora 43.