Bug 718219 - RFE: let postfix use dkim-milter
Summary: RFE: let postfix use dkim-milter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 771700 772019
TreeView+ depends on / blocked
 
Reported: 2011-07-01 13:07 UTC by Cristian Ciupitu
Modified: 2012-10-16 11:29 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-2.4.6-322.el5
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-21 05:47:20 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0158 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-02-20 14:53:50 UTC

Description Cristian Ciupitu 2011-07-01 13:07:54 UTC 
Description of problem:
I'm trying to get my postfix email server to use DKIM. This can be done by connecting to the external program dkim-milter via a local Unix socket or TCP. By default dkim-milter uses the /var/run/dkim-milter/dkim-milter.sock Unix socket.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-300.el5_6.1.noarch.rpm
dkim-milter-2.8.3-4.el5.i386.rpm


How reproducible:
Every time


Steps to Reproduce:
1. Install postfix & dkim-milter and do some basic configuration.
   1.a. Add this to /etc/postfix/main.cf:
        smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
        non_smtpd_milters = $smtpd_milters
   1.b. Configure DKIM keys:
        1.b.i. Go to /etc/mail/dkim-milter/keys
        1.b.ii Run dkim-genkey -d `hostname` && chown dkim-milter default*
        1.b.iii Add the generated key to the keylist file by running echo "*:`hostname`:${PWD}/default" >> keylist

2. Fix the permissions to let postfix connect to the Unix socket. This is needed because the default permissions for /var/run/dkim-milter are set to 0700. One way to get around this might be:
   2.a. usermod -a -G dkim-milter postfix
   2.b. chmod g+rx /var/run/dkim-milter
   2.c. set the UMask in dkim-milter.conf to 002

3. Send an email for example with Thunderbird or by running the command date | mail -s "test `date`" root@`hostname`.


Actual results:
SELinux denials when using Thunderbird:
----
time->Fri Jul  1 15:37:16 2011
type=USER_AUTH msg=audit(1309523836.476:97): user pid=4508 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="ciupicri" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=dovecot res=success)'
----
time->Fri Jul  1 15:37:16 2011
type=USER_ACCT msg=audit(1309523836.477:98): user pid=4508 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct="ciupicri" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=dovecot res=success)'
----
time->Fri Jul  1 15:37:15 2011
type=SYSCALL msg=audit(1309523835.478:96): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd399a0 a2=ff6ff4 a3=1e items=0 ppid=4498 pid=4503 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=2 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=root:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1309523835.478:96): avc:  denied  { connectto } for  pid=4503 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1309523835.478:96): avc:  denied  { write } for  pid=4503 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=932904 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
----
time->Fri Jul  1 15:37:16 2011
type=SYSCALL msg=audit(1309523836.525:99): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bfe6e280 a2=9e0ff4 a3=8874a68 items=0 ppid=4498 pid=4510 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=2 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1309523836.525:99): avc:  denied  { read write } for  pid=4510 comm="cleanup" path="socket:[19569]" dev=sockfs ino=19569 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket

SELinux denials when using the mail command:
----
time->Fri Jul  1 16:02:56 2011
type=SYSCALL msg=audit(1309525376.403:116): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd239b0 a2=dacff4 a3=1e items=0 ppid=4830 pid=4843 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=root:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1309525376.403:116): avc:  denied  { connectto } for  pid=4843 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Fri Jul  1 16:02:56 2011
type=SYSCALL msg=audit(1309525376.444:117): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bf85a3d0 a2=ffdff4 a3=84b8a68 items=0 ppid=4830 pid=4847 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1309525376.444:117): avc:  denied  { read write } for  pid=4847 comm="cleanup" path="socket:[21097]" dev=sockfs ino=21097 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket


Expected results:
No SELinux denials.


Additional info:
[root@intovps1 ~]# ls -laZ /var/run/dkim-milter/
drwxr-x---  dkim-milter dkim-milter system_u:object_r:var_run_t      .
-rw-rw-r--  dkim-milter dkim-milter root:object_r:initrc_var_run_t   dkim-milter.pid
srwxrwxr-x  dkim-milter dkim-milter root:object_r:var_run_t          dkim-milter.sock
Comment 1 Miroslav Grepl 2011-07-01 14:20:12 UTC 
The support for dkim-milter needs to be backported.
Comment 2 RHEL Program Management 2011-08-16 21:25:02 UTC 
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request.
Comment 3 Miroslav Grepl 2011-08-22 08:19:29 UTC 
We have this working in RHEL6. I believe we want to make this working also in RHEL5.
Comment 5 Miroslav Grepl 2011-10-20 15:37:35 UTC 
Fixed in selinux-policy-2.4.6-318.el5
Comment 7 Cristian Ciupitu 2011-10-24 16:22:44 UTC 
I've upgraded to EL6 in the mean time and I'm getting SELinux denials with selinux-policy-3.7.19-93.el6_1.7.noarch as well:

time->Mon Oct 24 19:07:15 2011
type=SYSCALL msg=audit(1319472435.719:75): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfa652d0 a2=8b9ff4 a3=bfa653ae items=0 ppid=1099 pid=1512 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319472435.719:75): avc:  denied  { connectto } for  pid=1512 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472435.719:75): avc:  denied  { write } for  pid=1512 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319472435.719:75): avc:  denied  { search } for  pid=1512 comm="smtpd" name="dkim-milter" dev=vda2 ino=15480 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Mon Oct 24 19:07:16 2011
type=SYSCALL msg=audit(1319472436.072:78): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bfdbf3a0 a2=f06ff4 a3=1a9de70 items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472436.072:78): avc:  denied  { read write } for  pid=1526 comm="cleanup" path="socket:[12136]" dev=sockfs ino=12136 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
----
time->Mon Oct 24 19:07:16 2011
type=SYSCALL msg=audit(1319472436.073:79): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfdbf350 a2=f06ff4 a3=1aa29e0 items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472436.073:79): avc:  denied  { getattr } for  pid=1526 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
----
time->Mon Oct 24 19:07:30 2011
type=SYSCALL msg=audit(1319472450.570:80): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfdbf2e0 a2=f06ff4 a3=bfdbf3be items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472450.570:80): avc:  denied  { connectto } for  pid=1526 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472450.570:80): avc:  denied  { write } for  pid=1526 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319472450.570:80): avc:  denied  { search } for  pid=1526 comm="cleanup" name="dkim-milter" dev=vda2 ino=15480 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Mon Oct 24 19:10:02 2011
type=SYSCALL msg=audit(1319472602.004:81): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfe19e70 a2=4abff4 a3=bfe19f4e items=0 ppid=1099 pid=1538 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319472602.004:81): avc:  denied  { write } for  pid=1538 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
Comment 8 Miroslav Grepl 2011-10-24 19:54:32 UTC 
We have this fixed in the latest RHEL6 release which is available on

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
Comment 9 Cristian Ciupitu 2011-10-27 15:37:50 UTC 
I've upgraded to selinux-policy-3.7.19-119.el6.noarch (postfix-2.6.6-2.2.el6_1.i686, dkim-milter-2.8.3-8.el6.i686) and I'm still getting the following SELinux denials when running in permissive mode:
----
time->Thu Oct 27 18:25:42 2011
type=SYSCALL msg=audit(1319729142.651:136): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff1e930 a2=6ecff4 a3=bff1ea0e items=0 ppid=16760 pid=16845 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=unconfined_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319729142.651:136): avc:  denied  { connectto } for  pid=16845 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729142.651:136): avc:  denied  { write } for  pid=16845 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729142.651:136): avc:  denied  { search } for  pid=16845 comm="cleanup" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:27:41 2011
type=SYSCALL msg=audit(1319729261.076:137): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8c4ca0 a2=2b9ff4 a3=bf8c4d7e items=0 ppid=16760 pid=16851 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729261.076:137): avc:  denied  { connectto } for  pid=16851 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729261.076:137): avc:  denied  { write } for  pid=16851 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729261.076:137): avc:  denied  { search } for  pid=16851 comm="smtpd" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:28:39 2011
type=SYSCALL msg=audit(1319729319.967:138): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8c4ca0 a2=2b9ff4 a3=bf8c4d7e items=0 ppid=16760 pid=16851 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729319.967:138): avc:  denied  { search } for  pid=16851 comm="smtpd" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:28:56 2011
type=SYSCALL msg=audit(1319729336.285:139): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfef7f50 a2=8ecff4 a3=bfef802e items=0 ppid=16760 pid=16863 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729336.285:139): avc:  denied  { write } for  pid=16863 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file

================

# audit2allow -m mypostfix < postfix_dkim_denials.txt
module mypostfix 1.0;

require {
	type dkim_milter_data_t;
	type dkim_milter_t;
	type postfix_smtpd_t;
	type postfix_cleanup_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t dkim_milter_data_t:dir search;
allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t dkim_milter_data_t:dir search;
allow postfix_smtpd_t dkim_milter_data_t:sock_file write;
allow postfix_smtpd_t dkim_milter_t:unix_stream_socket connectto;
Comment 10 Miroslav Grepl 2011-10-27 15:42:35 UTC 
we have this for 

milter_stream_connect_all(postfix_smtp_t)

we need this also for _smtpd_t, _cleanup_t
Comment 14 Miroslav Grepl 2011-11-29 16:36:49 UTC 
Fixed in selinux-policy-2.4.6-320.el5
Comment 17 errata-xmlrpc 2012-02-21 05:47:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
Note You need to log in before you can comment on or make changes to this bug.