Description of problem:
I'm trying to get my postfix email server to use DKIM. This can be done by connecting to the external program dkim-milter via a local Unix socket or TCP. By default dkim-milter uses the /var/run/dkim-milter/dkim-milter.sock Unix socket.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-300.el5_6.1.noarch.rpm
dkim-milter-2.8.3-4.el5.i386.rpm

How reproducible:
Every time

Steps to Reproduce:
1. Install postfix & dkim-milter and do some basic configuration.
1.a. Add this to /etc/postfix/main.cf:
smtpd_milters = unix:/var/run/dkim-milter/dkim-milter.sock
non_smtpd_milters = $smtpd_milters
1.b. Configure DKIM keys:
1.b.i. Go to /etc/mail/dkim-milter/keys
1.b.ii. Run dkim-genkey -d `hostname` && chown dkim-milter default*
1.b.iii. Add the generated key to the keylist file by running echo "*:`hostname`:${PWD}/default" >> keylist
2. Fix the permissions to let postfix connect to the Unix socket. This is needed because the default permissions for /var/run/dkim-milter are set to 0700. One way to get around this might be:
2.a. usermod -a -G dkim-milter postfix
2.b. chmod g+rx /var/run/dkim-milter
2.c. set the UMask in dkim-milter.conf to 002
3. Send an email, for example with Thunderbird or by running the command date | mail -s "test `date`" root@`hostname`.
Actual results:
SELinux denials when using Thunderbird:
----
time->Fri Jul 1 15:37:16 2011
type=USER_AUTH msg=audit(1309523836.476:97): user pid=4508 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="ciupicri" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=dovecot res=success)'
----
time->Fri Jul 1 15:37:16 2011
type=USER_ACCT msg=audit(1309523836.477:98): user pid=4508 uid=0 auid=0 subj=root:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct="ciupicri" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=?, addr=?, terminal=dovecot res=success)'
----
time->Fri Jul 1 15:37:15 2011
type=SYSCALL msg=audit(1309523835.478:96): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd399a0 a2=ff6ff4 a3=1e items=0 ppid=4498 pid=4503 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=2 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=root:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1309523835.478:96): avc: denied { connectto } for pid=4503 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1309523835.478:96): avc: denied { write } for pid=4503 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=932904 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
----
time->Fri Jul 1 15:37:16 2011
type=SYSCALL msg=audit(1309523836.525:99): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bfe6e280 a2=9e0ff4 a3=8874a68 items=0 ppid=4498 pid=4510 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=2 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1309523836.525:99): avc: denied { read write } for pid=4510 comm="cleanup" path="socket:[19569]" dev=sockfs ino=19569 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket

SELinux denials when using the mail command:
----
time->Fri Jul 1 16:02:56 2011
type=SYSCALL msg=audit(1309525376.403:116): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfd239b0 a2=dacff4 a3=1e items=0 ppid=4830 pid=4843 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=root:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1309525376.403:116): avc: denied { connectto } for pid=4843 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Fri Jul 1 16:02:56 2011
type=SYSCALL msg=audit(1309525376.444:117): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bf85a3d0 a2=ffdff4 a3=84b8a68 items=0 ppid=4830 pid=4847 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1309525376.444:117): avc: denied { read write } for pid=4847 comm="cleanup" path="socket:[21097]" dev=sockfs ino=21097 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket

Expected results:
No SELinux denials.

Additional info:
[root@intovps1 ~]# ls -laZ /var/run/dkim-milter/
drwxr-x--- dkim-milter dkim-milter system_u:object_r:var_run_t      .
-rw-rw-r-- dkim-milter dkim-milter root:object_r:initrc_var_run_t   dkim-milter.pid
srwxrwxr-x dkim-milter dkim-milter root:object_r:var_run_t          dkim-milter.sock
The support for dkim-milter needs to be backported.
Product Management has reviewed and declined this request. You may appeal this decision by reopening this request.
We have this working in RHEL6. I believe we want to make this work in RHEL5 as well.
Fixed in selinux-policy-2.4.6-318.el5
I've upgraded to EL6 in the meantime and I'm getting SELinux denials with selinux-policy-3.7.19-93.el6_1.7.noarch as well:
----
time->Mon Oct 24 19:07:15 2011
type=SYSCALL msg=audit(1319472435.719:75): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfa652d0 a2=8b9ff4 a3=bfa653ae items=0 ppid=1099 pid=1512 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319472435.719:75): avc: denied { connectto } for pid=1512 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472435.719:75): avc: denied { write } for pid=1512 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319472435.719:75): avc: denied { search } for pid=1512 comm="smtpd" name="dkim-milter" dev=vda2 ino=15480 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Mon Oct 24 19:07:16 2011
type=SYSCALL msg=audit(1319472436.072:78): arch=40000003 syscall=102 success=yes exit=1 a0=11 a1=bfdbf3a0 a2=f06ff4 a3=1a9de70 items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472436.072:78): avc: denied { read write } for pid=1526 comm="cleanup" path="socket:[12136]" dev=sockfs ino=12136 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
----
time->Mon Oct 24 19:07:16 2011
type=SYSCALL msg=audit(1319472436.073:79): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bfdbf350 a2=f06ff4 a3=1aa29e0 items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472436.073:79): avc: denied { getattr } for pid=1526 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
----
time->Mon Oct 24 19:07:30 2011
type=SYSCALL msg=audit(1319472450.570:80): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfdbf2e0 a2=f06ff4 a3=bfdbf3be items=0 ppid=1099 pid=1526 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319472450.570:80): avc: denied { connectto } for pid=1526 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319472450.570:80): avc: denied { write } for pid=1526 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319472450.570:80): avc: denied { search } for pid=1526 comm="cleanup" name="dkim-milter" dev=vda2 ino=15480 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Mon Oct 24 19:10:02 2011
type=SYSCALL msg=audit(1319472602.004:81): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfe19e70 a2=4abff4 a3=bfe19f4e items=0 ppid=1099 pid=1538 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319472602.004:81): avc: denied { write } for pid=1538 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=22934 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
We have this fixed in the latest RHEL6 release which is available on http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
I've upgraded to selinux-policy-3.7.19-119.el6.noarch (postfix-2.6.6-2.2.el6_1.i686, dkim-milter-2.8.3-8.el6.i686) and I'm still getting the following SELinux denials when running in permissive mode:
----
time->Thu Oct 27 18:25:42 2011
type=SYSCALL msg=audit(1319729142.651:136): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff1e930 a2=6ecff4 a3=bff1ea0e items=0 ppid=16760 pid=16845 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=unconfined_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1319729142.651:136): avc: denied { connectto } for pid=16845 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729142.651:136): avc: denied { write } for pid=16845 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729142.651:136): avc: denied { search } for pid=16845 comm="cleanup" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:27:41 2011
type=SYSCALL msg=audit(1319729261.076:137): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8c4ca0 a2=2b9ff4 a3=bf8c4d7e items=0 ppid=16760 pid=16851 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729261.076:137): avc: denied { connectto } for pid=16851 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729261.076:137): avc: denied { write } for pid=16851 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729261.076:137): avc: denied { search } for pid=16851 comm="smtpd" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:28:39 2011
type=SYSCALL msg=audit(1319729319.967:138): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8c4ca0 a2=2b9ff4 a3=bf8c4d7e items=0 ppid=16760 pid=16851 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729319.967:138): avc: denied { search } for pid=16851 comm="smtpd" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
----
time->Thu Oct 27 18:28:56 2011
type=SYSCALL msg=audit(1319729336.285:139): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfef7f50 a2=8ecff4 a3=bfef802e items=0 ppid=16760 pid=16863 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=3 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1319729336.285:139): avc: denied { write } for pid=16863 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
================
# audit2allow -m mypostfix < postfix_dkim_denials.txt
module mypostfix 1.0;

require {
	type dkim_milter_data_t;
	type dkim_milter_t;
	type postfix_smtpd_t;
	type postfix_cleanup_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t dkim_milter_data_t:dir search;
allow postfix_cleanup_t dkim_milter_data_t:sock_file write;
allow postfix_cleanup_t dkim_milter_t:unix_stream_socket connectto;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t dkim_milter_data_t:dir search;
allow postfix_smtpd_t dkim_milter_data_t:sock_file write;
allow postfix_smtpd_t dkim_milter_t:unix_stream_socket connectto;
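Editor's note: the following is an added example, not code from this bug report, from Red Hat, or from the selinux-policy project. It reimplements, in plain Python, the part of audit2allow that the reporter used above (parsing AVC records, merging permissions per source type, target type and object class, and rendering a type-enforcement module), and it adds one check that audit2allow does not make: a denial whose target is a generic type such as var_run_t or initrc_t, as in the RHEL5 records earlier in this bug, usually means the socket or daemon has no type of its own yet and should be labelled rather than allowed. The sample records are copied from this report and embedded as constructed test input; the GENERIC_TYPES list is my own heuristic, not something the policy defines.

```python
import re
from collections import defaultdict

# AVC records copied from the denials quoted in this bug report. Constructed
# test input; a real run would read /var/log/audit/audit.log instead.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309523835.478:96): avc: denied { connectto } for pid=4503 comm="smtpd" path="/var/run/dkim-milter/dkim-milter.sock" scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1309523835.478:96): avc: denied { write } for pid=4503 comm="smtpd" name="dkim-milter.sock" dev=vda2 ino=932904 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1319729142.651:136): avc: denied { connectto } for pid=16845 comm="cleanup" path="/var/run/dkim-milter/dkim-milter.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1319729142.651:136): avc: denied { write } for pid=16845 comm="cleanup" name="dkim-milter.sock" dev=vda2 ino=7552 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:dkim_milter_data_t:s0 tclass=sock_file
type=AVC msg=audit(1319729142.651:136): avc: denied { search } for pid=16845 comm="cleanup" name="dkim-milter" dev=vda2 ino=7451 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dkim_milter_data_t:s0 tclass=dir
type=AVC msg=audit(1319472436.072:78): avc: denied { read write } for pid=1526 comm="cleanup" path="socket:[12136]" dev=sockfs ino=12136 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=unix_stream_socket
"""

# One AVC denial: the permission set in braces, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Catch-all types a target falls back to when nothing more specific labels it.
# A denial against one of these points at a labelling gap, not a missing rule.
# Heuristic list chosen for this example, not defined by the policy.
GENERIC_TYPES = {"var_run_t", "initrc_t", "var_t", "tmp_t", "unlabeled_t"}


def selinux_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, permissions) per AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def aggregate(text):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def suspicious(rules):
    """Rule keys whose target is a generic type, i.e. probable mislabelling."""
    return sorted(key for key in rules if key[1] in GENERIC_TYPES)


def to_te(module_name, rules):
    """Render a type-enforcement module equivalent to `audit2allow -m`."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    merged = aggregate(SAMPLE_AUDIT_LOG)
    for _, ttype, _ in suspicious(merged):
        print(f"# WARNING: target type {ttype} is generic; relabel the object instead of allowing it")
    print(to_te("mypostfix", merged))
```

Run against the records above, the warning fires for the two RHEL5-era denials (targets initrc_t and var_run_t), which is consistent with the later RHEL6 logs in this bug, where the same socket shows up as dkim_milter_t / dkim_milter_data_t once the daemon has its own domain; only the rules against those specific types are the ones a distribution policy can reasonably ship. Even then, a hand-rolled module is a stop-gap: the policy comment later in this bug names the interface (milter_stream_connect_all) that should grant this for the Postfix domains, so a local module is best removed once the errata policy is installed.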
We have this for milter_stream_connect_all(postfix_smtp_t); we need this also for _smtpd_t and _cleanup_t.
Fixed in selinux-policy-2.4.6-320.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html