Bug 877236
| Summary: | SELinux AVC's Postfix <--> OpenDKIM | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrick <rh_bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.3 | CC: | dwalsh, erinn.looneytriggs, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-01-04 07:54:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I need to backport opendkim support from Fedora.

Hi Miroslav. In the changelog of selinux-policy-3.7.19-183.el6.noarch.rpm I noticed that you had backported opendkim. Thanks! I installed the 183 RPMs but there are some issues. Here are the details:

# rpm -qa selinux*
selinux-policy-3.7.19-183.el6.noarch
selinux-policy-targeted-3.7.19-183.el6.noarch

Also did an autorelabel and rebooted:

# touch /.autorelabel && reboot

Then removed the opendkim RPM and any files it might have left behind:

# yum -y remove opendkim && rm -rf /etc/opendkim /etc/opendkim.conf /var/spool/opendkim

Next I installed opendkim-2.7.3-5.el6. Here are the security contexts:

# ls -Z /etc | grep opendkim
drwxr-x---. root opendkim system_u:object_r:etc_t:s0 opendkim
-rw-r-----. root root system_u:object_r:etc_t:s0 opendkim.conf

# ls -Z /etc/opendkim
drwxr-x---. root opendkim system_u:object_r:etc_t:s0 keys
-rw-r-----. opendkim opendkim system_u:object_r:etc_t:s0 KeyTable
-rw-r-----. opendkim opendkim system_u:object_r:etc_t:s0 SigningTable
-rw-r-----. opendkim opendkim system_u:object_r:etc_t:s0 TrustedHosts

# ls -Z /etc/opendkim/keys
-rw-------. opendkim opendkim unconfined_u:object_r:etc_runtime_t:s0 default.private
-rw-r--r--. opendkim opendkim unconfined_u:object_r:etc_runtime_t:s0 default.txt

# ls -Z /var/spool | grep opendkim
drwxr-x---. opendkim opendkim system_u:object_r:dkim_milter_data_t:s0 opendkim

# ls -Z /var/run | grep opendkim
drwxr-x---. opendkim mail system_u:object_r:dkim_milter_data_t:s0 opendkim

(I noticed that the /etc/opendkim/* contexts seem quite different from the Fedora ones at http://git.fedorahosted.org/cgit/selinux-policy.git/plain/dkim.fc?h=master_contrib&id=aeb5a1164617b32db3c2093250db254d8568ff02)

After configuring opendkim and starting the opendkim service I see the following AVCs:

type=AVC msg=audit(1354406104.319:15388): avc: denied { dac_override } for pid=2697 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1354406104.319:15388): avc: denied { dac_read_search } for pid=2697 comm="opendkim" capability=2 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

For which the solution seems to be:

# grep "1354406104.319:15388" /var/log/audit/audit.log | audit2allow -m opendkim > opendkim.te && cat opendkim.te
module opendkim 1.0;
require {
type dkim_milter_t;
class capability { dac_read_search dac_override };
}
#============= dkim_milter_t ==============
allow dkim_milter_t self:capability { dac_read_search dac_override };

Question: is there a public git SELinux RHEL repo somewhere where I can follow the development?

Please let me know if you need more information. Thank you for your efforts.

PLEASE SKIP COMMENT #3

My apologies for the noise in comment #3. I was too hasty with my feedback. I just read in one of Dan's SELinux articles about DAC_OVERRIDE and as a result have changed the ownership of the /etc/opendkim.conf and /etc/opendkim/* files to root. As a result the AVCs in comment #3 go away.

But with the ownership corrected, there are still some AVCs.

OpenDKIM configuration uses an IPv4 TCP socket on port 8891 by default. From the /etc/opendkim.conf file:

# Create a socket through which your MTA can communicate.
Socket inet:8891@localhost

When I try to start OpenDKIM with that Socket config and iptables/ip6tables services stopped then I see the following error in the log:

Dec 2 01:25:59 zarafa opendkim[3073]: OpenDKIM Filter: Unable to bind to port inet:8891@localhost: Permission denied
Dec 2 01:25:59 zarafa opendkim[3073]: OpenDKIM Filter: Unable to create listening socket on conn inet:8891@localhost
Dec 2 01:25:59 zarafa opendkim[3073]: smfi_opensocket() failed

And the following AVCs:

type=AVC msg=audit(1354407959.575:15411): avc: denied { search } for pid=3073 comm="opendkim" scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1354407959.575:15411): arch=c000003e syscall=2 success=no exit=-13 a0=3b7ff55c3a a1=0 a2=ffffffffffffffa8 a3=7fffac6d8ca0 items=0 ppid=3072 pid=3073 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)
type=AVC msg=audit(1354407959.576:15412): avc: denied { name_bind } for pid=3073 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1354407959.576:15412): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffac6d8e10 a2=10 a3=7fffac6d8ac0 items=0 ppid=3072 pid=3073 auid=500 uid=497 gid=496 euid=497 suid=497 fsuid=497 egid=496 sgid=496 fsgid=496 tty=pts2 ses=3 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

If I configure OpenDKIM to use an IPv6 TCP socket on the default port:

Socket inet6:8891@[::1]

Then I see similar AVCs as with Socket inet:8891@localhost

OpenDKIM can also use a UNIX domain socket and when I configure it as:

Socket local:/var/run/opendkim/opendkim.sock

Then I see the following AVC:

type=AVC msg=audit(1354408548.697:15415): avc: denied { search } for pid=3144 comm="opendkim" scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
type=SYSCALL msg=audit(1354408548.697:15415): arch=c000003e syscall=2 success=no exit=-13 a0=3b7ff55c3a a1=0 a2=ffffffffffffffa8 a3=7fff063de740 items=0 ppid=3143 pid=3144 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

Which results in:

# grep "1354408548.697:15415" /var/log/audit/audit.log | audit2allow -m opendkim > opendkim.te && cat opendkim.te
module opendkim 1.0;
require {
type dkim_milter_t;
type sysctl_kernel_t;
class dir search;
}
#============= dkim_milter_t ==============
allow dkim_milter_t sysctl_kernel_t:dir search;

When I stop the OpenDKIM service with the UNIX domain socket configured then I see the following AVC:

type=AVC msg=audit(1354410438.602:15435): avc: denied { signal } for pid=3739 comm="opendkim" scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=process
type=SYSCALL msg=audit(1354410438.602:15435): arch=c000003e syscall=234 success=no exit=-13 a0=e9b a1=e9b a2=a a3=7fff000efb50 items=0 ppid=1 pid=3739 auid=500 uid=497 gid=12 euid=497 suid=497 fsuid=497 egid=12 sgid=12 fsgid=12 tty=(none) ses=3 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

Which results in:

# grep "1354410438.602:15435" /var/log/audit/audit.log | audit2allow -m opendkim > opendkim.te && cat opendkim.te
module opendkim 1.0;
require {
type dkim_milter_t;
class process signal;
}
#============= dkim_milter_t ==============
allow dkim_milter_t self:process signal;

Then there is also an issue when OpenDKIM wants to write statistics to /var/spool/opendkim/stats.dat. In the log file I see:

Dec 2 02:01:51 zarafa opendkim[3627]: /var/spool/opendkim/stats.dat: fopen(): Permission denied
Dec 2 02:01:51 zarafa opendkim[3627]: statistics recording failed

# ls -Z /var/spool | grep opendkim
drwxr-x---. opendkim mail system_u:object_r:dkim_milter_data_t:s0 opendkim

# ls -Z /var/spool/opendkim
-rw-r--r--. opendkim mail system_u:object_r:dkim_milter_data_t:s0 stats.dat

Writing to /var/spool/opendkim/stats.dat does work OK when SELinux is in permissive mode.

Hope this helps. Please let me know if you need more information.

I backported some fixes from Fedora. But I see a problem with
type=AVC msg=audit(1354407959.576:15412): avc: denied { name_bind } for pid=3073 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Basically I believe this port is also used by others and we could see problems then.
Could you test it with
# semanage port -a -t milter_port_t -p tcp 8891
Here's the result of adding that port:

# semanage port -a -t milter_port_t -p tcp 8891
libsepol.context_from_record: type milter_port_t is not defined (No such file or directory).
<snipped more error messages>

There does not seem to be anything with milter defined:

# semanage port -l | grep milter
#

Also port 8891 is not defined:

# semanage port -l | grep 8891
#

# rpm -qa selinux*
selinux-policy-3.7.19-183.el6.noarch
selinux-policy-targeted-3.7.19-183.el6.noarch

Ah, you are right. I need to backport it from Fedora too.

Patrick, you can test it with the latest builds http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Hi Miroslav. Thank you for the new release. Getting a lot closer. Here are the test results:
*****************************************************
1st setup using socket /var/run/opendkim/opendkim.sock
*****************************************************
1) installed the 187 release, touched /.autorelabel and rebooted
2) use socket /var/run/opendkim/opendkim.sock to communicate between postfix and opendkim
3) send email from gmail account (which adds a dkim signature) to test server
4) email is received and dkim signature is correctly analysed but I see the following error and AVC:
Error in /var/log/maillog:
Dec 15 22:21:38 zarafa opendkim[6273]: /var/spool/opendkim/stats.dat: fopen(): Permission denied
Dec 15 22:21:38 zarafa opendkim[6273]: statistics recording failed
AVC in /var/log/audit/audit.log:
type=AVC msg=audit(1355606497.828:15658): avc: denied { search } for pid=6351 comm="opendkim" name="spool" dev=vda2 ino=473 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1355606497.828:15658): arch=c000003e syscall=2 success=no exit=-13 a0=1f94810 a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=6351 auid=500 uid=497 gid=12 euid=497 suid=497 fsuid=497 egid=12 sgid=12 fsgid=12 tty=(none) ses=2 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)
Which results in:
# grep "1355606497.828:15658" /var/log/audit/audit.log | audit2allow -m opendkim > opendkim.te && cat opendkim.te
module opendkim 1.0;
require {
type dkim_milter_t;
type var_spool_t;
class dir search;
}
#============= dkim_milter_t ==============
allow dkim_milter_t var_spool_t:dir search;
# ls -Z /var/spool | grep opendkim
drwxr-x---. opendkim opendkim system_u:object_r:dkim_milter_data_t:s0 opendkim
# ls -Z /var/spool/opendkim
-rw-r--r--. opendkim mail system_u:object_r:dkim_milter_data_t:s0 stats.dat
*****************************************************
2nd setup using Socket inet:8891@localhost
*****************************************************
1) installed the 187 release, touched /.autorelabel and rebooted
2) use socket inet:8891@localhost to communicate between postfix and opendkim
3) turn off iptables/ip6tables
4) restart postfix to activate smtpd_milters = inet:127.0.0.1:8891 config
5) postfix restarts ok
6) restart opendkim to activate Socket inet:8891@localhost config
7) opendkim restart fails with the following error and AVC:
Error in /var/log/maillog:
Dec 15 22:34:31 zarafa opendkim[6643]: OpenDKIM Filter: Unable to bind to port inet:8891@localhost: Permission denied
Dec 15 22:34:31 zarafa opendkim[6643]: OpenDKIM Filter: Unable to create listening socket on conn inet:8891@localhost
Dec 15 22:34:31 zarafa opendkim[6643]: smfi_opensocket() failed
AVC in /var/log/audit/audit.log:
type=AVC msg=audit(1355607271.349:15670): avc: denied { name_bind } for pid=6643 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1355607271.349:15670): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fffdd9afab0 a2=10 a3=7fffdd9afaac items=0 ppid=6642 pid=6643 auid=500 uid=497 gid=12 euid=497 suid=497 fsuid=497 egid=12 sgid=12 fsgid=12 tty=pts1 ses=2 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)
Which results in the following:
# grep "1355607271.349:15670" /var/log/audit/audit.log | audit2allow -m opendkim > opendkim.te && cat opendkim.te
module opendkim 1.0;
require {
type dkim_milter_t;
type port_t;
class tcp_socket name_bind;
}
#============= dkim_milter_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow dkim_milter_t port_t:tcp_socket name_bind;
FYI: the same error and AVC happens when I use an IPv6 socket as below:
Postfix: smtpd_milters = inet:localhost6:8891
OpenDKIM: Socket inet6:8891@[::1]
If I set SELinux to Permissive then with an IPv4 or IPv6 inet socket all works as expected except for the "search" AVC listed in the 1st setup.
Please let me know if you need more information. Thanks!
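The AVC-to-rule grouping that audit2allow performs in the test results above, re-implemented as an added example (it is neither part of this bug report nor audit2allow's own code): it parses the AVC records quoted in this bug, merges permissions per source type, target type and object class, and renders a minimal .te module so the proposed rules can be read before anything is loaded. The SAMPLE lines are copied from this report; the module name "opendkim" matches the audit2allow -m argument used above.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules (added example)."""
import re
from collections import OrderedDict
# One "type=AVC ... avc: denied { perms } for ... scontext= tcontext= tclass=" record.
_AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC records."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type[:range] -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def group_rules(lines):
    """Merge denials into {(source_type, target, tclass): perms}.

    The target is written as 'self' when source and target types match, which is
    how audit2allow prints the capability and process denials quoted in this bug."""
    rules = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:  # SYSCALL, MAC_STATUS and other record types are skipped
            continue
        stype, ttype, tclass, perms = parsed
        target = "self" if ttype == stype else ttype
        rules.setdefault((stype, target, tclass), set()).update(perms)
    return rules

def render_te(rules, module="opendkim", version="1.0"):
    """Render grouped rules as a minimal .te module in the shape of audit2allow -m."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"})
    classes = OrderedDict()
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s %s;" % (module, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, target, cls), perms in rules.items():
        out.append("allow %s %s:%s { %s };" % (stype, target, cls, " ".join(sorted(perms))))
    return "\n".join(out)

# Sample records copied from this bug report (one SYSCALL line kept to show it is ignored).
SAMPLE = """\
type=AVC msg=audit(1354406104.319:15388): avc: denied { dac_override } for pid=2697 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1354406104.319:15388): avc: denied { dac_read_search } for pid=2697 comm="opendkim" capability=2 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1355606497.828:15658): arch=c000003e syscall=2 success=no exit=-13 comm="opendkim" exe="/usr/sbin/opendkim"
type=AVC msg=audit(1355606497.828:15658): avc: denied { search } for pid=6351 comm="opendkim" name="spool" dev=vda2 ino=473 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1355607271.349:15670): avc: denied { name_bind } for pid=6643 comm="opendkim" src=8891 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
""".splitlines()

if __name__ == "__main__":
    print(render_te(group_rules(SAMPLE)))
```

An allow rule on port_t:tcp_socket name_bind is exactly what the maintainer steers away from above in favour of labelling the port milter_port_t with semanage, so treat the generated module as a review aid rather than something to load as-is.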
And if you execute

# semanage port -a -t milter_port_t -p tcp 8891

now?

Hi Miroslav. Thanks for the feedback. After adding the port it works great with both IPv4 and IPv6 sockets. The only thing remaining is that AVC blocking OpenDKIM doing stuff with /var/spool/opendkim/stats.dat.

Should be fixed in the latest policy.
Description of problem:
SELinux blocks communication between Postfix and OpenDKIM

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-180.el6
postfix-2.6.6-2.2.el6_1.x86_64
libopendkim-2.7.1-3.el6.x86_64
opendkim-2.7.1-3.el6.x86_64

How reproducible:
Configure OpenDKIM, configure Postfix, start OpenDKIM, start Postfix, send email from remote host to Postfix/OpenDKIM box and watch the AVC's fly by.

Steps to Reproduce:
1. Configure OpenDKIM, configure Postfix
2. start OpenDKIM, start Postfix
3. send email from remote host to Postfix/OpenDKIM box

Actual results:
Message is not received (bounce is generated).

Expected results:
Message is checked by OpenDKIM and handed off to Postfix again for further processing.

Additional info:

Postfix config in /etc/postfix/main.cf
smtpd_milters = inet:localhost6:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

OpenDKIM config in /etc/opendkim.conf (the default port is used)
UserID opendkim:mail
Socket inet6:8891@[::1]

# ls -Z /var/run | grep opendkim
drwxr-x---. opendkim mail system_u:object_r:var_run_t:s0 opendkim

# ls -Z /var/run/opendkim
-rw-rw-r--. opendkim mail unconfined_u:object_r:initrc_var_run_t:s0 opendkim.pid

Error messages in /var/log/maillog:
Nov 16 01:57:57 zarafa postfix/smtpd[5889]: connect from puzzled.xs4all.nl[10.0.0.100]
Nov 16 01:57:57 zarafa postfix/smtpd[5889]: 1492D2F91: client=puzzled.xs4all.nl[10.0.0.100]
Nov 16 01:57:57 zarafa postfix/cleanup[5894]: warning: cannot receive milters via service cleanup socket socket
Nov 16 01:57:57 zarafa postfix/cleanup[5894]: fatal: cleanup_milter_receive: milter receive failed
Nov 16 01:57:58 zarafa postfix/smtpd[5889]: warning: cannot send milters to service public/cleanup socket
Nov 16 01:57:58 zarafa postfix/master[5838]: warning: process /usr/libexec/postfix/cleanup pid 5894 exit status 1
Nov 16 01:57:58 zarafa postfix/cleanup[5899]: 17DF22F91: message-id=<20121116005758.17DF22F91.xs4all.nl>
Nov 16 01:57:58 zarafa postfix/qmgr[5841]: 17DF22F91: from=<double-bounce.xs4all.nl>, size=1094, nrcpt=1 (queue active)

The AVC's in /var/log/audit/audit.log
type=AVC msg=audit(1353026824.093:15621): avc: denied { getattr } for pid=5847 comm="cleanup" laddr=::1 lport=46767 faddr=::1 fport=8891 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1353026824.093:15621): arch=c000003e syscall=51 success=yes exit=0 a0=10 a1=7fff03414360 a2=7fff0341435c a3=7fff034140d0 items=0 ppid=5838 pid=5847 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=unconfined_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1353026824.096:15622): avc: denied { getopt } for pid=5847 comm="cleanup" laddr=::1 lport=46767 faddr=::1 fport=8891 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1353026824.096:15622): arch=c000003e syscall=55 success=yes exit=0 a0=10 a1=6 a2=2 a3=7fff0341432c items=0 ppid=5838 pid=5847 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=unconfined_u:system_r:postfix_cleanup_t:s0 key=(null)
type=MAC_STATUS msg=audit(1353027360.269:15623): enforcing=1 old_enforcing=0 auid=500 ses=4

I don't recall seeing the postfix_cleanup AVC's with OpenDKIM 2.6.3 and selinux-policy 179 but that OpenDKIM release is no longer an option due to some CVE.

I also tried to make it work using sockets:

Postfix config in /etc/postfix/main.cf
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

OpenDKIM config in /etc/opendkim.conf
UserID opendkim:mail
Socket local:/var/run/opendkim/opendkim.sock

# ls -Z /var/run/opendkim
-rw-rw-r--. opendkim mail unconfined_u:object_r:initrc_var_run_t:s0 opendkim.pid
srwxrwxr-x. opendkim mail unconfined_u:object_r:var_run_t:s0 opendkim.sock

The AVC's in /var/log/audit/audit.log
type=AVC msg=audit(1353030079.866:15637): avc: denied { write } for pid=7089 comm="smtpd" name="opendkim.sock" dev=vda2 ino=332 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1353030079.866:15637): avc: denied { connectto } for pid=7089 comm="smtpd" path="/var/run/opendkim/opendkim.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1353030079.866:15637): arch=c000003e syscall=42 success=yes exit=0 a0=12 a1=7fff6dec0ab0 a2=6e a3=35 items=0 ppid=7085 pid=7089 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)

If you need more information please let me know. Thanks!