[CentOS] Opendkim and SELinux

Tue May 6 12:49:47 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Mon, May 5, 2014 11:48, Daniel J Walsh wrote:
>
> On 05/05/2014 11:22 AM, James B. Byrne wrote:
>> CentOS-6.5
>> OpenDKIM-2.9.0 (epel)
>> Postfix-2.6.6  (updates)
>>
>> I am trying to get opendkim working with our mailing lists.  In the course
>> of that endeavour I note that these messages are appearing in our syslog:
>>
>>
>> May  4 20:50:02 inet08 setroubleshoot: SELinux is preventing
>> /usr/sbin/opendkim from using the signull access on a process. For complete
>> SELinux messages. run sealert -l 442cb257-3db2-488c-a92e-bfc936e16a0c
>>
. . .
> Attaching the output of the sealert command or the audit.log would help.
>

FYI

# grep dkim /var/log/audit/audit.log

type=AVC msg=audit(1399250949.323:82972): avc:  denied  { signull } for 
pid=32289 comm="opendkim" scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=process

type=SYSCALL msg=audit(1399250949.323:82972): arch=c000003e syscall=234
success=yes exit=0 a0=6932 a1=769f a2=0 a3=7f2264ff6110 items=0 ppid=26929
pid=32289 auid=0 uid=494 gid=493 euid=494 suid=494 fsuid=494 egid=493 sgid=493
fsgid=493 tty=(none) ses=5283 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399251319.711:82997): avc:  denied  { dac_override } for 
pid=327 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399251319.711:82997): arch=c000003e syscall=2
success=yes exit=3 a0=15aace7 a1=0 a2=1b6 a3=0 items=0 ppid=326 pid=327 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11446
comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399254500.911:83137): avc:  denied  { dac_override } for 
pid=1326 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399254500.911:83137): arch=c000003e syscall=2
success=yes exit=3 a0=1161ce7 a1=0 a2=1b6 a3=0 items=0 ppid=1325 pid=1326
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=11446 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399277028.540:84183): avc:  denied  { search } for 
pid=10770 comm="opendkim" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=AVC msg=audit(1399277028.540:84183): avc:  denied  { read } for 
pid=10770 comm="opendkim" name="online" dev=sysfs ino=23
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=AVC msg=audit(1399277028.540:84183): avc:  denied  { open } for 
pid=10770 comm="opendkim" name="online" dev=sysfs ino=23
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1399277028.540:84183): arch=c000003e syscall=2
success=yes exit=20 a0=7ff020cd12b8 a1=80000 a2=2803ff a3=7fefff5fdba0 items=0
ppid=1329 pid=10770 auid=0 uid=494 gid=493 euid=494 suid=494 fsuid=494
egid=493 sgid=493 fsgid=493 tty=(none) ses=11446 comm="opendkim"
exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0
key=(null)

type=ANOM_ABEND msg=audit(1399300306.429:85270): auid=0 uid=494 gid=493
ses=11446 subj=unconfined_u:system_r:dkim_milter_t:s0 pid=1331 comm="opendkim"
sig=6

type=AVC msg=audit(1399300307.258:85271): avc:  denied  { dac_override } for 
pid=32612 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399300307.258:85271): arch=c000003e syscall=2
success=yes exit=3 a0=24b1d37 a1=0 a2=1b6 a3=0 items=0 ppid=32611 pid=32612
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=11755 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399300584.801:85284): avc:  denied  { dac_override } for 
pid=488 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399300584.801:85284): arch=c000003e syscall=2
success=yes exit=3 a0=d28d37 a1=0 a2=1b6 a3=0 items=0 ppid=487 pid=488 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11755
comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399301445.943:85340): avc:  denied  { dac_override } for 
pid=972 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399301445.943:85340): arch=c000003e syscall=2
success=yes exit=3 a0=25acd37 a1=0 a2=1b6 a3=0 items=0 ppid=971 pid=972 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=11755
comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399304087.588:85446): avc:  denied  { dac_override } for 
pid=3500 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399304087.588:85446): arch=c000003e syscall=2
success=yes exit=3 a0=908d37 a1=0 a2=1b6 a3=0 items=0 ppid=3499 pid=3500
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=11755 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399304622.087:85517): avc:  denied  { search } for 
pid=3899 comm="opendkim" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=AVC msg=audit(1399304622.087:85517): avc:  denied  { read } for  pid=3899
comm="opendkim" name="online" dev=sysfs ino=23
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=AVC msg=audit(1399304622.087:85517): avc:  denied  { open } for  pid=3899
comm="opendkim" name="online" dev=sysfs ino=23
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1399304622.087:85517): arch=c000003e syscall=2
success=yes exit=18 a0=7f8c877a92b8 a1=80000 a2=2803ff a3=7f8c6a1fbba0 items=0
ppid=3501 pid=3899 auid=0 uid=494 gid=493 euid=494 suid=494 fsuid=494 egid=493
sgid=493 fsgid=493 tty=(none) ses=11755 comm="opendkim"
exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0
key=(null)

type=AVC msg=audit(1399305489.246:85560): avc:  denied  { dac_override } for 
pid=4711 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399305489.246:85560): arch=c000003e syscall=2
success=yes exit=3 a0=21c8db7 a1=0 a2=1b6 a3=0 items=0 ppid=4710 pid=4711
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=11755 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=ANOM_ABEND msg=audit(1399305489.250:85561): auid=0 uid=0 gid=0 ses=11755
subj=unconfined_u:system_r:dkim_milter_t:s0 pid=4711 comm="opendkim" sig=11

type=AVC msg=audit(1399305583.965:85562): avc:  denied  { dac_override } for 
pid=4821 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399305583.965:85562): arch=c000003e syscall=2
success=yes exit=3 a0=21a5db7 a1=0 a2=1b6 a3=0 items=0 ppid=4820 pid=4821
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=11755 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=ANOM_ABEND msg=audit(1399305583.970:85563): auid=0 uid=0 gid=0 ses=11755
subj=unconfined_u:system_r:dkim_milter_t:s0 pid=4821 comm="opendkim" sig=11

type=AVC msg=audit(1399306005.965:85609): avc:  denied  { dac_override } for 
pid=5210 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399306005.965:85609): arch=c000003e syscall=2
success=yes exit=3 a0=896db7 a1=0 a2=1b6 a3=0 items=0 ppid=5209 pid=5210
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
ses=11755 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=ANOM_ABEND msg=audit(1399306007.204:85610): auid=0 uid=494 gid=493
ses=11755 subj=unconfined_u:system_r:dkim_milter_t:s0 pid=4859 comm="opendkim"
sig=6

type=ANOM_ABEND msg=audit(1399308116.940:85723): auid=0 uid=494 gid=493
ses=11755 subj=unconfined_u:system_r:dkim_milter_t:s0 pid=5324 comm="opendkim"
sig=6

type=AVC msg=audit(1399308117.051:85724): avc:  denied  { dac_override } for 
pid=6402 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399308117.051:85724): arch=c000003e syscall=2
success=yes exit=3 a0=1f55db7 a1=0 a2=1b6 a3=0 items=0 ppid=6401 pid=6402
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
ses=11813 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399313980.345:86053): avc:  denied  { dac_override } for 
pid=9683 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399313980.345:86053): arch=c000003e syscall=2
success=yes exit=3 a0=6ebdb7 a1=0 a2=1b6 a3=0 items=0 ppid=9682 pid=9683
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=11842 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=ANOM_ABEND msg=audit(1399313981.617:86054): auid=0 uid=494 gid=493
ses=11813 subj=unconfined_u:system_r:dkim_milter_t:s0 pid=6407 comm="opendkim"
sig=6

type=AVC msg=audit(1399314071.098:86061): avc:  denied  { dac_override } for 
pid=9748 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399314071.098:86061): arch=c000003e syscall=2
success=yes exit=3 a0=f42db7 a1=0 a2=1b6 a3=0 items=0 ppid=9747 pid=9748
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=11842 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=AVC msg=audit(1399316862.527:86239): avc:  denied  { dac_override } for 
pid=13015 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability

type=SYSCALL msg=audit(1399316862.527:86239): arch=c000003e syscall=2
success=yes exit=3 a0=e4ddb7 a1=0 a2=1b6 a3=0 items=0 ppid=13014 pid=13015
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2
ses=11842 comm="opendkim" exe="/usr/sbin/opendkim"
subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

type=ANOM_ABEND msg=audit(1399316863.171:86240): auid=0 uid=494 gid=493
ses=11842 subj=unconfined_u:system_r:dkim_milter_t:s0 pid=9753 comm="opendkim"
sig=6

type=AVC msg=audit(1399322293.847:86503): avc:  denied  { search } for 
pid=19335 comm="opendkim" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=AVC msg=audit(1399322293.847:86503): avc:  denied  { read } for 
pid=19335 comm="opendkim" name="online" dev=sysfs ino=23
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=AVC msg=audit(1399322293.847:86503): avc:  denied  { open } for 
pid=19335 comm="opendkim" name="online" dev=sysfs ino=23
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1399322293.847:86503): arch=c000003e syscall=2
success=yes exit=18 a0=7f202bbd82b8 a1=80000 a2=2803ff a3=7f200ebfcba0 items=0
ppid=13066 pid=19335 auid=0 uid=494 gid=493 euid=494 suid=494 fsuid=494
egid=493 sgid=493 fsgid=493 tty=(none) ses=11842 comm="opendkim"
exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0
key=(null)




The sealerts are no longer available for some reason.

sealert -l 442cb257-3db2-488c-a92e-bfc936e16a0c
Error
query_alerts error (1003): id (442cb257-3db2-488c-a92e-bfc936e16a0c) not found




-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
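
An added example, not part of the original message: one way to reduce a mail-wrapped audit.log excerpt like the one above to its distinct denials, joining each AVC record to the SYSCALL record with the same event id so that the uid of the denied process is visible. The function names and the trimmed SYSCALL lines in the sample are assumptions made for the illustration.

```python
import re
from collections import Counter
# Three events from the post, mail-wrapped as above; SYSCALL records trimmed.
SAMPLE = """\
type=AVC msg=audit(1399250949.323:82972): avc:  denied  { signull } for
pid=32289 comm="opendkim" scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=process
type=SYSCALL msg=audit(1399250949.323:82972): syscall=234 auid=0 uid=494
type=AVC msg=audit(1399251319.711:82997): avc:  denied  { dac_override } for
pid=327 comm="opendkim" capability=1
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=SYSCALL msg=audit(1399251319.711:82997): syscall=2 auid=0 uid=0
type=AVC msg=audit(1399277028.540:84183): avc:  denied  { search } for
pid=10770 comm="opendkim" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1399277028.540:84183): syscall=2 auid=0 uid=494
"""

def records(text):
    """Re-join mail-wrapped lines; each audit record starts with 'type='."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("type="):
            out.append(line)
        elif line and out:
            out[-1] += " " + line
    return out

def summarize(text):
    """Count (perm, target type, tclass, uid); uid is joined from SYSCALL by event id."""
    uids, denials = {}, []
    for rec in records(text):
        m = re.search(r"msg=audit\(([\d.]+:\d+)\)", rec)
        if not m:
            continue
        if rec.startswith("type=SYSCALL"):
            uids[m[1]] = re.search(r"\buid=(\d+)", rec)[1]
        elif rec.startswith("type=AVC"):
            perms = re.search(r"\{([^}]+)\}", rec)[1].split()
            ttype = re.search(r"tcontext=[^:]+:[^:]+:([^:\s]+)", rec)[1]
            tclass = re.search(r"tclass=(\w+)", rec)[1]
            denials += [(m[1], p, ttype, tclass) for p in perms]
    return Counter((p, t, c, uids.get(e, "?")) for e, p, t, c in denials)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

On the three sampled events the dac_override denial belongs to a process running as uid 0, while the signull and sysfs denials belong to uid 494.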