On 05/12/2014 09:17 AM, James B. Byrne wrote:
> Following the most recent kernel updates I restarted our outgoing SMTP MTA
> which was recently reconfigured to DKIM sign messages using OpenDKIM. This
> morning I discovered that Postfix had stopped on that server. Whether it is
> related to the Postfix issue or not is yet to be determined but, in the
> process of getting things restarted I ran across this error with Open DKIM:
>
> # service opendkim restart
> Stopping OpenDKIM Milter: [FAILED]
> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
> [FAILED]
>
> I checked the permissions and ownership on the file and everything seems normal.
> I then checked audit2why and got this:
>
> audit2allow: error: no such option: --
> [root@inet08 opendkim]# audit2why -l -a
> type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_read_search } for
> pid=15213 comm="opendkim" capability=2
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_override } for
> pid=15213 comm="opendkim" capability=1
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow this access.
>
> We have been using dkim for a little while now and our dmarc records indicate
> that messages from our domains should be signed so this problem needed an
> immediate fix or workaround. What I ended up with was this .te file that
> generates an SEModule which at least gets the service running. What else it
> opens us up to I am not sure so I would appreciate some commentary on how I
> should proceed to obtain a permanent fix:
>
> module localOpenDKIMmod 1.0;
>
> require {
>     type dkim_milter_t;
>     class capability { dac_read_search dac_override };
> }
>
> #============= dkim_milter_t ==============
> allow dkim_milter_t self:capability { dac_read_search dac_override };

dac_read_search and dac_override are usually bad to add. They typically mean
the permission flags on the file in question are too tight for a root process
to read/use. Loosening up the group/other permissions would probably allow a
root process to read the object without requiring these capabilities.
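The reply's point about file modes can be checked directly. The script below is an added example, not code from this thread or from OpenDKIM: it models the ordinary DAC permission check for a given uid/gid along every component of a path, which is the check a root process has to fail before the kernel falls back to CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE. It assumes GNU stat and uses the /etc/opendkim/TrustedHosts path from the error message as its default argument.

```shell
#!/bin/sh
# Added example, not code from the thread: model the plain DAC check the
# kernel makes before it ever consults CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE.
# Every component this script flags is one where a root daemon would need
# those capabilities, i.e. the ones the AVC messages above show being denied.

# dac_allows PATH UID GID NEED -- NEED is r (read a file) or x (search a dir).
# Returns 0 if the mode bits allow it, 1 if they deny, 2 if PATH cannot be stat'ed.
dac_allows() {
    local st mode triple bit
    st=$(stat -c '%a %u %g' "$1") || return 2
    set -- "$1" "$2" "$3" "$4" $st     # $5=octal mode $6=owner uid $7=owner gid
    mode=$(( 0$5 & 0777 ))              # drop the setuid/setgid/sticky digit
    if [ "$2" = "$6" ]; then triple=$(( (mode >> 6) & 7 ))   # owner bits
    elif [ "$3" = "$7" ]; then triple=$(( (mode >> 3) & 7 )) # group bits
    else triple=$(( mode & 7 )); fi                          # other bits
    case $4 in r) bit=4 ;; x) bit=1 ;; *) return 2 ;; esac
    [ $(( triple & bit )) -ne 0 ]
}

# dac_check FILE UID GID -- walk FILE and each parent directory up to /,
# print every component whose bits deny the identity, return 1 if any does.
dac_check() {
    local p=$1 uid=$2 gid=$3 need st rc=0
    case $p in /*) ;; *) p=$PWD/$p ;; esac      # need an absolute path to walk
    while :; do
        if [ -d "$p" ]; then need=x; else need=r; fi
        st=0; dac_allows "$p" "$uid" "$gid" "$need" || st=$?
        case $st in
            1) printf 'DENY %-2s %s  %s  (uid=%s gid=%s)\n' "$need" \
                   "$(stat -c '%A %U:%G' "$p")" "$p" "$uid" "$gid"; rc=1 ;;
            2) printf 'cannot stat %s\n' "$p"; return 2 ;;
        esac
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: sh dac_check.sh /etc/opendkim/TrustedHosts 0 0
if [ $# -gt 0 ]; then dac_check "$1" "${2:-0}" "${3:-0}"; fi
```

Run it with uid 0 and gid 0 to see which component of the path root itself cannot pass on mode bits alone; fixing that component's group/other bits (or its ownership) removes the need for the capability rule in the .te module.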