[CentOS] OpenDKIM and SELinux

Mon May 12 17:26:07 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 05/12/2014 09:17 AM, James B. Byrne wrote:
> Following the most recent kernel updates I restarted our outgoing SMTP MTA
> which was recently reconfigured to DKIM sign messages using OpenDKIM.  This
> morning I discovered that Postfix had stopped on that server.  Whether it is
> related to the Postfix issue or not is yet to be determined but, in the
> process of getting things restarted I ran across this error with Open DKIM:
>
> # service opendkim restart
> Stopping OpenDKIM Milter:                                  [FAILED]
> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
>                                                            [FAILED]
>
> I checked the permissions and ownership on the file and everything seems normal.
>  I then checked audit2why and got this:
>
> audit2allow: error: no such option: --
> [root at inet08 opendkim]# audit2why -l -a
> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
>  pid=15213 comm="opendkim" capability=2 
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for 
> pid=15213 comm="opendkim" capability=1 
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
>
>
> We have been using dkim for a little while now and our dmarc records indicate
> that messages from our domains should be signed so this problem needed an
> immediate fix or workaround.  What I ended up with was this .te file that
> generates an SEModule which at least gets the service running.  What else it
> opens us up to I am not sure so I would appreciate some commentary on how I
> should proceed to obtain a permanent fix:
>
>
>
> module localOpenDKIMmod 1.0;
>
> require {
> 	type dkim_milter_t;
> 	class capability { dac_read_search dac_override };
> }
>
> #============= dkim_milter_t ==============
> allow dkim_milter_t self:capability { dac_read_search dac_override };
>
>
>
dac_read_search and dac_override are usually bad to add. They typically
mean the permission flags on the file in question are too tight for a
root process to read/use.

Loosening up the group/other permissions would probably allow a root
process to read the object without requiring these capabilities.