[CentOS] OpenDKIM and SELinux

Mon May 12 18:05:13 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 05/12/2014 01:26 PM, Daniel J Walsh wrote:
> On 05/12/2014 09:17 AM, James B. Byrne wrote:
>> Following the most recent kernel updates I restarted our outgoing SMTP MTA
>> which was recently reconfigured to DKIM sign messages using OpenDKIM.  This
>> morning I discovered that Postfix had stopped on that server.  Whether it is
>> related to the Postfix issue or not is yet to be determined but, in the
>> process of getting things restarted I ran across this error with Open DKIM:
>>
>> # service opendkim restart
>> Stopping OpenDKIM Milter:                                  [FAILED]
>> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
>> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
>>                                                            [FAILED]
>>
>> I check the permissions and ownership on the file and everything seems normal.
>> I then checked audit2why and got this:
>>
>> audit2allow: error: no such option: --
>> [root at inet08 opendkim]# audit2why -l -a
>> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
>>  pid=15213 comm="opendkim" capability=2 
>> scontext=unconfined_u:system_r:dkim_milter_t:s0
>> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>> 	Was caused by:
>> 		Missing type enforcement (TE) allow rule.
>>
>> 		You can use audit2allow to generate a loadable module to allow this access.
>>
>> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for 
>> pid=15213 comm="opendkim" capability=1 
>> scontext=unconfined_u:system_r:dkim_milter_t:s0
>> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>> 	Was caused by:
>> 		Missing type enforcement (TE) allow rule.
>>
>> 		You can use audit2allow to generate a loadable module to allow this access.
>>
>>
>>
>> We have been using dkim for a little while now and our dmarc records indicate
>> that messages from our domains should be signed so this problem needed an
>> immediate fix or workaround.  What I ended up with was this .te file that
>> generates an SEModule which at least gets the service running.  What else it
>> opens us up to I am not sure so I would appreciate some commentary on how I
>> should proceed to obtain a permanent fix:
>>
>>
>>
>> module localOpenDKIMmod 1.0;
>>
>> require {
>> 	type dkim_milter_t;
>> 	class capability { dac_read_search dac_override };
>> }
>>
>> #============= dkim_milter_t ==============
>> allow dkim_milter_t self:capability { dac_read_search dac_override };
>>
>>
>>
> dac_read_search and dac_override are usually bad to add. They typically
> mean the permission flags on the file in question are too tight for a
> root process to read/use.
>
> Loosening up the group/other permissions would probably allow a root
> process to read the object without requiring these capabilities.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
I just wrote a quick blog on this.

https://danwalsh.livejournal.com/69478.html
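The check Dan describes, as an added example that is not part of the thread or of any project: pull the DAC-bypass capability denials out of the AVC records, then test whether the daemon's uid/gids can read the file by ordinary mode bits alone, which tells you whether a chmod/chgrp (rather than the posted allow rule) removes the need for dac_override/dac_read_search. The AVC lines are the two quoted above, reflowed onto one line each; the uid/gid 997 and mode 0600 in the usage are constructed values.

```python
import re

# The two AVC records quoted in the thread, reflowed onto one line each (constructed sample input).
AVC_LOG = """\
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for pid=15213 comm="opendkim" capability=2 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for pid=15213 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
"""

DAC_CAPS = {"dac_override", "dac_read_search"}
AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
                    r'.*?scontext=\w+:\w+:(?P<domain>\w+):')

def dac_denials(log):
    """Return (domain, comm, perm) for each capability AVC that is a DAC-bypass denial."""
    hits = []
    for line in log.splitlines():
        if "tclass=capability" not in line:
            continue
        m = AVC_RE.search(line)
        if m:
            for perm in sorted(set(m.group("perms").split()) & DAC_CAPS):
                hits.append((m.group("domain"), m.group("comm"), perm))
    return hits

def dac_allows(mode, owner_uid, owner_gid, uid, gids, need="r"):
    """Do the plain mode bits grant `need` ('r', 'w' or 'x') to uid/gids with no capability?
    Exactly one class applies, checked in the order owner, group, other, as the kernel does."""
    shift = {"r": 2, "w": 1, "x": 0}[need]
    if uid == owner_uid:
        cls = 6
    elif owner_gid in gids:
        cls = 3
    else:
        cls = 0
    return bool(mode & (1 << (cls + shift)))

def suggest_chmod(path, mode, owner_uid, owner_gid, uid, gids, need="r"):
    """The chmod that opens the class the daemon falls into, or None if no change is needed."""
    if dac_allows(mode, owner_uid, owner_gid, uid, gids, need):
        return None
    who = "u" if uid == owner_uid else "g" if owner_gid in gids else "o"
    return f"chmod {who}+{need} {path}"

if __name__ == "__main__":
    for domain, comm, perm in dac_denials(AVC_LOG):
        print(f"{domain}: {comm} denied {perm}")
    # Constructed case: opendkim running as root (uid 0) reading a 0600 file owned by uid/gid 997.
    print(suggest_chmod("/etc/opendkim/TrustedHosts", 0o600, 997, 997, 0, {0}))
```

For a directory on the path, call with `need="x"`, since dac_read_search is what a process needs when the search bit is missing on a directory it must traverse.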