[CentOS] OpenDKIM and SELinux

Mon May 12 13:17:54 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

Following the most recent kernel updates I restarted our outgoing SMTP MTA,
which was recently reconfigured to DKIM-sign messages using OpenDKIM.  This
morning I discovered that Postfix had stopped on that server.  Whether it is
related to the Postfix issue or not is yet to be determined, but in the
process of getting things restarted I ran across this error with OpenDKIM:

# service opendkim restart
Stopping OpenDKIM Milter:                                  [FAILED]
Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
                                                           [FAILED]

I checked the permissions and ownership on the file and everything seems normal.
I then checked audit2why and got this:

audit2allow: error: no such option: --
[root at inet08 opendkim]# audit2why -l -a
type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
 pid=15213 comm="opendkim" capability=2 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for 
pid=15213 comm="opendkim" capability=1 
scontext=unconfined_u:system_r:dkim_milter_t:s0
tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
We have been using dkim for a little while now and our dmarc records indicate
that messages from our domains should be signed so this problem needed an
immediate fix or workaround.  What I ended up with was this .te file that
generates an SEModule which at least gets the service running.  What else it
opens us up to I am not sure so I would appreciate some commentary on how I
should proceed to obtain a permanent fix:
module localOpenDKIMmod 1.0;

require {
	type dkim_milter_t;
	class capability { dac_read_search dac_override };
}

#============= dkim_milter_t ==============
allow dkim_milter_t self:capability { dac_read_search dac_override };
-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
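The two AVCs above share one audit event id: plain discretionary access control refused the open, and the kernel then probed CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, which SELinux denied for dkim_milter_t. That pattern almost always means the opendkim user cannot traverse a directory or read a file, not that the milter needs either capability. The script below is an added example, not from the post or from OpenDKIM: it emulates the kernel's DAC check for a given uid/gid over a constructed copy of the /etc/opendkim layout so the blocking component can be found before anything is granted in policy; it assumes GNU stat and ignores supplementary groups and ACLs.

```shell
#!/bin/sh
# Added example, not from the post: emulate the kernel's plain DAC check for a
# service uid/gid to find the file or directory behind a dac_override or
# dac_read_search AVC. Assumes GNU stat; ignores supplementary groups and ACLs.
# dac_check PATH UID GID r|w|x -> 0 if the applicable permission triad grants it.
dac_check() {
    _p=$1; _u=$2; _g=$3; _want=$4
    set -- $(stat -c '%u %g %A' "$_p")       # owner uid, owner gid, e.g. drwx------
    if [ "$_u" -eq "$1" ]; then _t=$(echo "$3" | cut -c2-4)    # owner triad only
    elif [ "$_g" -eq "$2" ]; then _t=$(echo "$3" | cut -c5-7)  # group triad
    else _t=$(echo "$3" | cut -c8-10); fi                      # other triad
    case $_want in
        r) case $_t in r??) return 0 ;; esac ;;
        w) case $_t in ?w?) return 0 ;; esac ;;
        x) case $_t in ??[xst]) return 0 ;; esac ;;           # s/t imply x
    esac
    return 1
}

# can_read_path ABSFILE UID GID -> walk each ancestor for search (x), then the
# file for read (r); print the first component plain DAC refuses and return 1.
can_read_path() {
    file=$1; uid=$2; gid=$3; fail=""; p=$(dirname "$file")
    while :; do
        dac_check "$p" "$uid" "$gid" x || fail=$p              # topmost failure wins
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    if [ -n "$fail" ]; then
        echo "search denied on $fail for uid=$uid gid=$gid (kernel probes CAP_DAC_READ_SEARCH)"; return 1
    fi
    if ! dac_check "$file" "$uid" "$gid" r; then
        echo "read denied on $file for uid=$uid gid=$gid (kernel probes CAP_DAC_OVERRIDE, then CAP_DAC_READ_SEARCH)"; return 1
    fi
    echo "ok: uid=$uid gid=$gid reads $file under plain DAC, no capability needed"
}

# Constructed fixture mirroring the post's layout: TrustedHosts is world-readable
# but its directory is 0700, a classic cause of exactly this pair of denials.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/etc/opendkim"; chmod 755 "$d" "$d/etc"
    chmod 700 "$d/etc/opendkim"
    printf '127.0.0.1\n' > "$d/etc/opendkim/TrustedHosts"; chmod 644 "$d/etc/opendkim/TrustedHosts"
    echo "$d"
}

# Stand-alone run: the owner reads it, an unrelated uid/gid is stopped at the directory.
fx=$(make_fixture); hosts="$fx/etc/opendkim/TrustedHosts"
can_read_path "$hosts" "$(id -u)" "$(id -g)"
can_read_path "$hosts" "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))"
```

On the real host the same walk is `can_read_path /etc/opendkim/TrustedHosts "$(id -u opendkim)" "$(id -g opendkim)"`; if it reports a denial, fixing ownership or mode on that component removes the AVC without the allow rule.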