Following the most recent kernel updates I restarted our outgoing SMTP MTA
which was recently reconfigured to DKIM sign messages using OpenDKIM. This
morning I discovered that Postfix had stopped on that server. Whether it is
related to the Postfix issue or not is yet to be determined but, in the
process of getting things restarted I ran across this error with Open DKIM:

    # service opendkim restart
    Stopping OpenDKIM Milter:                                  [FAILED]
    Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
    refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
                                                               [FAILED]

I checked the permissions and ownership on the file and everything seems
normal. I then checked audit2why and got this:

    audit2allow: error: no such option: --
    [root at inet08 opendkim]# audit2why -l -a
    type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
    pid=15213 comm="opendkim" capability=2
    scontext=unconfined_u:system_r:dkim_milter_t:s0
    tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
            Was caused by:
                    Missing type enforcement (TE) allow rule.

                    You can use audit2allow to generate a loadable module to allow this access.

    type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for
    pid=15213 comm="opendkim" capability=1
    scontext=unconfined_u:system_r:dkim_milter_t:s0
    tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
            Was caused by:
                    Missing type enforcement (TE) allow rule.

                    You can use audit2allow to generate a loadable module to allow this access.

We have been using dkim for a little while now and our dmarc records indicate
that messages from our domains should be signed so this problem needed an
immediate fix or workaround. What I ended up with was this .te file that
generates an SEModule which at least gets the service running. What else it
opens us up to I am not sure so I would appreciate some commentary on how I
should proceed to obtain a permanent fix:

    module localOpenDKIMmod 1.0;

    require {
            type dkim_milter_t;
            class capability { dac_read_search dac_override };
    }

    #============= dkim_milter_t =============
    allow dkim_milter_t self:capability { dac_read_search dac_override };

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                 mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited           http://www.harte-lyne.ca
9 Brockley Drive               vox: +1 905 561 1241
Hamilton, Ontario              fax: +1 905 561 0757
Canada  L8E 3C3
On 05/12/2014 09:17 AM, James B. Byrne wrote:
> Following the most recent kernel updates I restarted our outgoing SMTP MTA
> which was recently reconfigured to DKIM sign messages using OpenDKIM. This
> morning I discovered that Postfix had stopped on that server. Whether it is
> related to the Postfix issue or not is yet to be determined but, in the
> process of getting things restarted I ran across this error with Open DKIM:
>
> # service opendkim restart
> Stopping OpenDKIM Milter:                                  [FAILED]
> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
>                                                            [FAILED]
>
> I checked the permissions and ownership on the file and everything seems
> normal. I then checked audit2why and got this:
>
> audit2allow: error: no such option: --
> [root at inet08 opendkim]# audit2why -l -a
> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_read_search } for
> pid=15213 comm="opendkim" capability=2
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>         Was caused by:
>                 Missing type enforcement (TE) allow rule.
>
>                 You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1399898848.286:2317): avc:  denied  { dac_override } for
> pid=15213 comm="opendkim" capability=1
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
>         Was caused by:
>                 Missing type enforcement (TE) allow rule.
>
>                 You can use audit2allow to generate a loadable module to allow this access.
>
> We have been using dkim for a little while now and our dmarc records indicate
> that messages from our domains should be signed so this problem needed an
> immediate fix or workaround. What I ended up with was this .te file that
> generates an SEModule which at least gets the service running. What else it
> opens us up to I am not sure so I would appreciate some commentary on how I
> should proceed to obtain a permanent fix:
>
> module localOpenDKIMmod 1.0;
>
> require {
>         type dkim_milter_t;
>         class capability { dac_read_search dac_override };
> }
>
> #============= dkim_milter_t =============
> allow dkim_milter_t self:capability { dac_read_search dac_override };
>

dac_read_search and dac_override are usually bad to add. They typically mean
the permission flags on the file in question are too tight for a root process
to read/use. Loosening up the group/other permissions would probably allow a
root process to read the object without requiring these capabilities.
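The reply's advice is to find the path component whose DAC bits are too tight rather than grant the capabilities. The following diagnostic is an added example (not code from the thread, OpenDKIM or the SELinux tools): given a file such as /etc/opendkim/TrustedHosts and an identity (uid plus group set), it walks every directory on the way and reports which component ordinary owner/group/other permissions would refuse, which is exactly the condition that makes the kernel fall back to CAP_DAC_READ_SEARCH / CAP_DAC_OVERRIDE for a root process and trips the AVC denials above.

```python
import os
import stat
import sys
from typing import List, Set, Tuple

# Hypothetical helper, not part of the thread: classic owner/group/other rule,
# where the first matching class decides and later classes are not consulted.
def _dac_allows(st: os.stat_result, uid: int, gids: Set[int],
                owner_bit: int, group_bit: int, other_bit: int) -> bool:
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def dac_problems(path: str, uid: int, gids: Set[int]) -> List[Tuple[str, str]]:
    """Return [(component, missing permission)] for reading `path` as uid/gids.

    An empty list means plain DAC lets that identity read the file, so no
    dac_read_search / dac_override capability would be needed for it.
    """
    path = os.path.abspath(path)
    problems: List[Tuple[str, str]] = []
    # Every directory from / down to the parent needs the search (x) bit.
    dirs = [os.sep]
    cur = os.sep
    for name in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, name)
        dirs.append(cur)
    for d in dirs:
        st = os.stat(d)
        if not _dac_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append((d, "search (x) on directory"))
    # The file itself needs the read (r) bit.
    st = os.stat(path)
    if not _dac_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append((path, "read (r) on file"))
    return problems


if __name__ == "__main__":
    # Usage: python dac_check.py /etc/opendkim/TrustedHosts opendkim
    import pwd
    target, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for component, missing in dac_problems(target, pw.pw_uid, groups) or []:
        print(f"{component}: {user} lacks {missing}")
```

Running it for the service account shows the directory or file whose mode needs loosening; running it for root (uid 0) with a non-empty result explains why SELinux logged the capability denials instead of a plain EACCES.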