Bug 1716937 - SELinux prevents opendkim from executing /usr/bin/bash
Summary: SELinux prevents opendkim from executing /usr/bin/bash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 30
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-06-04 12:28 UTC by Göran Uddeborg
Modified: 2019-10-02 19:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-02 19:44:21 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
AVC:s in permissive mode (8.13 KB, text/plain)
2019-06-12 20:38 UTC, Göran Uddeborg

Description Göran Uddeborg 2019-06-04 12:28:21 UTC
Description of problem:
SELinux is preventing opendkim from execute access on the file /usr/bin/bash.

Additional Information:
Source Context                system_u:system_r:dkim_milter_t:SystemLow
Target Context                system_u:object_r:shell_exec_t:SystemLow
Target Objects                /usr/bin/bash [ file ]
Source                        opendkim
Source Path                   opendkim
Port                          <Unknown>
Host                          mimmi
Source RPM Packages           
Target RPM Packages           bash-4.3.43-4.fc25.x86_64
Policy RPM                    selinux-policy-3.14.3-38.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mimmi
Platform                      Linux mimmi 5.0.13-300.fc30.x86_64 #1 SMP Mon May 6 00:39:45 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-06-04 11:00:02 CEST
Last Seen                     2019-06-04 11:00:02 CEST
Local ID                      dc7f0947-0fe1-4cec-8033-f30b85348ef0

Raw Audit Messages
type=AVC msg=audit(1559638802.661:1750): avc:  denied  { execute } for  pid=9699 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-38.fc30.noarch
opendkim-2.11.0-0.8.fc30.x86_64


How reproducible:
Happened once so far, but I have only been running opendkim for a while, so I don't know how often it happens.


Additional info:
Journal entries from the time this happened:

jun 04 11:00:02 mimmi sendmail[9697]: STARTTLS=server, relay=bob.bthstudent.se [193.11.190.196], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
jun 04 11:00:02 mimmi sendmail[9697]: x54902wd009697: from=<tp-sv-bounces.se>, size=5654, class=-30, nrcpts=1, msgid=<23798.13066.635806.234189.HOWL>, proto=ESMTPS, daemon=MTA, relay=bob.bthstudent.se [193.11.190.196]
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: bob.bthstudent.se [193.11.190.196] not internal
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: not authenticated
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: external host bob.bthstudent.se attempted to send as uddeborg.se
jun 04 11:00:02 mimmi sendmail[9697]: x54902wd009697: Milter insert (1): header: Authentication-Results:  mimmi.uddeborg.se;\n\tdkim=fail reason="signature verification failed" (1024-bit key) header.d=uddeborg.se header.i= header.b="B3TbD9mn"
jun 04 11:00:02 mimmi audit[9699]: AVC avc:  denied  { execute } for  pid=9699 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: popen(): Cannot allocate memory
jun 04 11:00:02 mimmi opendkim[1906]: x54902wd009697: bad signature data
jun 04 11:00:02 mimmi sendmail[9697]: x54902wd009697: Milter insert (1): header: DKIM-Filter:  OpenDKIM Filter v2.11.0 mimmi.uddeborg.se x54902wd009697

Comment 1 Lukas Vrabec 2019-06-10 15:55:02 UTC
Hi, 

Are you able to reproduce it? 

Thanks,
Lukas.

Comment 2 Göran Uddeborg 2019-06-12 20:38:31 UTC
Created attachment 1579919 [details]
AVC:s in permissive mode

Yes!  After some failed attempts I've finally managed to reproduce it.  It happens when I receive an email with a DKIM signature that is INvalid.  It doesn't happen too often, thus a bit hard to find.

Anyway, when I found this, I could reproduce it by sending myself an intentionally broken message.  What Opendkim tries to do is to send postmaster a message reporting about the failure.  It executes the system call

execve("/bin/sh", ["sh", "-c", "/usr/sbin/sendmail -t -fpostmaster"], ["LANG=sv_SE.utf8", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin", "HOME=/var/run/opendkim", "LOGNAME=opendkim", "USER=opendkim", "INVOCATION_ID=1173df22a0f6463b8c630ac1ae70a61a", "JOURNAL_STREAM=9:39867", "OPTIONS=-x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid", "DKIM_SELECTOR=default", "DKIM_KEYDIR=/etc/opendkim/keys"] <unfinished ...>

This is the call that fails in enforcing mode.  Obviously, it will shortly after that try to exec the sendmail binary too, which would also have failed.

I put my machine in permissive mode, and repeated the experiment.  I got the following AVC:s in the attached file.  I guess not all those should be allowed.  My understanding is that dkim_milter_t should be allowed to execute shell_exec_t and sendmail_exec_t, and to transition into the sendmail_t domain.  But I'm sure you know this better than I do!

Comment 3 Lukas Vrabec 2019-06-14 20:50:08 UTC
commit 36d8b45d3923aa95555125258ba53e5fb43a376f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jun 14 22:49:53 2019 +0200

    Allow dkim_milter_t to use shell BZ(1716937)

Comment 4 Göran Uddeborg 2019-06-14 21:14:24 UTC
So far so good, but that still doesn't allow it to transition into sendmail_t when later executing sendmail, does it?

Comment 5 Fedora Update System 2019-06-18 11:32:03 UTC
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 6 Fedora Update System 2019-06-19 01:02:56 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 7 Fedora Update System 2019-06-20 02:54:47 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Göran Uddeborg 2019-06-25 19:24:29 UTC
I don't understand why, but I can't see any difference.  I have the following installed:

selinux-policy-3.14.3-39.fc30.noarch
selinux-policy-targeted-3.14.3-39.fc30.noarch
selinux-policy-devel-3.14.3-39.fc30.noarch
selinux-policy-sandbox-3.14.3-39.fc30.noarch
selinux-policy-doc-3.14.3-39.fc30.noarch

When I give sendmail a mail with a broken signature, I still get this AVC:

type=AVC msg=audit(1561490481.576:346018): avc:  denied  { execute } for  pid=29243 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

Comment 9 Lukas Vrabec 2019-07-01 20:02:44 UTC
commit 2a22f41f1795f6f53324f330b3632b376c2f1430 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 1 22:02:00 2019 +0200

    Allow dkim_milter_t domain to execute shell BZ(17116937)

Comment 10 Fedora Update System 2019-07-10 12:46:34 UTC
FEDORA-2019-9c513c4cf8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

Comment 11 Fedora Update System 2019-07-11 00:50:35 UTC
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9c513c4cf8

Comment 12 Göran Uddeborg 2019-07-11 10:15:47 UTC
With 3.14.3-40.fc30 it comes further.  The original AVC is gone now.  But opendkim still fails when it tries to execute sendmail in order to actually report the failure.  (See comment 2 for what the shell being executed will try to do.)

time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557821): avc:  denied  { execute } for  pid=17358 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557822): avc:  denied  { getattr } for  pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Thu Jul 11 11:57:39 2019
type=AVC msg=audit(1562839059.337:557823): avc:  denied  { getattr } for  pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
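
A small parser for the AVC records quoted in comment 2 and comment 12, added here as an example and not code from this bug or from the Fedora policy: it folds the denials into the raw allow rules that audit2allow would print, and then maps the two exec types to refpolicy interface calls (corecmd_exec_shell and sendmail_domtrans; that mapping is an assumption) so that sendmail ends up in sendmail_t rather than running inside dkim_milter_t, which is what comment 2 asks for.

```python
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in comment 2 (shell) and
# comment 12 (sendmail), copied from this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1559638802.661:1750): avc:  denied  { execute } for  pid=9699 comm="opendkim" name="bash" dev="dm-0" ino=117309473 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562839059.337:557821): avc:  denied  { execute } for  pid=17358 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562839059.337:557822): avc:  denied  { getattr } for  pid=17358 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type:level -> type (the part a policy rule names)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source type, target type, class, perms) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scontext"]), type_of(m["tcontext"]),
                   m["tclass"], frozenset(m["perms"].split()))

def derive_rules(text):
    """Fold denials into the raw allow rules audit2allow would print."""
    wanted = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        wanted[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, cls), p in sorted(wanted.items())]

# Assumed mapping from exec type to refpolicy interface. A raw allow on
# sendmail_exec_t would run sendmail inside dkim_milter_t; sendmail_domtrans
# also adds the transition into sendmail_t that comment 2 asks for.
INTERFACE_FOR = {"shell_exec_t": "corecmd_exec_shell",
                 "sendmail_exec_t": "sendmail_domtrans"}

def recommend(text):
    """Prefer the interface call over a raw execute allow where one is known."""
    calls = {f"{INTERFACE_FOR[tgt]}({src})"
             for src, tgt, cls, perms in parse_avcs(text)
             if cls == "file" and "execute" in perms and tgt in INTERFACE_FOR}
    return sorted(calls)
```

The raw rules from derive_rules are what a hasty audit2allow -M module would contain; recommend gives the interface calls that keep sendmail in its own domain.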

Comment 13 Fedora Update System 2019-07-13 01:06:51 UTC
selinux-policy-3.14.3-40.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Göran Uddeborg 2019-07-13 08:59:10 UTC
Not fully resolved yet as indicated above, so I reopen.  (Let me know if you prefer a separate bugzilla for the remaining problems.)

Comment 15 Lukas Vrabec 2019-07-16 20:23:42 UTC
commit 9250a22c9745056b5175bcdc0edef65662a61b77 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 16 22:23:20 2019 +0200

    Allow dkim-milter to send e-mails BZ(1716937)

Comment 16 Fedora Update System 2019-07-19 08:01:32 UTC
FEDORA-2019-b156bd756a has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b156bd756a

Comment 17 Fedora Update System 2019-07-20 00:59:55 UTC
selinux-policy-3.14.3-41.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b156bd756a

Comment 18 Göran Uddeborg 2019-07-20 13:31:50 UTC
With 3.14.3-41.fc30 I still see the following AVCs.  To my eyes, it looks very similar to what it looked before.  (As a consequence, the warning mail is still not sent.)

time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155244): avc:  denied  { execute } for  pid=26909 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155245): avc:  denied  { getattr } for  pid=26909 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Sat Jul 20 15:16:35 2019
type=AVC msg=audit(1563628595.286:155246): avc:  denied  { getattr } for  pid=26909 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0

Comment 19 Fedora Update System 2019-07-21 15:28:17 UTC
selinux-policy-3.14.3-41.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Göran Uddeborg 2019-07-21 17:52:31 UTC
As before, reopening since not fully resolved.

Comment 21 Göran Uddeborg 2019-10-02 19:44:21 UTC
Closing again.  I reopened since the functionality wasn't there yet.  But since this is because of other problems later in the process, I created a separate bug 1757950 to take care of those.

