Bug 1757950 - SELinux prevents opendkim from executing sendmail
Summary: SELinux prevents opendkim from executing sendmail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 31
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: nknazeko
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-02 19:42 UTC by Göran Uddeborg
Modified: 2019-10-29 01:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-29 01:27:58 UTC
Type: Bug
Embargoed:



Description Göran Uddeborg 2019-10-02 19:42:30 UTC
Description of problem:
When opendkim finds a mail with an invalid signature, it tries to send another mail reporting about the failure.  SELinux doesn't allow this, however, as the dkim_milter_t domain isn't allowed to execute or getattr on sendmail_exec_t.  The result is the warning mail is never sent.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.4-35.fc31.noarch


How reproducible:
Every mail with a broken dkim signature


Steps to Reproduce:
1. Configure sendmail to use opendkim
2. Give it a mail with a broken dkim signature


Actual results:
No warning mail, and three AVCs:

time->Tue Oct  1 19:41:39 2019
type=AVC msg=audit(1569951699.612:151930): avc:  denied  { execute } for  pid=919260 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Tue Oct  1 19:41:39 2019
type=AVC msg=audit(1569951699.613:151931): avc:  denied  { getattr } for  pid=919260 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
time->Tue Oct  1 19:41:39 2019
type=AVC msg=audit(1569951699.613:151932): avc:  denied  { getattr } for  pid=919260 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0


Expected results:
No AVCs and a warning mail.


Additional info:
This is kind of a follow-up to bug 1716937.  There I reported an AVC in an earlier stage in the reporting.  When that was fixed this problem showed up.  I reopened that bugzilla, but thinking about it a second time, that is in a way trying to report more than one problem in one bugzilla.  That is probably not a good idea, and here I'm opening this separate bugzilla instead for the later problem.  Tested with the F31 version of the policy.
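
The three denials in the description share one source type, target type and object class, so they collapse into a single rule. The following is an added example, not part of the report or of the selinux-policy fix: it parses the records the way audit2allow-style tooling does and merges them; the function names are this example's own.

```python
import re
from collections import defaultdict

# The three AVC records from the report above, with ausearch separators left in.
SAMPLE = '''time->Tue Oct  1 19:41:39 2019
type=AVC msg=audit(1569951699.612:151930): avc:  denied  { execute } for  pid=919260 comm="sh" name="sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1569951699.613:151931): avc:  denied  { getattr } for  pid=919260 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(1569951699.613:151932): avc:  denied  { getattr } for  pid=919260 comm="sh" path="/usr/sbin/sendmail.sendmail" dev="dm-0" ino=117424600 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def denials(text):
    """Return one dict per denied AVC record; timestamps and separators are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        if not fields.keys() >= {"scontext", "tcontext", "tclass"}:
            continue  # truncated record: not enough to name a rule
        fields["perms"] = m.group(1).split()
        out.append(fields)
    return out


def setype(context):
    """The type is the third field of user:role:type:level (the level may contain ':')."""
    return context.split(":")[2]


def allow_rules(text):
    """Merge denials by (source type, target type, class) into allow-rule strings."""
    merged = defaultdict(set)
    for d in denials(text):
        key = (setype(d["scontext"]), setype(d["tcontext"]), d["tclass"])
        merged[key].update(d["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```

The result describes what was denied, not the change that went into the policy package. In enforcing mode a later denial only shows up once the earlier one is allowed, as the reference to bug 1716937 above illustrates, so the merged rule covers only the permissions logged so far.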

Comment 1 nknazeko 2019-10-04 12:12:29 UTC
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/147

Comment 2 Lukas Vrabec 2019-10-04 16:00:52 UTC
commit 43323aaffb63c88d7f95a8e216434e6f3d95a528 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Fri Oct 4 13:17:01 2019 +0200

    Allow dkim to execute sendmail
    
    Allow DomainKeys Identified Mail, an email authentication method, to execute Sendmail.
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1757950

Comment 3 Fedora Update System 2019-10-22 19:32:45 UTC
FEDORA-2019-7ef1fde499 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 4 Fedora Update System 2019-10-23 15:44:44 UTC
selinux-policy-3.14.4-38.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7ef1fde499

Comment 5 Fedora Update System 2019-10-26 16:59:32 UTC
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 6 Fedora Update System 2019-10-27 04:02:56 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 7 Fedora Update System 2019-10-29 01:27:58 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

