Bug 983551 - SELinux blocks OpenDMARC (<-> Postfix)
Summary: SELinux blocks OpenDMARC (<-> Postfix)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 905304
Reported: 2013-07-11 12:56 UTC by Patrick
Modified: 2014-05-15 14:52 UTC (History)

Fixed In Version: selinux-policy-3.7.19-228.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:45:15 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description Patrick 2013-07-11 12:56:55 UTC
Description of problem:
SELinux does not yet have a policy for OpenDMARC so it generates AVCs

Version-Release number of selected component (if applicable):
OpenDMARC 1.1.3 (based on https://bugzilla.redhat.com/show_bug.cgi?id=905304)

$ rpm -qa | grep selinux
selinux-policy-3.7.19-195.el6_4.12.noarch
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64

How reproducible:
Install OpenDMARC 1.1.3, configure it, configure milter in Postfix, start OpenDMARC, reload Postfix, send test message to Postfix server, see AVCs being generated

Steps to Reproduce:
1. install and configure OpenDMARC, Postfix
2. send test email to Postfix server
3. see AVCs being generated

Actual results:
OpenDMARC is blocked and interaction between Postfix and OpenDMARC is blocked. 

Expected results:
No blockage, everything working, more spam defeated.

Additional info:

OpenDMARC is another new anti-spam tool, with the Internet's 800-pound gorillas already using it (Google, Facebook, etc.). Currently it is not yet available in any Fedora or EPEL repo (review in progress in bz905304). Lacking an SELinux policy will prevent OpenDMARC from working properly. To prevent this I am submitting this report in the hopes that when OpenDMARC shows up in Fedora & EPEL it will work out of the box right away.

OpenDMARC works pretty much the same as OpenDKIM so perhaps that policy can be used as a basis to save some time.

The OpenDMARC default config uses the following files, directories and commands:

Config file /etc/opendmarc.conf
BaseDirectory /var/run/opendmarc
HistoryFile /var/spool/opendmarc/opendmarc.dat
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc.pid
ReportCommand /usr/sbin/sendmail -t
Socket /var/run/opendmarc/opendmarc.sock
Socket inet:8893@localhost
SyslogFacility mail (must be able to log to /var/log/maillog)
TemporaryDirectory /var/tmp
UserID  opendmarc:mail


The AVCs I found thus far (using socket /var/run/opendmarc/opendmarc.sock):

type=AVC msg=audit(1373546882.708:293036): avc:  denied  { write } for  pid=18947 comm="smtpd" name="opendmarc.sock" dev=vda2 ino=5376619 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1373546882.708:293036): avc:  denied  { connectto } for  pid=18947 comm="smtpd" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1373546883.814:293038): avc:  denied  { connectto } for  pid=18977 comm="cleanup" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1373546873.676:293034): avc:  denied  { read } for  pid=18971 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

If you need more information please let me know. Thanks!
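The following is an added example, not part of the bug report or of the selinux-policy package. It parses the four AVC lines quoted in the description above (embedded verbatim as sample input) into structured records, groups the denials by source type, target type and object class, and flags target types that are generic placeholders (initrc_t for an unconfined init-started daemon, var_run_t for an unlabeled socket under /var/run). The GENERIC_TYPES set is this example's own heuristic, not something defined by the policy.

```python
import re
from collections import defaultdict

# The four AVC lines reported in this bug, copied from the description above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1373546882.708:293036): avc:  denied  { write } for  pid=18947 comm="smtpd" name="opendmarc.sock" dev=vda2 ino=5376619 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373546882.708:293036): avc:  denied  { connectto } for  pid=18947 comm="smtpd" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1373546883.814:293038): avc:  denied  { connectto } for  pid=18977 comm="cleanup" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1373546873.676:293034): avc:  denied  { read } for  pid=18971 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value ..." -> result, permission list, remainder
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="smtpd", path="/var/run/...")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (this example's assumption): target types that usually mean the
# object or process never received a domain-specific label.
GENERIC_TYPES = {"initrc_t", "var_run_t", "var_spool_t", "bin_t", "var_t", "var_lib_t"}


def parse_avc(line):
    """Parse one audit.log AVC line into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:range]; the type is what policy rules key on.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def parse_avcs(text):
    """Parse every AVC line in a block of audit log text."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Group denials into (source type, target type, class) -> sorted permissions.

    Each key is one access vector a policy would have to allow (or one label
    that must change so the vector is no longer hit).
    """
    summary = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        summary[(r["scontext_type"], r["tcontext_type"], r["tclass"])].update(r["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def generic_label_hints(records):
    """Return generic target types seen in denials, sorted.

    Hitting initrc_t / var_run_t as the target means the daemon and its socket
    carry no OpenDMARC-specific label, so the fix is labeling, not new allow rules
    for generic types.
    """
    return sorted({r["tcontext_type"] for r in records
                   if r["result"] == "denied" and r["tcontext_type"] in GENERIC_TYPES})


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    for (src, tgt, cls), perms in sorted(summarize(recs).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(perms)}")
    print("generic target types:", ", ".join(generic_label_hints(recs)))
```

Run against the report's lines, the summary shows Postfix's smtpd and cleanup domains talking to a daemon running as initrc_t through a socket labeled var_run_t, which is exactly what relabeling the binary and its data directories (as done later in this bug with dkim_milter_exec_t and dkim_milter_data_t) removes. Note that chcon labels are lost on a filesystem relabel; for a persistent fix use semanage fcontext to record the mapping and restorecon to apply it.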

Comment 2 Milos Malik 2013-07-12 09:49:31 UTC
We also need a policy for opendmarc:

# service opendmarc status
opendmarc is stopped
# service opendmarc start
Starting OpenDMARC Milter: [  OK  ]
# service opendmarc status
opendmarc (pid  16994) is running...
# ps -efZ | grep dmarc
unconfined_u:system_r:initrc_t:s0 498    16994     1  0 05:46 ?        00:00:00 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17007 12434  0 05:46 pts/0 00:00:00 grep dmarc
#

Comment 3 Patrick Laimbock 2013-07-19 14:28:14 UTC
Testing an SELinux policy is preferably done on EL6 since that's what my mailserver runs on. So it would be most appreciated if you could make a policy available for EL6 first or in addition to one for Fedora. Thanks!

Comment 4 Miroslav Grepl 2013-07-23 14:15:08 UTC
Could you try to execute

# chcon -t dkim_milter_exec_t /usr/sbin/opendmarc
# chcon -R -t dkim_milter_data_t /var/run/opendmarc /var/spool/opendmarc

and re-test it.

Thank you.

Comment 5 Patrick Laimbock 2013-07-23 18:58:16 UTC
Hi Miroslav. Here are the results:

Old: 
$ ls -Z /usr/sbin/opendmarc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/opendmarc
$ ls -Z /var/spool/opendmarc/
-rw-rw----. opendmarc mail unconfined_u:object_r:var_spool_t:s0 opendmarc.dat

Change:
$ sudo chcon -t dkim_milter_exec_t /usr/sbin/opendmarc
$ chcon -R -t dkim_milter_data_t /var/run/opendmarc /var/spool/opendmarc

New:
$ ls -Z /usr/sbin/opendmarc
-rwxr-xr-x. root root system_u:object_r:dkim_milter_exec_t:s0 /usr/sbin/opendmarc
$ ls -Z /var/run/opendmarc /var/spool/opendmarc
-rw-rw----. opendmarc mail unconfined_u:object_r:dkim_milter_data_t:s0 opendmarc.dat

When sending mail I no longer see any AVCs in enforced or in permissive mode in /var/log/audit/audit.log.

Please note that I could only test it with opendmarc using a socket.

Comment 6 Miroslav Grepl 2013-07-24 05:23:20 UTC
I added to Fedora

commit fa78971ce5af7886b1a5f799b558ca38a4086411
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jul 24 07:21:15 2013 +0200

    Add support for OpenDMARC

and will backport.

Thank you for testing.

Comment 14 errata-xmlrpc 2013-11-21 10:45:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

