On 05/12/2014 09:17 AM, James B. Byrne wrote:
> Following the most recent kernel updates I restarted our outgoing SMTP MTA
> which was recently reconfigured to DKIM sign messages using OpenDKIM. This
> morning I discovered that Postfix had stopped on that server. Whether it is
> related to the Postfix issue or not is yet to be determined but, in the
> process of getting things restarted I ran across this error with Open DKIM:
>
> # service opendkim restart
> Stopping OpenDKIM Milter: [FAILED]
> Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf:
> refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
> [FAILED]
>
> I check the permissions and ownership on the file and everything seems normal.
> I then checked audit2why and got this:
>
> audit2allow: error: no such option: --
> [root@inet08 opendkim]# audit2why -l -a
> type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_read_search } for
> pid=15213 comm="opendkim" capability=2
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow
> this access.
>
> type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_override } for
> pid=15213 comm="opendkim" capability=1
> scontext=unconfined_u:system_r:dkim_milter_t:s0
> tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
> Was caused by:
> Missing type enforcement (TE) allow rule.
>
> You can use audit2allow to generate a loadable module to allow
> this access.
>
>
>
> We have been using dkim for a little while now and our dmarc records indicate
> that messages from our domains should be signed so this problem needed an
> immediate fix or workaround. What I ended up with was this .te file that
> generates an SEModule which at least gets the service running. What else it
> opens us up to I am not sure so I would appreciate some commentary on how I
> should proceed to obtain a permanent fix:
>
>
>
> module localOpenDKIMmod 1.0;
>
> require {
> type dkim_milter_t;
> class capability { dac_read_search dac_override };
> }
>
> #============= dkim_milter_t ==============
> allow dkim_milter_t self:capability { dac_read_search dac_override };
>
>
>
dac_read_search and dac_override are usually bad to add. They typically
mean the permission flags on the file in question is two tight for a
root process to read/use.
Loosing up the group/other permissions would probably allow a root
process to read the object without requiring these capabities.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
