Following the most recent kernel updates I restarted our outgoing SMTP MTA, which was recently reconfigured to DKIM-sign messages using OpenDKIM. This morning I discovered that Postfix had stopped on that server. Whether it is related to the Postfix issue or not is yet to be determined, but in the process of getting things restarted I ran across this error with OpenDKIM:

  # service opendkim restart
  Stopping OpenDKIM Milter:                                  [FAILED]
  Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: refile:/etc/opendkim/TrustedHosts: dkimf_db_open(): Permission denied
                                                             [FAILED]

I checked the permissions and ownership on the file and everything seems normal. I then checked audit2why and got this:

  audit2allow: error: no such option: --
  [root@inet08 opendkim]# audit2why -l -a
  type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_read_search } for pid=15213 comm="opendkim" capability=2 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
          Was caused by:
                  Missing type enforcement (TE) allow rule.

                  You can use audit2allow to generate a loadable module to allow this access.

  type=AVC msg=audit(1399898848.286:2317): avc: denied { dac_override } for pid=15213 comm="opendkim" capability=1 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=unconfined_u:system_r:dkim_milter_t:s0 tclass=capability
          Was caused by:
                  Missing type enforcement (TE) allow rule.

                  You can use audit2allow to generate a loadable module to allow this access.

We have been using DKIM for a little while now, and our DMARC records indicate that messages from our domains should be signed, so this problem needed an immediate fix or workaround. What I ended up with was this .te file that generates an SEModule which at least gets the service running.

What else it opens us up to I am not sure, so I would appreciate some commentary on how I should proceed to obtain a permanent fix:

  module localOpenDKIMmod 1.0;

  require {
          type dkim_milter_t;
          class capability { dac_read_search dac_override };
  }

  #============= dkim_milter_t ==============
  allow dkim_milter_t self:capability { dac_read_search dac_override };

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                           mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited                     http://www.harte-lyne.ca
9 Brockley Drive                         vox: +1 905 561 1241
Hamilton, Ontario                        fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
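Before loading a module that hands dkim_milter_t the dac_read_search and dac_override capabilities, it is worth confirming whether ordinary file permissions would let the milter read TrustedHosts at all: the kernel only falls back to those two capabilities when the mode bits and ownership would refuse the access, so a capability AVC like the one above normally means some component of the path is not readable by the uid that opens the file, and a chown/chmod removes the need for the allow rule. The script below is an added example (not from the original post or the OpenDKIM project); it assumes GNU stat and absolute paths without whitespace, and takes the uid and group list to evaluate as arguments.

```shell
#!/bin/sh
# Walk a path and report whether DAC alone (mode bits + ownership) lets the
# given uid/gids search every directory and read the final file.  If it does
# not, any access is being served through CAP_DAC_READ_SEARCH/CAP_DAC_OVERRIDE,
# which is what the AVCs for dkim_milter_t show being refused.
# Assumes GNU stat (-c) and absolute paths without whitespace.

# dac_allows MODE OWNER_UID OWNER_GID WANT UID "GID ..."
#   WANT is r (read) or x (search/traverse). Returns 0 if DAC grants it.
dac_allows() {
    mode=$1; fuid=$2; fgid=$3; want=$4; uid=$5; gids=$6
    perm=$(( 0$mode & 0777 ))           # strip setuid/setgid/sticky bits
    if [ "$uid" -eq "$fuid" ]; then
        bits=$(( (perm >> 6) & 7 ))     # owner class
    else
        bits=$(( perm & 7 ))            # other class unless a group matches
        for g in $gids; do
            [ "$g" -eq "$fgid" ] && bits=$(( (perm >> 3) & 7 )) && break
        done
    fi
    case $want in r) mask=4 ;; x) mask=1 ;; *) return 2 ;; esac
    [ $(( bits & mask )) -ne 0 ]
}

# dac_path_check PATH UID "GID ..."
#   Prints the first component DAC would refuse and returns 1; returns 0 when
#   the file is reachable and readable without any capability.
dac_path_check() {
    target=$1; uid=$2; gids=$3
    comps=""; dir=$(dirname "$target")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do   # parents, / downwards
        comps="$dir $comps"; dir=$(dirname "$dir")
    done
    for d in / $comps; do
        set -- $(stat -c '%a %u %g' "$d")
        dac_allows "$1" "$2" "$3" x "$uid" "$gids" ||
            { echo "DAC denies search on $d (mode $1 uid $2 gid $3)"; return 1; }
    done
    set -- $(stat -c '%a %u %g' "$target")
    dac_allows "$1" "$2" "$3" r "$uid" "$gids" ||
        { echo "DAC denies read on $target (mode $1 uid $2 gid $3)"; return 1; }
    echo "DAC grants read on $target"
}

# Example use on the file from the error message, once as the unprivileged
# account the milter drops to and once as root (uid 0) for the pre-drop open:
#   dac_path_check /etc/opendkim/TrustedHosts "$(id -u opendkim)" "$(id -G opendkim)"
#   dac_path_check /etc/opendkim/TrustedHosts 0 0
```

A "DAC denies" result for uid 0 on a file owned by another account with mode 0600 is exactly the situation that makes the kernel ask for dac_read_search and dac_override.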