
ID | Project | Category | View Status | Last Update
0016299 | CentOS-7 | -OTHER | public | 2019-12-25 08:39
Reporter: TigerP
Priority: normal | Severity: major | Reproducibility: always
Status: new | Resolution: open
Product Version: 7.6.1810
Target Version: (none) | Fixed in Version: (none)
Summary: 0016299: opendmarc SELinux policy not complete
Description: Jul 28 01:16:29 kari setroubleshoot: SELinux is preventing opendmarc from execute access on the file /usr/bin/bash. For complete SELinux messages run: sealert -l 20e14de5-5d48-4353-a779-60371ad0d964
Jul 28 01:16:29 kari python: SELinux is preventing opendmarc from execute access on the file /usr/bin/bash.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that opendmarc should be allowed execute access on the bash file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'opendmarc' --raw | audit2allow -M my-opendmarc#012# semodule -i my-opendmarc.pp#012
Steps To Reproduce: install the opendmarc package.
Configure the ReportCommand in /etc/opendmarc.conf
Send an email from a domain that has ruf defined in the _dmarc Resource Record of the domain's DNS.
This should trigger the SELinux denial message and a "pclose() exited with status 127" entry in the syslog.
Tags: selinux
abrt_hash
URL

Activities

tuxmaster

2019-12-25 08:08

reporter   ~0035888

I have the same problem:
ausearch -c 'opendmarc' --raw
type=AVC msg=audit(1573851934.285:1612): avc: denied { execute } for pid=8849 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1573851934.285:1612): arch=c000003e syscall=59 success=no exit=-13 a0=7fa5fa1e5cc9 a1=7fa5f3fd9dd0 a2=7fffa2792a68 a3=7fa5f3fff9d0 items=0 ppid=999 pid=8849 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1573851934.285:1612): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1573857058.530:1785): avc: denied { execute } for pid=14303 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1573857058.530:1785): arch=c000003e syscall=59 success=no exit=-13 a0=7fa5fa1e5cc9 a1=7fa5f3fd9dd0 a2=7fffa2792a68 a3=7fa5f3fff9d0 items=0 ppid=999 pid=14303 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1573857058.530:1785): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1574531768.684:25398): avc: denied { execute } for pid=11713 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1574531768.684:25398): arch=c000003e syscall=59 success=no exit=-13 a0=7fa5fa1e5cc9 a1=7fa5f8c08dd0 a2=7fffa2792a68 a3=7fa5f8c2e9d0 items=0 ppid=999 pid=11713 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1574531768.684:25398): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1576020042.224:20745): avc: denied { execute } for pid=21968 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576020042.224:20745): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7ead794dd0 a2=7ffdfb596e18 a3=7f7ead7ba9d0 items=0 ppid=1004 pid=21968 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1576020042.224:20745): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1576020877.768:20767): avc: denied { execute } for pid=22025 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576020877.768:20767): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7ead794dd0 a2=7ffdfb596e18 a3=7f7ead7ba9d0 items=0 ppid=1004 pid=22025 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1576020877.768:20767): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1576103594.842:23652): avc: denied { execute } for pid=29693 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576103594.842:23652): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7e9f7d8dd0 a2=7ffdfb596e18 a3=7f7e9f7fe9d0 items=0 ppid=1004 pid=29693 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1576103594.842:23652): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1576678557.896:44242): avc: denied { execute } for pid=5212 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576678557.896:44242): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7e9e7d6dd0 a2=7ffdfb596e18 a3=7f7e9e7fc9d0 items=0 ppid=1004 pid=5212 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1576678557.896:44242): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1576681472.797:44325): avc: denied { execute } for pid=7393 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576681472.797:44325): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7e9e7d6dd0 a2=7ffdfb596e18 a3=7f7e9e7fc9d0 items=0 ppid=1004 pid=7393 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1576681472.797:44325): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1576683012.297:44391): avc: denied { execute } for pid=9248 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576683012.297:44391): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7e9e7d6dd0 a2=7ffdfb596e18 a3=7f7e9e7fc9d0 items=0 ppid=1004 pid=9248 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1576683012.297:44391): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1577115887.729:59704): avc: denied { execute } for pid=16402 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1577115887.729:59704): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7e9e7d6dd0 a2=7ffdfb596e18 a3=7f7e9e7fc9d0 items=0 ppid=1004 pid=16402 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1577115887.729:59704): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
type=AVC msg=audit(1577127249.285:60090): avc: denied { execute } for pid=23626 comm="opendmarc" name="bash" dev="sda2" ino=790871 scontext=system_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1577127249.285:60090): arch=c000003e syscall=59 success=no exit=-13 a0=7f7eafd73cc9 a1=7f7e9e7d6dd0 a2=7ffdfb596e18 a3=7f7e9e7fc9d0 items=0 ppid=1004 pid=23626 auid=4294967295 uid=478 gid=477 euid=478 suid=478 fsuid=478 egid=477 sgid=477 fsgid=477 tty=(none) ses=4294967295 comm="opendmarc" exe="/usr/sbin/opendmarc" subj=system_u:system_r:dkim_milter_t:s0 key=(null)
type=PROCTITLE msg=audit(1577127249.285:60090): proctitle=2F7573722F7362696E2F6F70656E646D617263002D63002F6574632F6F70656E646D6172632E636F6E66002D50002F7661722F72756E2F6F70656E646D6172632F6F70656E646D6172632E706964
TigerP

2019-12-25 08:39

reporter   ~0035889

I was able to fix the issue with the following steps:
Create a file named my-opendmarc-all.te with the following content:

# Local SELinux policy module for the opendmarc milter (domain dkim_milter_t).
# Scope note: this is wider than the single shell_exec_t denial quoted in the
# report -- it covers the shell that ReportCommand spawns plus the mail
# submission path it presumably drives (sendmail/postdrop into the postfix
# spool). Every rule applies to the whole milter domain, so drop any that the
# local ReportCommand does not actually need.
module my-opendmarc-all 1.1;

require {
        # Source domain.
        type dkim_milter_t;
        # Executables the milter is allowed to run.
        type postfix_postdrop_exec_t;
        type sendmail_exec_t;
        type shell_exec_t;
        # Postfix objects touched while submitting the report mail.
        type postfix_etc_t;
        type postfix_master_t;
        type postfix_public_t;
        type postfix_spool_t;
        class dir { add_name remove_name search write };
        class file { create execute execute_no_trans getattr open read rename setattr unlink write };
        class process setrlimit;
        class sock_file { getattr write };
        class unix_stream_socket connectto;
}

#============= dkim_milter_t: executables ==============
# execute_no_trans means no domain transition: the shell and the submission
# tools keep running as dkim_milter_t, which is why the postfix rules further
# down are needed in this same module.
allow dkim_milter_t shell_exec_t:file { execute execute_no_trans };
allow dkim_milter_t sendmail_exec_t:file { execute execute_no_trans getattr open read };
allow dkim_milter_t postfix_postdrop_exec_t:file { execute execute_no_trans open read };

#============= dkim_milter_t: postfix submission path ==============
# Read postfix configuration.
allow dkim_milter_t postfix_etc_t:dir search;
allow dkim_milter_t postfix_etc_t:file { getattr open read };
# Talk to the master process over its public socket.
allow dkim_milter_t postfix_master_t:unix_stream_socket connectto;
allow dkim_milter_t postfix_public_t:dir search;
allow dkim_milter_t postfix_public_t:sock_file { getattr write };
# Create, rename and remove queue files in the spool.
allow dkim_milter_t postfix_spool_t:dir { add_name remove_name search write };
allow dkim_milter_t postfix_spool_t:file { create getattr open read rename setattr unlink write };

#============= dkim_milter_t: self ==============
# Presumably requested by one of the executed tools adjusting its own limits.
allow dkim_milter_t self:process setrlimit;

Then run the following commands to build and install it:
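# Compile, package and load the module. The steps are chained with && so a
# failed compile or packaging step does not go on to install a stale or
# missing .pp file.
#   checkmodule -M: MLS/MCS-capable module; -m: non-base (loadable) module.
#   semodule_package -m: wrap the compiled .mod into a .pp package.
#   semodule -i: load the package into the active policy store.
checkmodule -M -m -o my-opendmarc-all.mod my-opendmarc-all.te \
  && semodule_package -m my-opendmarc-all.mod -o my-opendmarc-all.pp \
  && semodule -i my-opendmarc-all.pp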

Issue History

Date Modified Username Field Change
2019-07-28 14:56 TigerP New Issue
2019-12-25 08:08 tuxmaster Note Added: 0035888
2019-12-25 08:39 TigerP Note Added: 0035889
2019-12-25 08:39 TigerP Tag Attached: selinux