
I have installed opendkim on CentOS 6 and set the TemporaryDirectory to /var/tmp in the opendkim.conf configuration file. After restarting the service and trying to send an email I get an error in the postfix log that reads

opendkim[27392]: F2C3E20509: dkim_eoh(): resource unavailable: can't create temporary file at /var/tmp/dkim.F2C3E20509.FiOvYB: Permission denied

So, I looked into the permissions of the tmp folder (ls -l /var/) and they are

drwxrwxrwt.  2 root root 4096 Nov 23 20:42 tmp

As I understand this, everybody should be able to write into the /var/tmp folder. Why is a Permission denied error message returned?

Chloe
seyfe
  • When I change the TemporaryDirectory to just `/tmp` I get the same error message (only with `/tmp` as the path) – seyfe Nov 24 '15 at 22:23
  • It's an SELinux error. Check your `/var/log/audit/audit.log`. _"type=AVC msg=audit(1483830362.695:363445): avc: denied { write } for pid=23193 comm="opendkim" name="tmp" dev=xvde ino=9109 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir"_ Sorry I don't know how to fix it yet. – Chloe Jan 07 '17 at 23:08
  • `# ls -dZ /var/tmp` yields `drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp` – Chloe Jan 07 '17 at 23:14

3 Answers


From my experience, this is caused by a missing SELinux policy. You can get the error detailing the missing permissions from the audit log, and use that to generate an SELinux module package with:

grep opendkim /var/log/audit/audit.log | audit2allow -M opendkim

The -M option designates the name of the module package; you can name it something else if you like. That command will generate two files: opendkim.pp, which is the actual SELinux module package, and opendkim.te, a text file showing you which policies the module package contains.

If the policies look good, then import the module package with:

semodule -i opendkim.pp
Dedgar
  • That policy says it can write to root directories. That seems a little too permissive! Is there another way that is more specific? `#!!!! The source type 'dkim_milter_t' can write to a 'dir' of the following types: # dkim_milter_data_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t` – Chloe Jan 07 '17 at 23:11
  • Strange, I imported the module and it _still_ doesn't work! – Chloe Jan 07 '17 at 23:54
The updated answer:

Go to /etc/opendkim.conf and change this line:

TemporaryDirectory /var/tmp

to:

TemporaryDirectory /var/run/opendkim

And restart your mail services (for example):

# service opendkim restart
# chkconfig opendkim on
# service postfix restart
Dennis

The question already had a solution here

There is no need to allow OpenDKIM to write to any other directories. Just write to the default temporary directory, /var/run/opendkim, which should already exist and have the correct SELinux context to allow it to be written to.

(And here is a solution to avoid this problem in SELinux way.)

So. Very old thread that defies resolution. A few days ago I found this thread since I had the same problem, and I solved it by using Dedgar's solution.

And you can try the steps below if you really want to set TemporaryDirectory to /var/tmp.

The log looks like:

opendkim[46233]: E9A563F480: dkim_eoh(): resource unavailable: can't create temporary file at /var/tmp/dkim.E9A563F480.IjgWhi: Permission denied

And as Chloe said, it's an SELinux error, because everybody should be able to write into the /var/tmp folder.

Check the log file:

# grep opendkim /var/log/audit/audit.log

Got:

...
type=SYSCALL msg=audit(1484968513.231:1415886): arch=c000003e syscall=2 success=no exit=-13 a0=7fc21e6e4910 a1=c2 a2=180 a3=0 items=0 ppid=46231 pid=14906 auid=500 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=3274 comm="opendkim" exe=2F7573722F7362696E2F6F70656E646B696D202864656C6574656429 subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)
type=AVC msg=audit(1484968573.318:1415887): avc:  denied  { write } for  pid=14916 comm="opendkim" name="tmp" dev=dm-0 ino=129564 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
...

As Dedgar said, it seems like opendkim is missing a policy that allows it to create files in the tmp directory. So first, check the dir type:

# ll -Zd /var/tmp/
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /var/tmp/

then check if opendkim has permission to access /var/tmp:

# ll -Z /usr/sbin/opendkim 
-rwxr-xr-x. root root system_u:object_r:dkim_milter_exec_t:s0 /usr/sbin/opendkim
# sesearch -A -s dkim_milter_t| grep tmp_t

Output may look like:

...
allow daemon puppet_tmp_t : file { ioctl read write getattr lock append } ;
allow dkim_milter_t tmp_t : file { write create unlink open } ;
allow dkim_milter_t tmp_t : dir { write add_name remove_name } ;
allow domain tmp_t : dir { getattr search open } ;
...

Notice the lines

allow dkim_milter_t tmp_t : file { write create unlink open } ; 
allow dkim_milter_t tmp_t : dir { write add_name remove_name } ; 

This almost tells us that dkim_milter_t has permission to access directories with type tmp_t like /var/tmp.

But in most cases we don't have these lines in the output, or this conf doesn't work at all, or some other case...

So, we need to add a policy that gives the dkim_milter_t type, which opendkim uses, permission to access files or dirs that have type tmp_t. And the simplest way is using audit2allow, like Dedgar put:

grep opendkim /var/log/audit/audit.log | audit2allow -M opendkim
semodule -i opendkim.pp

It will generate an SELinux policy to do the things above. But I don't know for sure why it won't work in Chloe's case. Here is my opendkim.te:

module opendkim 1.0;

require {
        type tmp_t;
        type dkim_milter_t;
        class dir { write remove_name add_name };
        class file { write create unlink open };
}
allow dkim_milter_t tmp_t:dir { write remove_name add_name };
allow dkim_milter_t tmp_t:file { write create unlink open };

And if you need to regenerate the file (opendkim.pp in this case) manually:

checkmodule -M -m -o opendkim.mod opendkim.te
semodule_package -o opendkim.pp -m opendkim.mod

And then semodule -i opendkim.pp for what you need.

Se ven
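As an added example (not from any of the answers above, and not OpenDKIM's or audit2allow's own code), the following POSIX shell/awk script does by hand what the `grep opendkim /var/log/audit/audit.log | audit2allow -M opendkim` step in Dedgar's and Seven's answers does: it reads AVC denial records, keeps only those for a given process name from a given time onward, and prints the .te source with the require block and allow rules, in the same shape as the opendkim.te shown in the last answer. It assumes awk and grep on PATH; the sample audit records (modelled on the ones quoted in the thread), the timestamps, the extra postfix record and the `avc_to_te`, `sample_te` and `sample_rules` names are all constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original answers: a POSIX-awk sketch of what
# `audit2allow` does with AVC denial records, so that the allow rules can
# be read and narrowed before they are built with checkmodule/semodule_package
# and loaded with semodule -i. Assumes awk and grep on PATH.

# Constructed sample modelled on the audit records quoted in the thread.
# The SYSCALL record and the postfix record are there to show what must be
# ignored; the timestamps and inode numbers are made up.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1484968513.231:1415886): arch=c000003e syscall=2 success=no exit=-13 comm="opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)
type=AVC msg=audit(1483830362.695:363445): avc:  denied  { write } for  pid=23193 comm="opendkim" name="tmp" dev=xvde ino=9109 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1484968573.318:1415887): avc:  denied  { add_name } for  pid=14916 comm="opendkim" name="tmp" dev=dm-0 ino=129564 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1484968573.320:1415888): avc:  denied  { create } for  pid=14916 comm="opendkim" name="dkim.E9A563F480.IjgWhi" scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1484968573.400:1415889): avc:  denied  { read } for  pid=14920 comm="postfix" name="dkim.E9A563F480.IjgWhi" scontext=system_u:system_r:postfix_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

# avc_to_te MODULE COMM SINCE
# Reads audit records on stdin and prints a .te policy source built only from
# the AVC denials whose comm= equals COMM and whose audit timestamp is at
# least SINCE (seconds since the epoch). Prints nothing if no record matches.
avc_to_te() {
    awk -v module="$1" -v comm="$2" -v since="$3" '
    # add perm to the space-separated set stored in set[key], once
    function addperm(set, key, perm) {
        if (index(" " set[key] " ", " " perm " ") == 0)
            set[key] = (set[key] == "" ? perm : set[key] " " perm)
    }
    BEGIN { split("", cperms); split("", rperms) }
    /^type=AVC / && /denied/ {
        # process name, record time, denied permissions, source/target type, class
        c = $0; sub(/^.*comm="/, "", c); sub(/".*$/, "", c)
        if (c != comm) next
        t = $0; sub(/^.*msg=audit[(]/, "", t); sub(/\..*$/, "", t)
        if (t + 0 < since + 0) next
        perms = $0; sub(/^.*denied +[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        s = $0; sub(/^.*scontext=/, "", s); sub(/ .*$/, "", s); split(s, sc, ":")
        o = $0; sub(/^.*tcontext=/, "", o); sub(/ .*$/, "", o); split(o, tc, ":")
        cls = $0; sub(/^.*tclass=/, "", cls); sub(/ .*$/, "", cls)
        stype = sc[3]; ttype = tc[3]
        # remember types, classes and rules in first-seen order
        if (!(stype in tseen)) { tseen[stype] = 1; types[++ntypes] = stype }
        if (!(ttype in tseen)) { tseen[ttype] = 1; types[++ntypes] = ttype }
        if (!(cls in cseen)) { cseen[cls] = 1; classes[++nclasses] = cls }
        key = stype " " ttype ":" cls
        if (!(key in rseen)) { rseen[key] = 1; rules[++nrules] = key }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) { addperm(cperms, cls, p[i]); addperm(rperms, key, p[i]) }
    }
    END {
        if (nrules == 0) exit
        printf "module %s 1.0;\n\nrequire {\n", module
        for (i = 1; i <= ntypes; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nclasses; i++)
            printf "\tclass %s { %s };\n", classes[i], cperms[classes[i]]
        printf "}\n"
        for (i = 1; i <= nrules; i++) printf "allow %s { %s };\n", rules[i], rperms[rules[i]]
    }'
}

# Helpers over the constructed sample: the whole .te, and just its allow lines.
sample_te() { printf '%s\n' "$SAMPLE_AUDIT" | avc_to_te opendkim opendkim "$1"; }
sample_rules() { sample_te "$1" | grep '^allow' || true; }

# Stand-alone run: print the module built from every sample denial.
sample_te 0
```

Feeding the whole audit log through grep, as both answers do, hands audit2allow every denial ever recorded for opendkim, which is one way a generated module can end up broader than the single tmp_t rule this error needs; the SINCE argument keeps the input to the records from the failing send. Compare the printed require and allow lines with the opendkim.te above before running checkmodule, semodule_package and semodule -i.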