How do I modify SELinux to allow OpenDKIM to write to /var/tmp?

Chloe asked:

I tried this answer (http://serverfault.com/a/744756/123651) but it still gives an error.

Jan 7 23:56:33 ip-172-31-15-65 opendkim[24223]: AF15521407: dkim_eoh(): resource unavailable: can’t create temporary file at /var/tmp/dkim.AF15521407.ennuJK: Permission denied

Here are some of the audit.log

type=AVC msg=audit(1483827348.024:363280): avc:  denied  { write } for  pid=22334 comm="opendkim" name="tmp" dev=xvde ino=40961 scontext=unconfined_u:system_r:dkim_milter_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1483827348.024:363280): arch=c000003e syscall=2 success=no exit=-13 a0=7f7eecd1f910 a1=c2 a2=180 a3=0 items=0 ppid=22035 pid=22334 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=4038 comm="opendkim" exe="/usr/sbin/opendkim" subj=unconfined_u:system_r:dkim_milter_t:s0 key=(null)

# cat opendkim.te

module opendkim 1.0;

require {
        type tmp_t;
        type dkim_milter_t;
        class dir write;
}

#============= dkim_milter_t ==============
#!!!! The source type 'dkim_milter_t' can write to a 'dir' of the following types:
# dkim_milter_data_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow dkim_milter_t tmp_t:dir write;

# semodule -i opendkim.pp

# ls -ldZ /var/tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /var/tmp

# service opendkim restart
Stopping OpenDKIM Milter:                                  [  OK  ]
Starting OpenDKIM Milter:                                  [  OK  ]

I don’t know what else to try.

Reference: I used this guide: https://www.rosehosting.com/blog/how-to-install-and-integrate-opendkim-with-postfix-on-a-centos-6-vps/

CentOS release 6.8 (Final)

My answer:


There is no need to allow OpenDKIM to write to any other directories. Just write to the default temporary directory, /var/run/opendkim, which should already exist and have the correct SELinux context to allow it to be written to.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.