Re: OpenDKIM now available in Fedora & EPEL testing repos

From: Steve Jenkins <stevejenkins_at_gmail.com>
Date: Sat, 27 Aug 2011 12:05:56 -0700

On Sat, Aug 27, 2011 at 2:00 AM, Daniel Black
<daniel.subs_at_internode.on.net> wrote:
> On Sat, 27 Aug 2011 03:30:18 AM Todd Lyons wrote:
>> On Fri, Aug 26, 2011 at 7:47 AM, Steve Jenkins <stevejenkins_at_gmail.com>
> wrote:
>> >> Very good point, I never noticed that.  Steve, it's typical for a
>> >> package with an init script that requires some user customization of
>> >> startup parameters to:
>> >> 1. Create a %{sysconfdir}/sysconfig/%{name} file which will contain
>> >> simply: 2. And then in the init script, after you set any default
>> >> options,
>
> works for me...
>
>> > Yep. That's a great idea from Daniel. After 2.4.2-3 gets pushed out of
>> > the testing repos to the stable ones....
>> Understood.
> here too.
>
>
>> >> Ah, yeah, we need to handle selinux scenarios too.  I hate SELinux. :-(
>
> It's good and generally painless provided the packagers do the work to make
> things work :-)
> ...
>
>> > "I maintain in Fedora spamass-milter and milter-regex, and I also have
>> > local packages for smf-spf and smf-sav. I have SELinux policy for all
>> > of these, and wrote the milter policy in SELinux reference policy,
>> > which is what Fedora's SELinux policy is based on.
>> >
>> > "Please let me know if I can be of help."
>>
>> DING DING, we have a WINNER! I nominate him to help us unless Dan
>> beats him to it.
>
> I'd take this Fedora maintainer up on this. In essence it's mainly a milter
> problem in general that needs a distro-wide solution.
>
> Sendmail and postfix need to be allowed to access selinux port contexts (
> http://wiki.centos.org/HowTos/SELinux section 5.4 ) OR opendkim needs to use
> setsockcreatecon ( http://www.nixway.net/index.php?manitem&mid=11729 ) before
> setting up the listening port (that sendmail/postfix can access though
> permissions defined on those packages).
>
> An SELinux context is needed on unix sockets created by milters that the
> mail servers need to connect to as well. Given it's opendkim that creates the
> unix socket, it probably needs to be created in the right SELinux context (
> setfscreatecon ) and restored afterwards, rather than following section 7 of the
> CentOS wiki.
>
> If the desired solution is to make opendkim selinux aware I can get some
> opendkim patches for making it selinux aware if you'd like.
>
> ref: http://www.spinics.net/lists/selinux/msg10746.html
>
> If some stricter selinux policies are attempted I'd get a context for the RSA
> private key that only opendkim can read.
>
> Given opendkim needs only to write a limited set of files
> (DiagnosticDirectory, QueryCache), perhaps some restrictions here to prevent an
> exploit making the most of wide discretionary access (group=mail).
>
> The paths used need to be planned out and documented in the config file
> though.
>
> Also need to take into account the permissions opendkim uses - execute on sendmail
> (arf-dkim-reporting), reading of various map types (though for libraries like lua
> and libdb it is still just a file read).
>
> A couple of selinux booleans should exist to allow opendkim to connect to the
> various db types supported by opendbx and ldap.
>
> Network-wise opendkim uses DNS, so this needs a rule.
>
> I think that's most of the permissions covered.
>
>> I found a small bug and possibly a change that at least deserves
>> consideration.  We have stats capability enabled by default in the
>> binary, but not in the config file:
>> 1. In opendkim.conf, the statistics directive is commented out.  This
>> is good because the defined stats directory is /var/opendkim/stats,
>> which does not exist because /var/opendkim is not owned by the
>> opendkim package.  This is what /var/spool/opendkim was created for,
>> so the path in the config file (even though it's commented out) should
>> be changed to /var/spool/opendkim.
>
> yep.
>
>> 2. In the same vein, the filename "stats" could be very confusing to
>> someone looking at this for the first time.  I ask that you consider
>> naming it stats.txt to clearly indicate to people that it's just a
>> plain text file.
>
> agree.
>
>> 3. Since we enable stats by default, we should include the script and
>> readme for stats:
>> %doc contrib/stats/README.opendkim-reportstats
>> install contrib/stats/opendkim-reportstats  to
>> %{prefix}/bin/opendkim-reportstats
>> modify the opendkim-reportstats to use the defaults you specify in #1
>> and #2 above.  Use either sed or awk or whatever you can to make
>> that work.  I can give you a simple command if necessary.
>
> The installed README also references /var/db.. for keys too.

I've created a GitHub repo to help me manage package updates moving
forward, and am using their simple Issues tool to record ideas shared
in this thread (which are great - thanks) and anything else I come up
with that needs fixing in future versions. I think that tool is open
for anyone to create new issues, so please feel free to comment on
existing issues or submit new ones there:

https://github.com/stevejenkins/OpenDKIM-Fedora/issues

Of course Bugzilla will still also work. But this is where I'll mainly
be writing down ideas of what I have to do next so I don't forget
them. :)

SteveJ
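The socket-labelling and key-permission points Daniel raises above, as an added example (this is not OpenDKIM's code and not code from anyone in this thread). It creates the milter's UNIX socket with mode 0660 so that only the daemon's owner and group can connect (the "mail" group the MTA runs as is an assumption), wraps bind() in setfscreatecon()/setfscreatecon(NULL) when built with -DHAVE_SELINUX so the socket node gets a chosen context and the process's file-creation context is reset afterwards, and refuses a DKIM private key that group or other can read. The HAVE_SELINUX macro, the context string and the /tmp paths are this example's assumptions, not OpenDKIM's.

```c
/* Added example, not OpenDKIM code. Build: gcc demo.c   (DAC checks only)
 * or:   gcc -DHAVE_SELINUX demo.c -lselinux   (also labels the socket node) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>   /* setfscreatecon() from libselinux */
#endif

/* Listen on a UNIX socket at `path`. The node is created 0660, so only the
 * daemon's user and group (assumed: the MTA's group, e.g. "mail") can
 * connect. With HAVE_SELINUX a non-NULL `secon` (assumed label such as
 * "system_u:object_r:dkim_milter_data_t:s0") is set as the file-creation
 * context only for the bind() that creates the node, then reset to default.
 * Returns the listening fd, or -1 with errno set. */
int create_milter_socket(const char *path, const char *secon)
{
    struct sockaddr_un sa;
    mode_t old_umask;
    int fd, err = 0;

    if (strlen(path) >= sizeof(sa.sun_path)) { errno = ENAMETOOLONG; return -1; }
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);
    (void)unlink(path);                 /* remove a stale node from an old run */
#ifdef HAVE_SELINUX
    if (secon != NULL && setfscreatecon(secon) < 0) { err = errno; close(fd); errno = err; return -1; }
#else
    (void)secon;                        /* SELinux support not compiled in */
#endif
    old_umask = umask(0117);            /* 0777 & ~0117 == 0660 for the node */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;
    umask(old_umask);                   /* never leave the daemon's umask changed */
#ifdef HAVE_SELINUX
    if (secon != NULL)
        (void)setfscreatecon(NULL);     /* restore the default creation context */
#endif
    if (err == 0 && listen(fd, 16) < 0)
        err = errno;
    if (err != 0) { close(fd); unlink(path); errno = err; return -1; }
    return fd;
}

/* Permission bits of the node at `path`, or 0 if it does not exist. */
int node_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) < 0 ? 0 : (int)(st.st_mode & 07777);
}

/* 1 if `keypath` is a regular file owned by `owner` with no group/other bits,
 * else 0. Run this before loading the signing key instead of trusting
 * group=mail discretionary access. */
int private_key_is_private(const char *keypath, uid_t owner)
{
    struct stat st;
    if (stat(keypath, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        return 0;
    return (st.st_mode & 077) == 0;
}

/* Constructed placeholder "key" file (not a real key) with an explicit mode. */
static int write_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "not-a-real-key\n", 15) != 15) return -1;
    close(fd);
    return chmod(path, mode);           /* explicit, so umask cannot interfere */
}

/* End-to-end check under /tmp; returns 0 when every expectation holds. */
int demo(void)
{
    char sock[64], good[64], bad[64];
    long pid = (long)getpid();
    int fd, ok = 1;

    snprintf(sock, sizeof sock, "/tmp/opendkim-demo-%ld.sock", pid);
    snprintf(good, sizeof good, "/tmp/opendkim-demo-%ld.good.key", pid);
    snprintf(bad,  sizeof bad,  "/tmp/opendkim-demo-%ld.bad.key", pid);
    fd = create_milter_socket(sock, NULL);
    if (fd < 0 || node_mode(sock) != 0660) ok = 0;
    if (write_file(good, 0600) != 0 || !private_key_is_private(good, getuid())) ok = 0;
    if (write_file(bad, 0640) != 0 || private_key_is_private(bad, getuid())) ok = 0;
    if (fd >= 0) close(fd);
    unlink(sock); unlink(good); unlink(bad);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = demo();
    printf("%s\n", rc == 0 ? "socket is 0660 and key checks behave" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The same wrap-and-restore shape applies to setsockcreatecon(), which labels the socket object itself (relevant for the inet listener case) rather than the filesystem node; after a real run, `ls -Z` on the socket path shows whether the node carried the intended context.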
Received on Sat Aug 27 2011 - 19:06:11 PST