Re: Any issues running as root vs. opendkim?

From: Todd Lyons <tlyons_at_ivenue.com>
Date: Wed, 30 Jul 2014 13:22:01 -0700

On Wed, Jul 30, 2014 at 12:51 PM, Steve Jenkins <steve_at_stevejenkins.com> wrote:
> My default opendkim.conf file has:
>
> UserID opendkim:opendkim
>
>
> But I'm attempting to help resolve this bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=891292
>
> Please refer to my comment #47.
>
> Is it OK to run the opendkim process as root?

No, it's not OK to run as root. Basically, selinux wants root to be
the owner of pretty much everything in /etc, so make everything be owned
by root:%{name}.

I am no selinux expert, but I think in order to fix your packaging,
comment 36 addresses what to do with the files in the
/etc/opendkim/ subdirectory:

-%config(noreplace) %attr(640,%{name},%{name})
%{_sysconfdir}/%{name}/SigningTable
-%config(noreplace) %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/KeyTable
-%config(noreplace) %attr(640,%{name},%{name})
%{_sysconfdir}/%{name}/TrustedHosts
+%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/SigningTable
+%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/KeyTable
+%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/TrustedHosts
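Review bot: the two `-` lines for SigningTable and TrustedHosts are wrapped across two lines each (`-%config(noreplace) %attr(640,%{name},%{name})` with the `%{_sysconfdir}/%{name}/SigningTable` path on a line of its own), presumably by the mail client, so the hunk will not apply as pasted; re-join each into a single line so it matches the one-line `+` entries. The three `+` lines are consistent with each other (owner root, group %{name}, mode 640), which leaves the daemon read-only access to its tables once it runs unprivileged, so anything that expects the opendkim user to write those files will need to be adjusted in the same change.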

Then, per comment 37, make the keys subdirectories owned by root but
readable by group opendkim:
%dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
%dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys

Then make the default supplied keys have something accessible yet
group-restricted, the way that opendkim requires:

%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/keys/*.private
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/keys/*.txt

I think that the %post by default will include a restorecon so you
shouldn't have to mess with that manually.

Hopefully this will help a bit, or at least spark a bit of genius
among those who know selinux better than us. :-)

...Todd
-- 
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
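A check of the resulting layout on a running host, as an added example that is not part of the list post or of the opendkim package: it audits a config directory against the owner, group and mode values discussed above (root owner, group opendkim, 640 for the tables and `keys/*.private`, 644 for `keys/*.txt`). It assumes GNU coreutils `stat -c`; the directory mode 750 is an assumption made here, since a directory needs the execute bit before the daemon's group can traverse it.

```shell
#!/bin/sh
# Added example, not from the list post: audit an OpenDKIM config tree against
# the owner/group/mode layout described above. Assumes GNU coreutils stat (-c).
# The config dir /etc/opendkim and the group name "opendkim" come from the post.

# check_entry PATH OWNER GROUP MODE: print one line on mismatch, return 1
check_entry() {
    path=$1
    want="$2:$3:$4"
    [ -e "$path" ] || { echo "$path: missing"; return 1; }
    got=$(stat -c '%U:%G:%a' "$path")   # owner:group:octal mode
    [ "$got" = "$want" ] && return 0
    echo "$path: expected $want, got $got"
    return 1
}

# audit_opendkim_perms DIR OWNER GROUP
# Tables and private keys: 640 (daemon's group may read, only the owner writes).
# Public-key .txt files: 644. Directories: 750, since a directory needs the
# execute bit for the daemon's group to traverse it (assumption, see lead-in).
# Returns 0 if everything matches, 1 if any entry deviates or a table is missing.
audit_opendkim_perms() {
    dir=$1
    owner=$2
    group=$3
    rc=0
    for entry in ".:750" "keys:750" \
                 "SigningTable:640" "KeyTable:640" "TrustedHosts:640"; do
        check_entry "$dir/${entry%%:*}" "$owner" "$group" "${entry##*:}" || rc=1
    done
    # key files are optional; an unmatched glob stays literal and is skipped
    for f in "$dir"/keys/*.private; do
        [ -e "$f" ] && { check_entry "$f" "$owner" "$group" 640 || rc=1; }
    done
    for f in "$dir"/keys/*.txt; do
        [ -e "$f" ] && { check_entry "$f" "$owner" "$group" 644 || rc=1; }
    done
    return "$rc"
}

# On a real host: audit_opendkim_perms /etc/opendkim root opendkim
```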
Received on Wed Jul 30 2014 - 20:22:21 PST