On Wed, Jul 30, 2014 at 12:51 PM, Steve Jenkins <steve_at_stevejenkins.com> wrote:
> My default opendkim.conf file has:
>
> UserID opendkim:opendkim
>
>
> But I'm attempting to help resolve this bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=891292
>
> Please refer to my comment #47.
>
> Is it OK to run the opendkim process as root?
No, it's not ok to run as root. Basically, selinux wants root to be
the owner of pretty much everything /etc, so make everything be owned
by root:%{name}.
I am no selinux expert, but I think in order to fix your packaging,
comment 36 addresses what to do with the files in the
/etc/opendkim/ subdirectory:
-%config(noreplace) %attr(640,%{name},%{name})
%{_sysconfdir}/%{name}/SigningTable
-%config(noreplace) %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/KeyTable
-%config(noreplace) %attr(640,%{name},%{name})
%{_sysconfdir}/%{name}/TrustedHosts
+%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/SigningTable
+%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/KeyTable
+%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/TrustedHosts
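Review bot: moving SigningTable, KeyTable and TrustedHosts to root ownership is incomplete on its own, because the `%dir %attr(640,%{name},%{name})` entries for `%{_sysconfdir}/%{name}` and `%{_sysconfdir}/%{name}/keys` quoted further down are not in this hunk; while the opendkim user still owns those directories it can rename or replace the root-owned files inside them, which undoes the protection the hunk is after. Change the `%dir` lines to `root,%{name}` in the same patch, and give them a mode with the execute bit (for example `750` rather than `640`), since group members cannot enter a directory that lacks `x` even when it is group-readable. The first and third `-` lines also appear wrapped by the mail client; a resend with the spec lines intact would make the patch apply cleanly.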
Then per comment 37, make the keys subdirectories have root own them,
but group opendkim can read:
%dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
%dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys
Then make the default supplied keys have something accessible yet
group restricted the way that opendkim requires:
%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/keys/*.private
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/keys/*.txt
I think that the %post by default will include a restorecon so you
shouldn't have to mess with that manually.
Hopefully this will help a bit, or at least spark a bit of genius
among those who know selinux better than us. :-)
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
Received on Wed Jul 30 2014 - 20:22:21 PST
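The permission scheme laid out in the reply above, turned into a small audit script. This is an added example and is not code from the thread, from the Fedora package or from OpenDKIM; the function names, the sample tree built under mktemp and the placeholder key contents are constructed for the demonstration. It inspects mode bits only (changing ownership to root:opendkim needs root, so that part is left to the package), and it treats a directory without the group execute bit as a violation, because group members need that bit to enter the directory regardless of the read bit.

```shell
#!/bin/sh
# Added example, not from the thread: audit an opendkim config tree for the
# mode scheme discussed above (group-readable config and private keys, no
# world-readable keys, nothing world-writable). Ownership is not checked,
# so the script runs unprivileged against a constructed sample tree.

# Print one line per policy violation under the tree $1.
list_violations() {
    dir=$1
    # A directory without the group execute bit cannot be entered by group
    # members even if it is group-readable, so 640 on a %dir blocks the milter.
    find "$dir" -type d ! -perm -010 | sed 's/^/dir not group-traversable: /'
    # Private keys must carry no "other" read bit (640 is fine, 644 is not).
    find "$dir" -type f -name '*.private' -perm -004 | sed 's/^/world-readable key: /'
    # Nothing in the tree may be world-writable.
    find "$dir" -perm -002 | sed 's/^/world-writable: /'
}

# Number of violations as a bare integer (tr strips BSD wc padding).
count_violations() {
    list_violations "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree mirroring the spec file layout
# (SigningTable, KeyTable, TrustedHosts, keys/*.private, keys/*.txt).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/keys"
    printf 'placeholder, not a real key\n' > "$t/keys/default.private"
    printf 'default._domainkey IN TXT "v=DKIM1; p=PLACEHOLDER"\n' > "$t/keys/default.txt"
    : > "$t/SigningTable"
    : > "$t/KeyTable"
    : > "$t/TrustedHosts"
    echo "$t"
}

# Apply a mode set: $1 tree, $2 directory mode, $3 private-key mode.
# Tables and the public *.txt files get the modes from the mail (640 / 644).
apply_modes() {
    chmod "$2" "$1" "$1/keys"
    chmod "$3" "$1"/keys/*.private
    chmod 644 "$1"/keys/*.txt
    chmod 640 "$1/SigningTable" "$1/KeyTable" "$1/TrustedHosts"
}

# Stand-alone demo: weak layout first, then the corrected one.
demo_tree=$(make_sample_tree)
apply_modes "$demo_tree" 740 644      # owner-only traversal, key readable by all
echo "weak layout: $(count_violations "$demo_tree") violation(s)"
list_violations "$demo_tree"
apply_modes "$demo_tree" 750 640      # group may enter dirs, key is group-only
echo "fixed layout: $(count_violations "$demo_tree") violation(s)"
rm -rf "$demo_tree"
```

Run it against a real tree with `list_violations /etc/opendkim` after the package is installed; a clean result is an empty list. The weak scenario uses 740 rather than the mail's 640 on directories only so that the unprivileged walk stays deterministic (the owner can still descend); 640 would be flagged the same way.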