Re: Any issues running as root vs. opendkim?

From: Steve Jenkins <steve_at_stevejenkins.com>
Date: Wed, 30 Jul 2014 13:34:36 -0700

On Wed, Jul 30, 2014 at 1:22 PM, Todd Lyons <tlyons_at_ivenue.com> wrote:

> Then per comment 37, make the keys subdirectories have root own them,
> but group opendkim can read:
> %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
> %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys
>

Did you mean:

%dir %attr(640,root,%{name}) %{_sysconfdir}/%{name}
%dir %attr(640,root,%{name}) %{_sysconfdir}/%{name}/keys

Also, I see most directories are at least root executable. Any reason those
shouldn't be:

%dir %attr(740,root,%{name}) %{_sysconfdir}/%{name}
%dir %attr(740,root,%{name}) %{_sysconfdir}/%{name}/keys

> Then make the default supplied keys have something accessible yet
> group restricted the way that opendkim requires:
>
> %config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/keys/*.private
> %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/keys/*.txt
>

Can't do this in the spec file, because these files don't exist until first
run. But the keygen file I posted earlier will address this, and I can patch
this time.


> I think that the %post by default will include a restorecon so you
> shouldn't have to mess with that manually.
>

That went over my head. :)


> Hopefully this will help a bit, or at least spark a bit of genius
> among those who know selinux better than us. :-)
>

Thx again for your always brilliant input. :)

SJ
Received on Wed Jul 30 2014 - 20:34:50 PST
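
Added example, not part of the original message or of the opendkim packaging: a small model of the POSIX owner/group/other check, applied to the directory modes discussed above to show whether a non-root opendkim process could open a 640 root:opendkim key file beneath them. The uid/gid numbers and the 750 comparison mode are assumptions for illustration, and parent directories such as /etc are assumed traversable.

```python
# Model of the POSIX owner/group/other check for a non-root process.
# uid/gid numbers are constructed; root's DAC override is not modelled.
ROOT_UID, ROOT_GID = 0, 0
DKIM_UID, DKIM_GID = 495, 495   # assumed ids for user/group "opendkim"

R, X = 4, 1  # read and execute/search bits inside one rwx triplet


def perm_class(mode, owner, group, uid, gids):
    """Return the single rwx triplet (0-7) that applies to this accessor."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_list(directory, uid, gids):
    """Reading entry names needs r on the directory."""
    mode, owner, group = directory
    return bool(perm_class(mode, owner, group, uid, gids) & R)


def can_read_key(dirs, key, uid, gids):
    """Opening the key needs x (search) on every directory, then r on the file."""
    for mode, owner, group in dirs:
        if not perm_class(mode, owner, group, uid, gids) & X:
            return False
    mode, owner, group = key
    return bool(perm_class(mode, owner, group, uid, gids) & R)


def survey():
    """Evaluate each directory mode for the opendkim user reading a 640 key."""
    key = (0o640, ROOT_UID, DKIM_GID)
    cases = {
        "640 opendkim:opendkim": (0o640, DKIM_UID, DKIM_GID),
        "640 root:opendkim": (0o640, ROOT_UID, DKIM_GID),
        "740 root:opendkim": (0o740, ROOT_UID, DKIM_GID),
        "750 root:opendkim": (0o750, ROOT_UID, DKIM_GID),  # comparison only
    }
    return {name: can_read_key([d, d], key, DKIM_UID, {DKIM_GID})
            for name, d in cases.items()}


if __name__ == "__main__":
    for name, ok in survey().items():
        print(f"{name:24} key readable by opendkim: {ok}")
```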
