On Wednesday, July 30, 2014 13:26:39 Steve Jenkins wrote:
> On Wed, Jul 30, 2014 at 1:22 PM, Todd Lyons <tlyons_at_ivenue.com> wrote:
> > On Wed, Jul 30, 2014 at 12:51 PM, Steve Jenkins <steve_at_stevejenkins.com>
> >
> > wrote:
> > > My default opendkim.conf file has:
> > >
> > > UserID opendkim:opendkim
> > >
> > >
> > > But I'm attempting to help resolve this bug:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=891292
> > >
> > > Please refer to my comment #47.
> > >
> > > It is OK to run the opendkim process as root?
> >
> > No, it's not ok to run as root. Basically, selinux wants root to be
> > the owner of pretty much everything /etc, so make everything be owned
> > by root:%{name}.
> >
> > I am no selinux expert, but I think in order to fix your packaging,
> > the comment 36 addresses what to do with the files in the
> > /etc/opendkim/ subdirectory:
> >
> > -%config(noreplace) %attr(640,%{name},%{name})
> > %{_sysconfdir}/%{name}/SigningTable
> > -%config(noreplace) %attr(640,%{name},%{name})
> > %{_sysconfdir}/%{name}/KeyTable
> > -%config(noreplace) %attr(640,%{name},%{name})
> > %{_sysconfdir}/%{name}/TrustedHosts
> > +%config(noreplace) %attr(640,root,%{name})
> > %{_sysconfdir}/%{name}/SigningTable
> > +%config(noreplace) %attr(640,root,%{name})
> > %{_sysconfdir}/%{name}/KeyTable
> > +%config(noreplace) %attr(640,root,%{name})
> > %{_sysconfdir}/%{name}/TrustedHosts
> >
> > Then per comment 37, make the keys subdirectories have root own them,
> > but group opendkim can read:
> > %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
> > %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys
> >
> > Then make the default supplied keys have something accessible yet
> > group restricted the way that opendkim requires:
> >
> > %config(noreplace) %attr(640,root,%{name})
> > %{_sysconfdir}/%{name}/keys/*.private
> > %config(noreplace) %attr(644,root,%{name})
> > %{_sysconfdir}/%{name}/keys/*.txt
> >
> > I think that the %post by default will include a restorecon so you
> > shouldn't have to mess with that manually.
> >
> > Hopefully this will help a bit, or at least spark a bit of genius
> > among those who know selinux better than us. :-)
>
> Thanks, Todd.
>
> I think I have it figured out. It takes the ownership and permissions as
> shown in Comment 36... but that's going to require an update to something
> in the source -- the default keygen script that sets permission for the
> default keys when OpenDKIM starts for the first time.
>
> Here's my updated contrib/init/redhat/opendkim-default-keygen.in
>
> https://github.com/stevejenkins/OpenDKIM-Fedora/blob/develop/contrib/init/re
> dhat/opendkim-default-keygen.in
>
> Only difference is line 32: chmod should be 640, instead of 600.
>
> Can someone with commit privileges make that change to the OpenDKIM source,
> and then I'll just patch it for now in this Fedora build?
Why is:
root:opendkim 640
better than:
opendkim:opendkim 600 (or even 400)?
root can read the file either way?
I checked any my key files are:
opendkim:opendkim 400
I'm sure I did that manually though.
Scott K
Received on Wed Jul 30 2014 - 21:03:49 PST