On Wednesday, July 30, 2014 17:03:36 Scott Kitterman wrote:
> On Wednesday, July 30, 2014 13:26:39 Steve Jenkins wrote:
> > On Wed, Jul 30, 2014 at 1:22 PM, Todd Lyons <tlyons_at_ivenue.com> wrote:
> > > On Wed, Jul 30, 2014 at 12:51 PM, Steve Jenkins <steve_at_stevejenkins.com>
> > >
> > > wrote:
> > > > My default opendkim.conf file has:
> > > >
> > > > UserID opendkim:opendkim
> > > >
> > > >
> > > > But I'm attempting to help resolve this bug:
> > > >
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=891292
> > > >
> > > > Please refer to my comment #47.
> > > >
> > > > It is OK to run the opendkim process as root?
> > >
> > > No, it's not ok to run as root. Basically, selinux wants root to be
> > > the owner of pretty much everything /etc, so make everything be owned
> > > by root:%{name}.
> > >
> > > I am no selinux expert, but I think in order to fix your packaging,
> > > the comment 36 addresses what to do with the files in the
> > > /etc/opendkim/ subdirectory:
> > >
> > > -%config(noreplace) %attr(640,%{name},%{name})
> > > %{_sysconfdir}/%{name}/SigningTable
> > > -%config(noreplace) %attr(640,%{name},%{name})
> > > %{_sysconfdir}/%{name}/KeyTable
> > > -%config(noreplace) %attr(640,%{name},%{name})
> > > %{_sysconfdir}/%{name}/TrustedHosts
> > > +%config(noreplace) %attr(640,root,%{name})
> > > %{_sysconfdir}/%{name}/SigningTable
> > > +%config(noreplace) %attr(640,root,%{name})
> > > %{_sysconfdir}/%{name}/KeyTable
> > > +%config(noreplace) %attr(640,root,%{name})
> > > %{_sysconfdir}/%{name}/TrustedHosts
> > >
> > > Then per comment 37, make the keys subdirectories have root own them,
> > > but group opendkim can read:
> > > %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
> > > %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys
> > >
> > > Then make the default supplied keys have something accessible yet
> > > group restricted the way that opendkim requires:
> > >
> > > %config(noreplace) %attr(640,root,%{name})
> > > %{_sysconfdir}/%{name}/keys/*.private
> > > %config(noreplace) %attr(644,root,%{name})
> > > %{_sysconfdir}/%{name}/keys/*.txt
> > >
> > > I think that the %post by default will include a restorecon so you
> > > shouldn't have to mess with that manually.
> > >
> > > Hopefully this will help a bit, or at least spark a bit of genius
> > > among those who know selinux better than us. :-)
> >
> > Thanks, Todd.
> >
> > I think I have it figured out. It takes the ownership and permissions as
> > shown in Comment 36... but that's going to require an update to something
> > in the source -- the default keygen script that sets permission for the
> > default keys when OpenDKIM starts for the first time.
> >
> > Here's my updated contrib/init/redhat/opendkim-default-keygen.in
> >
> > https://github.com/stevejenkins/OpenDKIM-Fedora/blob/develop/contrib/init/
> > re dhat/opendkim-default-keygen.in
> >
> > Only difference is line 32: chmod should be 640, instead of 600.
> >
> > Can someone with commit privileges make that change to the OpenDKIM
> > source,
> > and then I'll just patch it for now in this Fedora build?
>
> Why is:
>
> root:opendkim 640
>
> better than:
>
> opendkim:opendkim 600 (or even 400)?
>
> root can read the file either way?
>
> I checked any my key files are:
>
> opendkim:opendkim 400
>
> I'm sure I did that manually though.
>
> Scott K
Nevermind. I read the bug.
I don't get SE Linux. It seems like an odd solution, but whatever.
I do think that no one but root needs write access is the correct answer. You
don't want the milter process to be able to change the key file.
Scott K
Received on Wed Jul 30 2014 - 21:12:14 PST