Re: Any issues running as root vs. opendkim?

From: Todd Lyons <tlyons_at_ivenue.com>
Date: Wed, 30 Jul 2014 19:41:22 -0700

Yeah, that should be root,%{name}. My bad. As far as the directory,
it might be better to be 750 instead.

...Todd


On Wed, Jul 30, 2014 at 1:34 PM, Steve Jenkins <steve_at_stevejenkins.com> wrote:
> On Wed, Jul 30, 2014 at 1:22 PM, Todd Lyons <tlyons_at_ivenue.com> wrote:
>>
>> Then per comment 37, make the keys subdirectories have root own them,
>> but group opendkim can read:
>> %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
>> %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys
>
>
> Did you mean:
>
> %dir %attr(640,root,%{name}) %{_sysconfdir}/%{name}
> %dir %attr(640,root,%{name}) %{_sysconfdir}/%{name}/keys
>
> Also, I see most directories are at least root executable. Any reason those
> shouldn't be:
>
> %dir %attr(740,root,%{name}) %{_sysconfdir}/%{name}
> %dir %attr(740,root,%{name}) %{_sysconfdir}/%{name}/keys
>
>> Then make the default supplied keys have something accessible yet
>> group restricted the way that opendkim requires:
>>
>> %config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/keys/*.private
>> %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/keys/*.txt
>
>
> Can't do this in the spec file, because these files don't exist until first
> run. But the keygen file I posted earlier will address, and I can patch this
> time.
>
>>
>> I think that the %post by default will include a restorecon so you
>> shouldn't have to mess with that manually.
>
>
> That went over my head. :)
>
>>
>> Hopefully this will help a bit, or at least spark a bit of genius
>> among those who know selinux better than us. :-)
>
>
> Thx again for your always brilliant input. :)
>
> SJ
>



-- 
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
Received on Thu Jul 31 2014 - 02:41:42 PST
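
The directory modes discussed in this thread (640, 740, 750) differ in which classes hold the search (x) bit, which is what lets a process open files inside a directory. The following is an added example, not part of the thread or of the opendkim package, that checks those bits on a key tree. The function names, the /etc/opendkim path, and the root:opendkim layout with a group-readable private key are assumptions.

```python
import os
import stat

def check_entry(name, mode, is_dir):
    """Return findings for one path, given its permission bits."""
    found = []
    if is_dir:
        # Opening a file inside a directory needs the search (x) bit on
        # that directory; the read bit only allows listing names.
        if not mode & stat.S_IXUSR:
            found.append("owner lacks search bit")
        if not mode & stat.S_IXGRP:
            found.append("group lacks search bit")
        if mode & stat.S_IRWXO:
            found.append("directory accessible to others")
    elif name.endswith(".private"):
        # Assumed layout: owner root, group opendkim reads the key.
        if not mode & stat.S_IRGRP:
            found.append("group cannot read private key")
        if mode & (stat.S_IWGRP | stat.S_IRWXO):
            found.append("private key mode too open")
    return found

def audit_key_tree(root):
    """Walk a key tree and return sorted (relative path, finding) pairs."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in files]
        for path, is_dir in entries:
            rel = os.path.relpath(path, root)
            try:
                mode = stat.S_IMODE(os.lstat(path).st_mode)
            except OSError as exc:
                results.append((rel, "cannot stat: " + str(exc.strerror)))
                continue
            for finding in check_entry(os.path.basename(path), mode, is_dir):
                results.append((rel, finding))
    return sorted(results)

if __name__ == "__main__":
    # The three directory modes proposed in the thread.
    for m in (0o640, 0o740, 0o750):
        print(oct(m), check_entry("keys", m, True) or "ok")
    # Assumed expansion of %{_sysconfdir}/%{name}; adjust as packaged.
    for rel, finding in audit_key_tree("/etc/opendkim"):
        print(rel, finding)
```

Only mode bits are checked; ownership is not, since that needs the real opendkim account to exist on the machine.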
