Re: Any issues running as root vs. opendkim?

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Sun, 03 Aug 2014 01:31:20 +1000

On 31/07/14 05:51, Steve Jenkins wrote:
> My default opendkim.conf file has:
>
> UserID opendkim:opendkim
>
>
> But I'm attempting to help resolve this bug:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=891292
>
> Please refer to my comment #47.
>
> Is it OK to run the opendkim process as root?
>
> Thanks,
>
> SteveJ


Looking at the bug, /etc/opendkim/keys/default.private should be
system_u:object_r:dkim_milter_private_key_t

so restorecon /etc/opendkim/keys/default.private should show this.

on F20
$ fgrep -r dkim_milter /etc/selinux/

/etc/selinux/targeted/contexts/files/file_contexts:/etc/mail/dkim-milter/keys(/.*)?    system_u:object_r:dkim_milter_private_key_t:s0

So F20 policy isn't really up to speed with
https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.fc

So a workaround for the user:

semanage fcontext -a -t dkim_milter_private_key_t "/etc/opendkim(/.*)?"
semanage fcontext -a -t dkim_milter_private_key_t "/etc/opendkim.conf"
restorecon -Rv /etc/opendkim.conf
restorecon -Rv /etc/opendkim



The /dev/urandom permission denied seems to need
dev_read_rand(dkim_milter_t)
(https://github.com/TresysTechnology/refpolicy-contrib/pull/1) - also
needs Fedora.


opendkim-genkey probably should run some form of the following to ensure
selinux permissions:

restorecon ${keyname} || true


Take a look at other
https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.if /
https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.fc to
see if other labels/permissions are needed.

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/policy-rawhide-contrib.patch
has the fedora policy
Received on Sat Aug 02 2014 - 15:31:36 PST
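
Added example, not part of the original message or of any project's code: a small shell lookup that shows why the F20 file_contexts entry quoted above does not cover /etc/opendkim/keys/default.private and why the semanage workaround does. The sample policy lines are constructed from the entry and the two semanage rules in the message; the function name fc_lookup and the "last match wins" simplification are assumptions of this sketch.

```shell
#!/bin/sh
# fc_lookup PATH < file_contexts
# Prints the context of the entry whose regex matches PATH; returns 1 if none.
# Entry format: "<path regex> [<file type flag>] <context>". The regex has to
# match the whole path, so it is anchored with ^( )$ before being tested.
# Simplified: the last matching entry is reported. That is enough for the
# non-overlapping entries below; libselinux's real ordering is not reproduced.
fc_lookup() {
    path=$1
    result=
    while read -r regex f2 f3; do
        case $regex in ''|'#'*) continue ;; esac    # skip blanks and comments
        context=${f3:-$f2}                          # skips an optional -- / -d flag
        if printf '%s\n' "$path" | grep -Eq -- "^(${regex})\$"; then
            result=$context
        fi
    done
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Constructed sample: the single dkim_milter entry the fgrep on F20 returned.
f20_policy() {
cat <<'EOF'
/etc/mail/dkim-milter/keys(/.*)?    system_u:object_r:dkim_milter_private_key_t:s0
EOF
}

# Constructed sample: the same policy plus the two local rules that the
# "semanage fcontext -a -t dkim_milter_private_key_t ..." commands would add.
with_workaround() {
f20_policy
cat <<'EOF'
/etc/opendkim(/.*)?    system_u:object_r:dkim_milter_private_key_t:s0
/etc/opendkim.conf    system_u:object_r:dkim_milter_private_key_t:s0
EOF
}

key=/etc/opendkim/keys/default.private
f20_policy | fc_lookup "$key" || echo "$key: no matching entry in stock policy"
with_workaround | fc_lookup "$key"
```

On a live system, `matchpathcon /etc/opendkim/keys/default.private` answers the same question against the installed policy, and `ls -Z` shows the label actually on the file.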
