Re: Any issues running as root vs. opendkim?
From: Steve Jenkins <steve_at_stevejenkins.com>
Date: Sat, 2 Aug 2014 12:15:27 -0700
On Sat, Aug 2, 2014 at 8:31 AM, Daniel Black <daniel.subs_at_internode.on.net>
wrote:
> looking at the bug /etc/opendkim/keys/default.private should be
> system_u:object_r:dkim_milter_private_key_t
>
> so restorecon /etc/opendkim/keys/default.private should show this.
>
> on F20
> $ fgrep -r dkim_milter /etc/selinux/
>
> /etc/selinux/targeted/contexts/files/file_contexts:/etc/mail/dkim-milter/keys(/.*)? system_u:object_r:dkim_milter_private_key_t:s0
>
> So F20 policy isn't really up to speed with
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.fc
>
> So a workaround for the user:
>
> semanage fcontext -a -t dkim_milter_private_key_t "/etc/opendkim(/.*)?"
> semanage fcontext -a -t dkim_milter_private_key_t "/etc/opendkim.conf"
> restorecon -Rv /etc/opendkim.conf
> restorecon -Rv /etc/opendkim
>
>
>
> on /dev/urandom permission denied seems to need
> dev_read_rand(dkim_milter_t)
> (https://github.com/TresysTechnology/refpolicy-contrib/pull/1) - also
> needs fedora.
>
>
> opendkim-genkey probably should run some form of the following to ensure
> selinux permissions
>
> restorecon ${keyname} || true
>
>
> take a look at other
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.if /
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.fc to
> see if other labels/permissions are needed.
>
> http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/policy-rawhide-contrib.patch
> has the fedora policy
>
Yikes, Daniel. That's awesome... but WAY over my head. :)
1) Can you make that comment on the Bugzilla report for the benefit of the
other guys on the bug?
2) Is there anything I should be doing on the package side to try and
address?
Thanks,
SteveJ
Received on Sat Aug 02 2014 - 19:15:43 PST
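
Added example, not part of the original thread or of the OpenDKIM or Fedora projects: a shell sketch of why the key file ends up mislabeled on F20, checking paths against the file_contexts entry quoted above and against the two rules the semanage workaround adds. The helper name match_context, the full context fields of the local rules, and the dkim-milter sample path are assumptions; real SELinux rule precedence is not modelled.

```shell
#!/bin/sh
# Constructed sample data. F20_RULES is the single file_contexts entry quoted
# in the message; LOCAL_RULES models what the two "semanage fcontext -a"
# commands add (the system_u:object_r:...:s0 fields are assumed defaults).
F20_RULES='/etc/mail/dkim-milter/keys(/.*)? system_u:object_r:dkim_milter_private_key_t:s0'
LOCAL_RULES='/etc/opendkim(/.*)? system_u:object_r:dkim_milter_private_key_t:s0
/etc/opendkim.conf system_u:object_r:dkim_milter_private_key_t:s0'

# match_context RULES PATH  (hypothetical helper)
# Prints the context of the first rule whose regex matches the whole PATH,
# or "<<none>>" when no rule applies. file_contexts regexes are anchored at
# both ends, which is why "^...$" is added here.
match_context() {
    mc_rules=$1
    mc_path=$2
    mc_result='<<none>>'
    while read -r mc_regex mc_context; do
        [ -n "$mc_regex" ] || continue
        if [ "$mc_result" = '<<none>>' ] &&
           printf '%s\n' "$mc_path" | grep -Eq "^${mc_regex}\$"; then
            mc_result=$mc_context
        fi
    done <<EOF
$mc_rules
EOF
    printf '%s\n' "$mc_result"
}

# Compare the stock F20 rule with stock + workaround rules for each path.
for p in /etc/opendkim/keys/default.private /etc/opendkim.conf \
         /etc/mail/dkim-milter/keys/default.private; do
    printf '%-45s F20: %-50s with workaround: %s\n' "$p" \
        "$(match_context "$F20_RULES" "$p")" \
        "$(match_context "$F20_RULES
$LOCAL_RULES" "$p")"
done
```

On a host with SELinux enabled, `matchpathcon /etc/opendkim/keys/default.private` reports the label the loaded policy expects and `ls -Z` shows the label the file actually carries.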
This archive was generated by hypermail 2.3.0 : Sat Aug 02 2014 - 19:18:00 PST