Re: Any issues running as root vs. opendkim?

From: Steve Jenkins <steve_at_stevejenkins.com>
Date: Sat, 2 Aug 2014 12:15:27 -0700

On Sat, Aug 2, 2014 at 8:31 AM, Daniel Black <daniel.subs_at_internode.on.net>
wrote:

> looking at the bug /etc/opendkim/keys/default.private should be
> system_u:object_r:dkim_milter_private_key_t
>
> so restorecon /etc/opendkim/keys/default.private should show this.
>
> on F20
> $ fgrep -r dkim_milter /etc/selinux/
> /etc/selinux/targeted/contexts/files/file_contexts:/etc/mail/dkim-milter/keys(/.*)? system_u:object_r:dkim_milter_private_key_t:s0
>
> So F20 policy isn't really up to speed with
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.fc
>
> So a workaround for the user:
>
> semanage fcontext -a -t dkim_milter_private_key_t "/etc/opendkim(/.*)?"
> semanage fcontext -a -t dkim_milter_private_key_t "/etc/opendkim.conf"
> restorecon -Rv /etc/opendkim.conf
> restorecon -Rv /etc/opendkim
>
>
>
> on /dev/urandom permission denied seems to need
> dev_read_rand(dkim_milter_t)
> (https://github.com/TresysTechnology/refpolicy-contrib/pull/1) - also
> needs fedora.
>
>
> opendkim-genkey probably should run some form of the following to ensure
> selinux permissions:
>
> restorecon ${keyname} || true
>
>
> take a look at other
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.if /
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/dkim.fc
> to see if other labels/permissions are needed.
>
>
> http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/policy-rawhide-contrib.patch
> has the fedora policy
>

Yikes, Daniel. That's awesome... but WAY over my head. :)

1) Can you make that comment on the Bugzilla report for the benefit of the
other guys on the bug?

2) Is there anything I should be doing on the package side to try and
address?

Thanks,

SteveJ
Received on Sat Aug 02 2014 - 19:15:43 PST
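
The label gap described in the quoted message, as an added example that is not part of the original thread or of opendkim: a simplified model of file_contexts matching (whole-path regex, last match wins) run over constructed entries, showing that the F20 dkim entry does not cover /etc/opendkim and what the two semanage rules change. The generic /etc entry, the variable names and the function names are assumptions.

```shell
#!/bin/sh
# Simplified model of file_contexts resolution: each entry is "<regex> <context>",
# the regex must match the whole path, and the last matching entry wins.
# Assumption: the file-type field and libselinux's entry sorting are left out.

# Constructed sample: a generic /etc entry (assumed) plus the one dkim entry
# from the F20 grep output quoted above.
F20_CONTEXTS='/etc/.* system_u:object_r:etc_t:s0
/etc/mail/dkim-milter/keys(/.*)? system_u:object_r:dkim_milter_private_key_t:s0'

# Constructed sample: the local entries the two semanage commands would add.
LOCAL_CONTEXTS='/etc/opendkim(/.*)? system_u:object_r:dkim_milter_private_key_t:s0
/etc/opendkim.conf system_u:object_r:dkim_milter_private_key_t:s0'

ALL_CONTEXTS="$F20_CONTEXTS
$LOCAL_CONTEXTS"

# lookup_context ENTRIES TARGET: print the context of the last entry whose
# regex matches TARGET, or "unmatched" if none does.
lookup_context() {
    entries=$1
    target=$2
    result=unmatched
    while read -r regex context; do
        [ -n "$regex" ] || continue
        # grep -x anchors the ERE to the whole line, as file_contexts matching does.
        if printf '%s\n' "$target" | grep -Eqx -e "$regex"; then
            result=$context
        fi
    done <<EOF
$entries
EOF
    printf '%s\n' "$result"
}

# lookup_type ENTRIES TARGET: print only the SELinux type (third context field).
lookup_type() {
    lookup_context "$1" "$2" | cut -d: -f3
}

# Show the type before and after the local entries for the two paths in the thread.
for p in /etc/opendkim/keys/default.private /etc/opendkim.conf; do
    echo "$p: $(lookup_type "$F20_CONTEXTS" "$p") -> $(lookup_type "$ALL_CONTEXTS" "$p")"
done
```

On a real system, `matchpathcon <path>` reports the label the loaded policy expects and `ls -Z <path>` the label actually on disk.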
