[DSE-Dev] Bug#900188: selinux-policy-default: DKIM keys are not labelled correctly by default
Sebastian Hamann
debian-bugs at ares-macrotechnology.com
Sun May 27 11:35:42 BST 2018
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal
Dear Maintainer,
the opendkim package (2.11.0~alpha-10+dep9u1) suggests that signing keys
should be stored in /etc/dkimkeys and sets up secure permission for that
directory.
The SELinux policy does not include filecontext rules for this
directory. Therefore, the keys get labelled as etc_t, which is readable
from lots of domains. The correct label is dkim_milter_private_key_t,
which is much more restricted. This label is applied to
/etc/opendkim/keys and /var/db/dkim only. These paths do not seem to be
advertised by the opendkim package.
I chose to file this against selinux-policy-default, but this may also
be considered a bug in opendkim for not using a "standard" location by
default.
I did not tag this as a security issue since DAC prevents access to
the signing key by non-root processes, which seems to be good enough for
non-SELinux systems.
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
More information about the SELinux-devel
mailing list