The openarc package provides a milter implementing the Authenticated Receive Chain (ARC) email signing and verification method as described in RFC 8617. See also http://arc-spec.org/.
This software is very similar in behavior to that of OpenDKIM, in that:
- it can open and listen on a tcp or a unix socket in /run/openarc to which an MTA connects (e.g. sendmail or postfix)
- it must make outgoing DNS requests to look up keys in DNS TXT records.
When run without a policy, it fails with sendmail unable to connect to sockets of type var_run_t in /etc/openarc/openarc.sock.
At a minimum, we need to label /etc/openarc/* in a way that postfix and sendmail can connect. We've experimented with reusing dkim_milter_data_t, which does work:
/var/run/openarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/spool/postfix/var/run/openarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
In addition, I note that the dkim-milter (not the opendkim package) also has a file context to protect its private keys.
/etc/mail/dkim-milter/keys(/.*)? all files system_u:object_r:dkim_milter_private_key_t:s0
and runs in a context of dkim_milter_exec_t rather than unconfined_t.
This is being discussed in github PR contents upstream.
What's the best way to proceed?
Thanks,
Matt
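As an added example, not part of Matt's message: a small POSIX shell script that makes the dkim_milter_data_t labelling from the post persistent with semanage (so it survives a relabel rather than living only in a hand-edited policy source), reruns restorecon, and verifies the resulting context on the socket. It assumes the default postfix chroot under /var/spool/postfix, uses /run/openarc (on Fedora /var/run is a symlink to /run), and assumes policycoreutils-python-utils is installed for semanage.

```shell
#!/bin/sh
# Added example (not from the original post): persistently label the
# openarc socket directories with dkim_milter_data_t and verify the result.
# Assumptions: default postfix chroot /var/spool/postfix; semanage available.
OPENARC_TYPE="dkim_milter_data_t"
OPENARC_DIRS="/run/openarc /var/spool/postfix/var/run/openarc"

# Emit the commands without running them, so they can be reviewed first.
openarc_fcontext_cmds() {
    for d in $OPENARC_DIRS; do
        printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$OPENARC_TYPE" "$d"
    done
    for d in $OPENARC_DIRS; do
        printf 'restorecon -Rv "%s"\n' "$d"
    done
}

# Run the emitted commands (needs root). Stops at the first failure.
openarc_fcontext_apply() {
    openarc_fcontext_cmds | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || return 1
    done
}

# Pure check: does a full context string carry the expected type?
# e.g. "system_u:object_r:dkim_milter_data_t:s0" -> 0, var_run_t -> 1
openarc_ctx_has_type() {
    case "$1" in
        *:"$OPENARC_TYPE":*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verify the on-disk label of a socket path (e.g. /run/openarc/openarc.sock).
# A var_run_t result here is exactly the mismatch the post describes.
openarc_fcontext_verify() {
    ctx=$(stat -c %C "$1" 2>/dev/null)
    if openarc_ctx_has_type "${ctx:-missing}"; then
        echo "ok: $1 is $ctx"
        return 0
    fi
    echo "mismatch: $1 is ${ctx:-missing} (expected $OPENARC_TYPE)"
    return 1
}
```

Review the output of openarc_fcontext_cmds, then run openarc_fcontext_apply as root and openarc_fcontext_verify on the socket path; if the MTA still cannot connect, the remaining denial shows up in the audit log and can be inspected with ausearch.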
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx