Your message dated Sun, 18 Sep 2022 08:38:14 +0000
with message-id <[email protected]>
and subject line Bug#900188: fixed in refpolicy 2:2.20220520-4
has caused the Debian Bug report #900188,
regarding selinux-policy-default: DKIM keys are not labelled correctly by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
900188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: normal

Dear Maintainer,

the opendkim package (2.11.0~alpha-10+dep9u1) suggests that signing keys
should be stored in /etc/dkimkeys and sets up secure permissions for that
directory.
The SELinux policy does not include filecontext rules for this
directory. Therefore, the keys get labelled as etc_t, which is readable
from lots of domains. The correct label is dkim_milter_private_key_t,
which is much more restricted. This label is applied to
/etc/opendkim/keys and /var/db/dkim only. These paths do not seem to be
advertised by the opendkim package.

I chose to file this against selinux-policy-default, but this may also
be considered a bug in opendkim for not using a "standard" location by
default.

I did not tag this as a security issue since DAC prevents access to
the signing key by non-root processes, which seems to be good enough for
non-SELinux systems.


-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

--- End Message ---
--- Begin Message ---
Source: refpolicy
Source-Version: 2:2.20220520-4
Done: Russell Coker <[email protected]>

We believe that the bug you reported is fixed in the latest version of
refpolicy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Coker <[email protected]> (supplier of updated refpolicy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Sep 2022 12:48:43 +1000
Source: refpolicy
Architecture: source
Version: 2:2.20220520-4
Distribution: unstable
Urgency: medium
Maintainer: Debian SELinux maintainers <[email protected]>
Changed-By: Russell Coker <[email protected]>
Closes: 900188 962223
Changes:
 refpolicy (2:2.20220520-4) unstable; urgency=medium
 .
   * Add label for /etc/dkimkeys Closes: #900188
   * Allow chronyd_t to send unix datagrams to unconfined_t and gave it
     dac_read_search Closes: #962223
   * Allow firewalld_t to do netlink_netfilter_socket access, watch
     firewalld_etc_rw_t dirs, and read generic certs
   * Allow init_t to watch for reads on console_device_t for autorelabel
     processing.

--- End Message ---
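
Added example (not part of the original messages or of the refpolicy package): a shell check for the condition the report describes, keys under /etc/dkimkeys carrying etc_t instead of dkim_milter_private_key_t, plus a local workaround for hosts still running a policy without the fix. The path regex given to semanage and the sample lines are assumptions; the page does not show the rule the package added.

```shell
#!/bin/sh
# Audit DKIM key labels. Input lines are "<context> <path>", the format
# printed on an SELinux host by:
#   find /etc/dkimkeys -printf '%Z %p\n'
# Paths containing whitespace are not handled.
EXPECTED_TYPE=dkim_milter_private_key_t

# Print "<path> <actual type>" for every entry whose SELinux type (third
# colon-separated field of the context) is not EXPECTED_TYPE.
# Returns 1 if any such entry was found, 0 otherwise.
mislabelled() {
    awk -v want="$EXPECTED_TYPE" '
        { split($1, ctx, ":")
          if (ctx[3] != want) { print $2 " " ctx[3]; bad = 1 } }
        END { exit (bad ? 1 : 0) }'
}

# Local workaround (needs root and the semanage/restorecon tools): add a
# file context rule for the directory, then relabel what is already there.
# The regex is an assumed form, not copied from the fixed policy.
fix_labels() {
    semanage fcontext -a -t "$EXPECTED_TYPE" '/etc/dkimkeys(/.*)?' &&
    restorecon -Rv /etc/dkimkeys
}

# Constructed sample: the state described in the report.
SAMPLE_BEFORE='system_u:object_r:etc_t:s0 /etc/dkimkeys
system_u:object_r:etc_t:s0 /etc/dkimkeys/example.private'

# Constructed sample: the state after relabelling.
SAMPLE_AFTER='system_u:object_r:dkim_milter_private_key_t:s0 /etc/dkimkeys
system_u:object_r:dkim_milter_private_key_t:s0 /etc/dkimkeys/example.private'
```

On a live system, pipe the find command from the header comment into mislabelled; a non-zero exit status means at least one key is still readable under the broader etc_t rules.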
