The openarc package provides a milter implementing the Authenticated
Receive Chain (ARC) email signing and verification method as described in
RFC 8617. See also
http://arc-spec.org/.
This software is very similar in behavior as that of OpenDKIM, in that:
- it can open and listen on a tcp or a unix socket in /run/openarc to
which an MTA connects (e.g. sendmail or postfix)
- it must make outgoing DNS requests to look up keys in DNS TXT records.
When run without a policy, it fails with sendmail unable to connect to
sockets of type var_run_t in /etc/openarc/openarc.sock.
At a minimum, we need to label /etc/openarc/* in a way that postfix and
sendmail can connect. We've experimented with reusing dkim_milter_data_t ,
which does work:
/var/run/openarc(/.*)?
gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/spool/postfix/var/run/openarc(/.*)?
gen_context(system_u:object_r:dkim_milter_data_t,s0)
In addition, I note that the dkim-milter (not the opendkim package) also
has a file context to protect it's private keys.
/etc/mail/dkim-milter/keys(/.*)? all files
system_u:object_r:dkim_milter_private_key_t:s0
and runs in a context of dkim_milter_exec_t rather than unconfined_t.
This is being discussed in github PR contents upstream.
https://github.com/trusteddomainproject/OpenARC/pull/103
What's the best way to proceed?
Thanks,
Matt