Re: Mail / Web server guides

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Manuel,

Great links for selinux. Thank you very much. Will be reading up on those
now.

Perhaps you would like to contribute to the scripts to alter them slightly
to better suit an selinux environment?


"So far I have seen exactly 4 people who really needed and took advantage of
the features brought in by the newer mysql versions. But hey, maybe you are
number 5"
Wanted to use SHA2 which required at least version 5.5


I'm now looking into redoing the scripts, mainly to try to support all the
comments received so far, namely, selinux and different repositories.
Hopefully if I get it right, I can then write some wiki documents.

ps. love the comeback " And yet despite most monkeys are able to read the
selinux instruction" haha, made my morning :)

Kind regards,
Christian Salway

-----Original Message-----
From: centos-docs-bounces@xxxxxxxxxx [mailto:centos-docs-bounces@xxxxxxxxxx]
On Behalf Of Manuel Wolfshant
Sent: 25 March 2013 11:44
To: Mail list for wiki articles
Subject: Re:  Mail / Web server guides

On 03/25/2013 12:41 PM, Christian Salway wrote:
> Hi John,
>
> Thank you for your feedback.
>
> Firstly, "If such issues could possibly be resolved I feel these 
> scripts would be very beneficial to many users.", who better to help 
> out with that than you by the sounds of it.
>
> Anyway, although I would love a perfect system the way CentOS org 
> intended it, there are many reasons why I have done the scripts the way I
have.
> Mainly because there is not always the documentation out there to be 
> able to achieve the centos perfect result, or the packages available 
> in the 'preferred' repos are out-of-date, so people like me find the
'best'
> solution they can.
>
> selinux
> I'm all about security but there just isn't any good documentation for 
> managing selinux!  If there was, SELINUX would still be enabled.
     I beg to differ. There is plenty of documentation but people still
think and act as they did 10 years ago when selinux was introduced, For
those who really want to do things properly, there exist:
- http://wiki.centos.org/HowTos/SELinux
- http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
-
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
     Not to mention the plethora of docs available from the selinux
creators/maintainers themselves  such as the posts written by Dan Walsh (
http://danwalsh.livejournal.com/ ) and Dominick Grift (
http://selinux-mac.blogspot.ro/ )
     Unfortunately real life has proven that quite often people prefer to
blame selinux and lack of docs as a cover-up for not allocating the time to
read and learn.

>    For
> instance, how to allow selinux to let pureftp and apache share the 
> same files, show me a simple guide on that!
     There are several booleans related to ftp and httpd and properly
turning the required bits on would make everybody happy. getsebool -a | grep
"ftp\|httpd" will let most users figure things out easily. The tools
described in the first 2 above mentioned links will teach those who want to
learn.
     Incidentally pureftp is the ftp server that I use, too. But the
reasoning is pure laziness from my part, it's running on a system that was
first installed in the RH 7.2 era and I was ( I still am ) too lazy to
transfer my custom settings to vsftpd. But I assure you, selinux is on and
always has been. It's also true that I keep selinux on ever since I started
using it , back in the Fedora 3 era, even if at times I had to spent 30 min
to create custom policies ( and this still happens when I add packages from
3rd party repos... munin is my latest "friend" from this point of view).


> perl-File-Scan-ClamAV
> I used http://wiki.apache.org/spamassassin/ClamAVPlugin to interact 
> ClamAV and spamassassin which mentions File::Scan::ClamAV but which 
> wasn't available in the repositories I had chosen,
     Do you mean that you did not find
http://pkgs.org/centos-6-rhel-6/repoforge-i386/perl-File-Scan-ClamAV-1.91-1.
el6.rf.noarch.rpm.html
?

>   so clicking on the link took me
> to cpan, which I then found a way to automate the install off.  I see 
> no reason why it wasn't a good way of doing it as you get the latest 
> version and it's only an add-on module to perl.

     For what it's worth, there are several applications - such as cpanspec,
available as package from EPEL, too  - which allow almost automatic creation
of rpm packages from CPAN modules and take almost no time for the process.
For most modules it takes longer to download from CPAN than to create a rpm.


> phpmyadmin
> What is so wrong about downloading the latest html files direct from 
> the developers website?  Nothing is 'installed' into the system and 
> the repositories rarely have the latest version.
     Beside that fact the CentOS is a rpm-based distro and your suggestion
administers it as if it was slackware ?
     Incidentally phpmyadmin is one of the best maintained packages , its
Fedora maintainer is extremely active and responsive. Not to mention that he
also offers help for his packages via IRC


>    You are basically asking the
> CentOS uses to stay in the dark from new and improved versions of 
> software until you 'have the time' to add them to the repositories!
     It's quite the opposite. The repositories are places where the software
lands after at least a bit of testing is done. What you suggest here is the
gentoo approach, always hunt for the latest and shiniest. 
Which might or might not work, depending on the phase of the moon.



>
> UTC timezone
> The timezone script was for simplicity with my setup only and can 
> obviously be removed.  Although I'm sure a half-witted donkey can 
> figure out how to change it.
     And yet despite most monkeys are able to read the selinux instructions
and rely on selinux to add an additional layer of security for the server,
you recommend to turn it off instead of teaching how to adjust it to fit
your bill.


>
> Remi over rpmforge
> I tried to install mysql from rpmforge but it just wasn't happening.  
> Their mysql_libs are still old and thus causes a warning in phpmyadmin.
     Most people can and should rely on the mysql packages provided by the
distribution itself. Or they can go with IUS if a newer mysql version is
needed. So far I have seen exactly 4 people who really needed and took
advantage of the features brought in by the newer mysql versions. But hey,
maybe you are number 5... In this case please try to use the packages from
IUS and provide feedback so more users can benefit from your experience.



> Although CentOS may be a packaged managed system, most of the time the 
> packages in the repositories are way behind,
http://wiki.centos.org/FAQ/General#head-472ce8446ebcfc82ca1800f775ba0e629ac8
35c7
was written exactly to explain the reasoning for this situation...
>   resulting in system
> administrators like myself having to install versions with security 
> concerns, bugs
... and https://access.redhat.com/security/updates/backporting deals with
this .

>   or unavailable useful features that is just simply ridiculous, all 
> because you want users to follow suit.
     If you want( or need ) to compile the shiniest latest apps and use
them, you are more than welcome to do that but you have chosen the incorrect
distribution. Suggesting everyone to follow your way which is exactly
against the policy of the distribution is a bit irresponsible and should by
no means be endorsed in the centos wiki.


     manuel, happy selinux user since 2004
_______________________________________________
CentOS-docs mailing list
CentOS-docs@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos-docs

_______________________________________________
CentOS-docs mailing list
CentOS-docs@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos-docs




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Users]     [CentOS Virtualization]     [Linux Media]     [Asterisk]     [Netdev]     [X.org]     [Xfree86]     [Linux USB]     [Project Hail Cloud Computing]

  Powered by Linux