Johnny Hughes wrote:

>On Wed, 2005-03-16 at 13:41 -0600, Marc Powell wrote:
>
>>>-----Original Message-----
>>>From: centos-bounces@xxxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxxx]
>>>On Behalf Of James B. Byrne
>>>Sent: Wednesday, March 16, 2005 1:26 PM
>>>To: CentOS discussion and information list
>>>Subject: Re: [Centos] CentOS4 SELinux and Mailman
>>>
>>>I have stepped through the selinux authentication process with
>>>mailman and the following work-around resolves the issue locally.
>>>However, this or its equivalent probably should be rolled in to an
>>>updated selinux-policy-targeted rpm for CentOS.
>>>
>>>1. Install selinux-policy-targeted-sources
>>>
>>>2. edit /etc/selinux/targeted/src/policy/domains/misc/local.te
>>>
>>>3. Add the following lines to local.te
>>>
>>>allow mailman_cgi_t file_t:dir search;
>>>allow mailman_cgi_t file_t:dir write;
>>>allow mailman_cgi_t file_t:dir add_name;
>>>allow mailman_cgi_t file_t:dir create;
>>>allow mailman_cgi_t file_t:file create;
>>>allow mailman_cgi_t file_t:file { getattr write };
>>>allow mailman_cgi_t file_t:file read;
>>>allow mailman_cgi_t file_t:lnk_file create;
>>>

I don't want to complain. But if I read it clearly - and assume I do - this opens the gate to mailman to write every file on the disks. Wouldn't it be much more wise to only allow the required dirs/files?

Eg.:

allow mailman_cgi_t mailman_spool_t:file { getattr write};

etc.

Just my 0.2$.

bye,
Ago
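
A lint for the concern raised in this reply, as an added example that is not part of the original thread: it parses `allow` rules from a `local.te` and reports those that grant a modifying permission on a generic target type. The `BROAD_TYPES` and `WRITE_PERMS` sets and the function names are assumptions of this example, and `mailman_spool_t` appears only because the reply names it.

```python
import re

# Assumption: target types treated as too generic for a daemon-specific rule.
BROAD_TYPES = {"file_t", "unlabeled_t", "default_t"}
# Permissions that modify files or directories.
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name",
               "unlink", "rename", "setattr"}

# allow <source> <target>:<class> <perms>;  (each field may be a { ... } set)
RULE_RE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")

def _items(token):
    """Expand 'a' or '{ a b }' into a set of names."""
    return set(token.strip("{} ").split())

def audit(policy_text):
    """Return (line_no, target, classes, risky_perms) for every allow rule
    that grants a modifying permission on a broad target type."""
    findings = []
    for no, line in enumerate(policy_text.splitlines(), 1):
        m = RULE_RE.match(line.split("#", 1)[0])   # ignore policy comments
        if not m:
            continue
        _src, tgt, cls, perms = (_items(g) for g in m.groups())
        risky = perms & WRITE_PERMS
        if risky:
            for t in sorted(tgt & BROAD_TYPES):
                findings.append((no, t, sorted(cls), sorted(risky)))
    return findings

# The eight rules quoted in the thread, then the narrower rule from the reply.
SAMPLE = """\
allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write };
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
allow mailman_cgi_t mailman_spool_t:file { getattr write};
"""

if __name__ == "__main__":
    for no, target, classes, perms in audit(SAMPLE):
        print(f"line {no}: {perms} on {target}:{classes}")
```
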