On Wed, 16 Mar 2005 23:15:11 +0000 Deim ?goston <ago@xxxxxx> wrote:

> I don't want to complain. But if I read it clearly - and assume I
> do - this opens the gate to mailman to write every file on the
> disks. Wouldn't it be much more wise to only allow the required
> dirs/files? Eg.:
>
> allow mailman_cgi_t mailman_spool_t:file { getattr write};
>
> etc.

On my system adding this line gives this result:

allow mailman_cgi_t mailman_spool_t:file { getattr write};
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1

Perhaps your suggested modification was incomplete? Are there contingent alterations required elsewhere to get this to work?

My original note provided the means to successfully allow mailman to create lists within SELinux as shipped on CentOS4. It is incomplete however in that other mailman web based functionality remains impaired or inoperative. I am attempting to determine which are strictly SELinux issues and which are simple httpd.conf issues.

It appears that to access web archives the following lines are also necessary in local.te:

allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };

So the entire setup for mailman in /etc/selinux/targeted/src/policy/domains/misc/local.te presently looks like this:

allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write};
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };

Regards,
Jim

--
*** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                  Harte & Lyne Limited
vox: +1 905 561 1241            9 Brockley Drive
fax: +1 905 561 0757            Hamilton, Ontario
<token> = hal                   Canada L8E 3C3
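The concern raised in the quoted reply is that every rule in the local.te above targets file_t, the type carried by files the policy has not labeled, so a write grant on it is effectively a write grant on anything unlabeled. The script below is an added example, written for this thread and not taken from the mailing list or from any SELinux policy source: it parses allow rules of the form shown in the message, merges the rules that share source, target and object class (the eight separate mailman_cgi_t lines collapse to three), and lists the merged rules that grant write-type permissions on file_t. The sample policy text is the rule set quoted in the message; the set of "write-type" permissions is an assumption of the example, not a definition from the SELinux policy language.

```python
"""Parse SELinux 'allow' rules as written in a local.te file, merge rules
that share (source, target, class), and flag rules granting write-type
permissions on file_t (unlabeled files).

Added example for this thread; not code from the mailing list or from
the SELinux policy sources."""
import re
from collections import OrderedDict

# Constructed sample: the local.te rules listed in the message above.
SAMPLE_TE = """
allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write};
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };
"""

# One rule: allow <source> <target>:<class> <perm | { perm perm ... }>;
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?))\s*;\s*$"
)

# Permissions that let the source domain modify or create objects
# (assumed list for this example, not an official SELinux grouping).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name",
               "remove_name", "setattr", "rmdir", "link"}


def parse_allow_rules(text):
    """Return a list of (source, target, class, frozenset(perms)).
    Blank and comment lines are skipped; a malformed allow line raises
    ValueError, the way checkpolicy refuses to build the policy."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            if line.lstrip().startswith("allow"):
                raise ValueError("malformed allow rule: %s" % line.strip())
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset((braced or single).split())
        rules.append((src, tgt, cls, perms))
    return rules


def merge_rules(rules):
    """Union the permission sets of rules sharing (source, target, class),
    keeping first-seen order."""
    merged = OrderedDict()
    for src, tgt, cls, perms in rules:
        key = (src, tgt, cls)
        merged[key] = merged.get(key, frozenset()) | perms
    return [(k[0], k[1], k[2], v) for k, v in merged.items()]


def overbroad_rules(rules, target="file_t"):
    """Rules granting write-type permissions on `target` (file_t by
    default, i.e. files the policy has not labeled)."""
    return [r for r in rules if r[1] == target and r[3] & WRITE_PERMS]


def format_rule(rule):
    """Render a rule back in local.te syntax, permissions sorted."""
    src, tgt, cls, perms = rule
    plist = " ".join(sorted(perms))
    body = plist if len(perms) == 1 else "{ %s }" % plist
    return "allow %s %s:%s %s;" % (src, tgt, cls, body)


if __name__ == "__main__":
    merged = merge_rules(parse_allow_rules(SAMPLE_TE))
    for r in merged:
        print(format_rule(r))
    print("rules granting write access to unlabeled (file_t) objects:")
    for r in overbroad_rules(merged):
        print("  " + format_rule(r))
```

Run on the sample, the merged output is five rules, and the three mailman_cgi_t rules are reported as granting write, create or add_name on file_t; the two httpd_t rules for the archives only grant getattr, search and read and are not flagged. Relabeling the mailman directories with a mailman-specific type, as the quoted reply suggests, is what would make these rules narrower; this script only shows what the current rules reach.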