[Centos] Setting up Mailman with SELinux on CentOS4 revised




I stepped through the (entire?) selinux authentication process with 
mailman using audit2allow and the following work-around resolves 
the issue locally. However, the local.te policies that result, or 
their more restrictive equivalents, probably should be rolled into 
an updated selinux-policy-targeted rpm for CentOS or submitted to 
the upstream maintainers for inclusion with the base.   

1.	Install selinux-policy-targeted-sources

2.	Attempt to create a mailing list using mailman web interface.

3.	Run # audit2allow -l -i /var/log/messages

4.	Record policy change and edit: 
		/etc/selinux/targeted/src/policy/domains/misc/local.te
	appropriately.

4.	cd /etc/selinux/targeted/src/policy

5.	make reload

6.	Iterate steps 2 to 5 until step 2 works.  In our case this 
process required the following lines added to local.te

# needed to create a mailman list through web interface
allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write };
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
# needed to allow web access to mailman archives
allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };
allow httpd_t file_t:dir read;
allow httpd_t file_t:file getattr;
allow httpd_t file_t:file read;

7.  http://<your server here>/mailman/create now works and web 
archives are available to view (presuming that you have properly 
reconfigured /etc/httpd/conf.d/mailman.conf for your mailman 
server).


--   
     *** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
<token> = hal                 Canada L8E 3C3
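
The step from logged denials to local.te rules described in steps 3 and 4, as an added example that is not part of the original post: it parses AVC denial lines, merges permissions per source type, target type and class, and lists the rules whose target is file_t, the type SELinux gives to files that carry no label. The log lines, host name and function names are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: AVC denials in the style of /var/log/messages (not from the post).
SAMPLE_LOG = """\
Sep 12 10:01:02 host kernel: audit(1126533662.101:0): avc:  denied  { search } for  pid=2101 comm=create name=lists dev=dm-0 ino=1001 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=dir
Sep 12 10:01:02 host kernel: audit(1126533662.102:0): avc:  denied  { write add_name } for  pid=2101 comm=create name=lists dev=dm-0 ino=1001 scontext=root:system_r:mailman_cgi_t tcontext=system_u:object_r:file_t tclass=dir
Sep 12 10:01:03 host httpd: constructed non-AVC line, ignored by the parser
Sep 12 10:02:10 host kernel: audit(1126533730.201:0): avc:  denied  { getattr } for  pid=2200 comm=httpd name=index.html dev=dm-0 ino=1050 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Sep 12 10:02:10 host kernel: audit(1126533730.202:0): avc:  denied  { read } for  pid=2200 comm=httpd name=index.html dev=dm-0 ino=1050 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
Sep 12 10:02:11 host kernel: audit(1126533731.301:0): avc:  denied  { search } for  pid=2200 comm=httpd name=private dev=dm-0 ino=1060 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mailman_archive_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def unlabeled_targets(rules):
    """Rules that grant access to file_t, i.e. to every unlabeled file."""
    return [r for r in rules if r.split()[2].startswith("file_t:")]

if __name__ == "__main__":
    rules = denials_to_rules(SAMPLE_LOG)
    print("\n".join(rules))
    print("review before loading:", *unlabeled_targets(rules), sep="\n  ")
```

Rules that the second function returns are the candidates for the "more restrictive equivalents" the post mentions, since they apply to any file without a label rather than only to Mailman's data.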

