James B. Byrne wrote:
> I stepped through the (entire?) selinux authentication process with
> mailman using audit2allow and the following work-around resolves
> the issue locally. However, the local.te policies that result, or
> their more restrictive equivalents, probably should be rolled into
> an updated selinux-policy-targeted rpm for CentOS or submitted to
> the upstream maintainers for inclusion with the base.
>
> 1. Install selinux-policy-targeted-sources
>
> 2. Attempt to create a mailing list using the mailman web interface.
>
> 3. Run # audit2allow -l -i /var/log/messages
>
> 4. Record the policy change and edit
>    /etc/selinux/targeted/src/policy/domains/misc/local.te
>    appropriately.
>
> 5. cd /etc/selinux/targeted/src/policy
>
> 6. make reload
>
> 7. Iterate steps 2 to 6 until step 2 works. In our case this
> process required the following lines added to local.te:
>
> # needed to create a mailman list through web interface
> allow mailman_cgi_t file_t:dir search;
> allow mailman_cgi_t file_t:dir write;
> allow mailman_cgi_t file_t:dir add_name;
> allow mailman_cgi_t file_t:dir create;
> allow mailman_cgi_t file_t:file create;
> allow mailman_cgi_t file_t:file { getattr write };
> allow mailman_cgi_t file_t:file read;
> allow mailman_cgi_t file_t:lnk_file create;
> # needed to allow web access to mailman archives
> allow httpd_t file_t:dir { getattr search };
> allow httpd_t file_t:lnk_file { getattr read };
> allow httpd_t file_t:dir read;
> allow httpd_t file_t:file getattr;
> allow httpd_t file_t:file read;

Man. You open your system to everyone who cracks the apache server.
Open for reading, but that's enough. OK, there are DAC rules too, but
that's too open. Maybe one of us should create a mailman policy. I will
look at what I can do on the weekend. Saturday will be a working day in
Hungary this weekend, so if I don't manage to find time on Sunday,
don't wait for me.

bye,
Ago

The point Ago is making can be turned into a check run before `make reload`. The example below is added here and is not code from the original thread or from the mailman or SELinux projects. It parses the `allow` statements that audit2allow emits (the quoted local.te lines are embedded as the constructed sample) and flags every rule whose target type is `file_t` or `unlabeled_t`. In the targeted policy of that era `file_t` is the type a file carries when it has no SELinux label at all, so `allow httpd_t file_t:file read` is not scoped to mailman's archives; it reaches every unlabeled file on the host, and the `mailman_cgi_t` write rules reach them for writing. The standard remedy, and the reason the linter says so in its findings, is to give mailman's data a mailman-specific type through file contexts and `restorecon` so the rules can target that type instead; the type names used in the findings are illustrative, not taken from any shipped policy.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the local.te additions quoted from James Byrne's post.
SAMPLE_TE = """\
# needed to create a mailman list through web interface
allow mailman_cgi_t file_t:dir search;
allow mailman_cgi_t file_t:dir write;
allow mailman_cgi_t file_t:dir add_name;
allow mailman_cgi_t file_t:dir create;
allow mailman_cgi_t file_t:file create;
allow mailman_cgi_t file_t:file { getattr write };
allow mailman_cgi_t file_t:file read;
allow mailman_cgi_t file_t:lnk_file create;
# needed to allow web access to mailman archives
allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:lnk_file { getattr read };
allow httpd_t file_t:dir read;
allow httpd_t file_t:file getattr;
allow httpd_t file_t:file read;
"""

# Matches:  allow SRC TGT:CLASS PERM;   or   allow SRC TGT:CLASS { P1 P2 ... };
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")

# Types that belong to no particular service. file_t is what a file carries when it
# has no SELinux label at all, so a rule on it is not scoped to mailman's data.
CATCHALL_TYPES = frozenset({"file_t", "unlabeled_t"})

# Permissions that let the source domain modify the object rather than only read it.
WRITE_PERMS = frozenset({"write", "append", "create", "unlink", "rename",
                         "add_name", "remove_name", "setattr", "link"})


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset

    def text(self):
        """Render the rule back in .te syntax."""
        perms = " ".join(sorted(self.perms))
        if len(self.perms) > 1:
            perms = "{ " + perms + " }"
        return f"allow {self.source} {self.target}:{self.tclass} {perms};"


def parse_te(text):
    """Parse the allow statements of a .te fragment; comments and other statements are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = ALLOW_RE.match(line) if line else None
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        rules.append(AllowRule(src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def find_broad_rules(rules):
    """Return (rule, reason) pairs for rules that grant a domain access to a catch-all type."""
    findings = []
    for r in rules:
        if r.target in CATCHALL_TYPES:
            kind = "write" if r.perms & WRITE_PERMS else "read"
            findings.append((r, f"{r.source} gets {kind} access to every unlabeled "
                                f"{r.tclass} ({r.target}); label mailman's files with a "
                                f"mailman-specific type and target that type instead"))
    return findings


def lint_te(text):
    """One human-readable finding per rule that should not ship as written."""
    return [f"{rule.text()}  -> {why}" for rule, why in find_broad_rules(parse_te(text))]


if __name__ == "__main__":
    for finding in lint_te(SAMPLE_TE):
        print(finding)
```

Run against the quoted fragment it reports all thirteen rules, six of them as write access for `mailman_cgi_t`; a rule such as `allow httpd_t some_mailman_type_t:file read;` (a hypothetical, properly labeled target) passes, which is the shape the rules should have once the data is labeled.
<test>
rules = parse_te(SAMPLE_TE)
assert len(rules) == 13
findings = find_broad_rules(rules)
assert len(findings) == 13
writes = [r for r, why in findings if "write access" in why]
assert len(writes) == 6
assert all(r.source == "mailman_cgi_t" for r in writes)
assert sum(1 for r, why in findings if "read access" in why) == 7
multi = parse_te("allow mailman_cgi_t file_t:file { getattr write };")
assert len(multi) == 1 and multi[0].perms == frozenset({"getattr", "write"})
assert multi[0].text() == "allow mailman_cgi_t file_t:file { getattr write };"
assert find_broad_rules(parse_te("allow httpd_t some_mailman_type_t:file read;")) == []
assert parse_te("# only a comment\ntype foo_t;\n") == []
assert len(lint_te(SAMPLE_TE)) == 13
</test>