James B. Byrne wrote:

> The relevant question is: Is this worse than no SELinux at all?
> Should I turn off SELinux until the packages that are essential to
> my client's business are properly configured to work with SELinux
> on CentOS?

No, you don't. Right now you weaken the maximum available security, but that's much better than no SELinux at all.

> that I, in my ignorance, fail to appreciate. IS SELinux LESS
> secure than a non-SELinux enabled OS if the policies are not

Definitely not. SELinux is complementary to DAC, not overriding it. E.g.: if you don't have write permission to a directory but SELinux enables it, you will still fail. There's RSBAC on the ground too - another security patch, but unofficial - where you can disable DAC, but that's not the story with SELinux, AFAIK.

> I have dug around in the contexts files and this is what I have
> found:
>
> [lots of things]

Yes, it seems that the guys at RedHat thought about the usage of mailman.

>> allow mailman_cgi_t mailman_archive_t:dir write;
>> allow mailman_cgi_t mailman_archive_t:dir add_name;
>> allow mailman_cgi_t mailman_archive_t:dir create;
>> allow mailman_cgi_t mailman_archive_t:file create;
>> allow mailman_cgi_t mailman_archive_t:file { getattr write };
>> allow mailman_cgi_t mailman_archive_t:lnk_file create;
>>
>> The first error I receive is:
>>
>>   File "/usr/lib/mailman/Mailman/Archiver/Archiver.py", line 95, in InitVars
>>     os.mkdir(self.archive_dir()+'.mbox', 02775)
>> OSError: [Errno 13] Permission denied:
>> '/var/lib/mailman/archives/private/test1.mbox'

I think that the context of Archiver.py differs from mailman_cgi_t; that's the problem. But I have to go right now. I will take a look at it tomorrow if I can.

>> Now, do I need to add something regarding mailman_cgi_t and
>> mailman_archive_t somewhere else in some other file?

Yes, to go towards the best solution you can achieve. But don't worry. That's much more secure than no SELinux at all.

bye,
Ago
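As an added example that is not part of this thread: a small Python script that expands the allow rules quoted above into (source, target, class, permission) tuples and checks a constructed AVC denial against them, reporting whether the denial's source domain is the one the rules cover, which is the mismatch the reply suspects for Archiver.py. The audit lines it builds are constructed, and EXAMPLE_other_t is a placeholder name standing in for the unknown domain, not a real policy type.

```python
import re

# The allow rules quoted in the thread, exactly as written there.
ALLOW_RULES = """
allow mailman_cgi_t mailman_archive_t:dir write;
allow mailman_cgi_t mailman_archive_t:dir add_name;
allow mailman_cgi_t mailman_archive_t:dir create;
allow mailman_cgi_t mailman_archive_t:file create;
allow mailman_cgi_t mailman_archive_t:file { getattr write };
allow mailman_cgi_t mailman_archive_t:lnk_file create;
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?));")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def avc_line(stype, perm="create", tclass="dir"):
    """Constructed AVC denial in the classic audit format (not a real log line).
    Pass a placeholder such as EXAMPLE_other_t to stand in for an unknown domain."""
    return ('avc:  denied  { %s } for  pid=1234 comm="python" name="test1.mbox" '
            'scontext=root:system_r:%s tcontext=root:object_r:mailman_archive_t '
            'tclass=%s' % (perm, stype, tclass))

def parse_rules(text):
    """Expand allow rules into (source, target, class, permission) tuples."""
    rules = set()
    for src, tgt, cls, many, one in RULE_RE.findall(text):
        for perm in (many.split() if many else [one]):
            rules.add((src, tgt, cls, perm))
    return rules

def parse_avc(line):
    """Return (permissions, source type, target type, class) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, scontext, tcontext, tclass = m.groups()
    # The type is the third field of a context (user:role:type[:level]).
    return perms.split(), scontext.split(":")[2], tcontext.split(":")[2], tclass

def explain_denial(line, rules):
    """Say whether the rules cover the denial and, if not, which field mismatches."""
    parsed = parse_avc(line)
    if parsed is None:
        return None
    perms, stype, ttype, tclass = parsed
    missing = [p for p in perms if (stype, ttype, tclass, p) not in rules]
    if not missing:
        return "covered"
    known = sorted({r[0] for r in rules if r[1:3] == (ttype, tclass)})
    if known and stype not in known:
        return "source domain %s is not %s" % (stype, "/".join(known))
    return "no rule grants %s on %s:%s" % (",".join(missing), ttype, tclass)

RULES = parse_rules(ALLOW_RULES)
```

On a real system the same check would be fed the `avc: denied` lines from the audit log instead of `avc_line()`; a "source domain" mismatch means the process is not running in the domain the rules were written for, so adding more rules for mailman_cgi_t would not help.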