Re: Recommend Mail Server

On 11/23/2009 2:21 PM, John R. Dennison wrote:
> On Mon, Nov 23, 2009 at 01:59:40PM -0500, Robert Moskowitz wrote:
>>
>> It points you to:
>> http://howtoforge.net/virtual-users-domains-postfix-courier-mysql-squirrelmail-fedora-10
>>
>> Now granted this is for FC10, but I suspect it would be easy to fit into
>> Centos.
>
> 	Please, for the love of god and country, do not follow garbage
> 	like this.  Under "1. Preliminary Note" is this text:
>
> 	"You should make sure that the firewall is off (at least for
> 	now) and that SELinux is disabled (this is important!)".
>
> 	Documents that advocate disabling SELinux should be tossed
> 	in a pile and set on fire.  Documents that tell you to
> 	disable your firewall with no mention in the remaining
> 	portion of the document to reenable it post install or
> 	how to properly configure it should join the burn pile.
>

+1... While SELinux can be a PITA at times, it's not going to go away 
anytime soon, so a smart sysadmin needs to learn to work with it rather 
than against it.  HowTos that tell me to disable SELinux or a firewall 
are held at arm's length and never to be followed literally.  (They might 
contain some useful commands or configuration options... maybe.)

(personal rant)

You can do a lot of SELinux workarounds with brute-force egrep'ing of 
the audit log combined with audit2allow.  It's not the best way to do 
it.  If you have mislabeled files that are labeled with a generic var_t 
label, and you grant processes access to those files with blind 
acceptance of what audit2allow says, you're also granting access to 
every other file that is labeled as var_t.  (Better choice would be to 
properly label the files that didn't get labeled correctly.)

But even a brute-force application of audit2allow is still a step up 
from disabling SELinux entirely.

(I have a love/hate relationship at times with SELinux.  I need to spend 
another weekend reading up on it again and figuring out some of the 
things that I'm not sure about yet.)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
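
Added example, not part of the original post: a small triage pass over AVC denials that separates denials against generically labeled targets (where the fix is relabeling) from denials that are candidates for a reviewed policy rule. The log lines are constructed, and `GENERIC_TYPES`, `triage` and `se_type` are names assumed for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample denials in audit.log AVC format (not from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1259002800.101:412): avc:  denied  { read } for  pid=2301 comm="smtpd" name="virtual_domains" dev=dm-0 ino=81234 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1259002800.105:413): avc:  denied  { getattr } for  pid=2301 comm="smtpd" path="/var/vmail/virtual_domains" dev=dm-0 ino=81234 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1259002811.220:419): avc:  denied  { name_connect } for  pid=1988 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
'''

# Assumption: these types mark objects that missed a specific label.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]+)"')

def se_type(context):
    """Return the type field of user:role:type[:level] (level may contain ':')."""
    return context.split(":")[2]

def triage(log_text):
    """Group denials by (source type, target type, class) and sort them into
    'relabel' (generic target label) or 'review' (candidate policy rule)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        groups[key]["objects"].update(OBJ_RE.findall(line))
    result = {"relabel": [], "review": []}
    for (src, tgt, tclass), g in sorted(groups.items()):
        bucket = "relabel" if tgt in GENERIC_TYPES else "review"
        result[bucket].append({"source": src, "target": tgt, "class": tclass,
                               "perms": sorted(g["perms"]),
                               "objects": sorted(g["objects"])})
    return result

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG).items():
        for r in rows:
            print(f"{bucket:8} {r['source']} -> {r['target']}:{r['class']} "
                  f"{{ {' '.join(r['perms'])} }} {r['objects']}")
```

Entries in the `relabel` bucket are the ones where an allow rule would cover every `var_t` object on the system; fix the label with `semanage fcontext` and `restorecon` and re-test before generating any rule.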
