[Mailman-Users] Archives, the "Forbidden Zone"
John Dennis
jdennis at redhat.com
Mon Nov 22 16:35:09 CET 2004
On Sun, 2004-11-21 at 15:07, Nathan Fiedler wrote:
[ SELinux permission problem snipped for brevity ]
FC3 installs with the SELinux "targeted" policy enabled by default. The
targeted policy is a restricted security policy that "targets" only the
most vulnerable system services rather than the entire system. Any time
you see messages in your system log (/var/log/messages) with "avc:
denied" it means the security policy has prohibited access and has
logged a warning. SELinux has much to offer in terms of enhanced
security in the day and age of rampant attacks by malicious intruders;
however, one of the downsides of SELinux is that authoring a security policy
that both prevents invalid access and does not interfere with valid
operation of the system is challenging. This is one reason the current
security policy is "targeted": it applies only to system services that
make active use of network connections. Mailman was added to the list
of system services under the protection of the SELinux targeted policy
in FC3.
Just prior to the freeze on FC3 we discovered a bug in the security
policy during our testing that prohibited access to archives. If my
memory serves me correctly it affected only private archives; this would
appear to be what you hit. The security policy was fixed. However, you
may not have the latest security policy. I suggest you bring your system
up to date with RPM packages; in particular you will want to be sure
you're running the latest selinux-policy-targeted rpm. You also have the
option to disable SELinux using the system-config-security-level applet.
It is my belief that the GOLD master release of FC3 had the version of
the selinux targeted policy which fixed the access to private archives,
so it might be that you installed prior to the GOLD release, but I will
verify this so no one else gets tripped up by this.
--
John Dennis <jdennis at redhat.com>
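An added example, not from the original post or from Mailman or Fedora, of how an administrator could triage the "avc: denied" lines John describes before deciding whether to update the policy package: it parses constructed sample /var/log/messages lines in the kernel audit/AVC syslog format of that era and tallies which source domain was denied which permission on which target type. The SELinux type names (httpd_t, mailman_archive_t), paths and timestamps are assumed sample values, not taken from this thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real log data); the type names and
# paths are assumed for illustration. One non-AVC line is included to show
# that unrelated messages are skipped.
SAMPLE_MESSAGES = """\
Nov 21 14:58:01 lists kernel: audit(1101045481.112:0): avc:  denied  { getattr } for  pid=2311 exe=/usr/bin/python path=/var/lib/mailman/archives/private/testlist dev=hda2 ino=81234 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mailman_archive_t tclass=dir
Nov 21 14:58:01 lists kernel: audit(1101045481.115:0): avc:  denied  { read } for  pid=2311 exe=/usr/bin/python name=index.html dev=hda2 ino=81240 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mailman_archive_t tclass=file
Nov 21 14:58:02 lists sshd[2400]: Accepted publickey for nathan from 192.0.2.10 port 51234 ssh2
Nov 21 14:59:10 lists kernel: audit(1101045550.020:0): avc:  denied  { read } for  pid=2399 exe=/usr/bin/python name=index.html dev=hda2 ino=81240 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mailman_archive_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc_denials(text):
    """Return one dict per 'avc: denied' line; all other lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group("fields")))
        rec["perms"] = tuple(sorted(m.group("perms").split()))
        denials.append(rec)
    return denials


def summarize_denials(denials):
    """Count denials by (source domain, target type, object class, permissions)."""
    counts = Counter()
    for d in denials:
        src = d.get("scontext", "?").split(":")[-1]   # e.g. httpd_t
        tgt = d.get("tcontext", "?").split(":")[-1]   # e.g. mailman_archive_t
        counts[(src, tgt, d.get("tclass", "?"), d["perms"])] += 1
    return counts


if __name__ == "__main__":
    summary = summarize_denials(parse_avc_denials(SAMPLE_MESSAGES))
    for (src, tgt, tclass, perms), n in summary.most_common():
        print(f"{n:3d}  {src} -> {tgt} ({tclass}) {{ {' '.join(perms)} }}")
```

A repeated denial of the web server domain on the archive type, as in the sample, points at the policy rather than at file ownership, which is the case where updating the policy package (or checking its version) is the right first step.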