Bill Cole writes:
 > On 15 Nov 2020, at 22:18, Stephen J. Turnbull wrote:

 > > I don't see why access to archives would cause a security issue,

Thanks for the reply!

Also FWIW, I'm explaining here why I don't think this is a Mailman
issue.  If there is a vulnerability in our distribution, and the
SELinux policy is pointing it out, we (I think I speak for all the
core devs here ;-) want to fix it.

 > FWIW:
 > 
 > 1. SELinux doesn't know about specific security issues, it assumes that 
 > nothing is safe unless explicitly allowed.

Yes, I was already aware that that is the "theoretically correct"
policy, and had guessed that SELinux follows it.

 > 2. On RHEL7 and its derivatives, the default SELinux policy includes a 
 > module for mailman's executable and data files which *in my experience* 
 > just works without modification when mailman is installed from an 
 > official RPM.

Aha.  Now *that* is *very* useful information!  So I assume that would
also apply to sufficiently recent CentOS, and most likely to Fedora.
And it's something to look up on Debian and Ubuntu.

Many thanks!

Regards,
Steve


 > It's even documented, if the policy docs are installed:
 > 
 > # apropos mailman |grep selinux
 > mailman_cgi_selinux (8) - Security Enhanced Linux Policy for the 
 > mailman_cgi processes
 > mailman_mail_selinux (8) - Security Enhanced Linux Policy for the 
 > mailman_mail processes
 > mailman_queue_selinux (8) - Security Enhanced Linux Policy for the 
 > mailman_queue processes
 > 
 > It would certainly be possible to break that by assigning the wrong 
 > SELinux labels to the mailman files, perhaps by installing from the 
 > unpackaged source. Fixing that sort of error is probably simple, but it 
 > would depend on what specifically was done. A simple 'restorecon -Rv /' 
 > will fix a lot of issues, but it isn't instantaneous and stomps on any 
 > customization that hasn't been written into the persistent policy.
 > 
 > -- 
 > Bill Cole
 > b...@scconsult.com or billc...@apache.org
 > (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
 > Not Currently Available For Hire
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
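As an added example that is not part of either message in this thread: the exchange above recommends `restorecon -Rv /` as a blanket fix but warns that it is slow and overwrites any labels not written into the persistent policy. The script below (my own, not from the thread or the Mailman project) takes the narrower route a practitioner would want first: it dry-runs `restorecon` with `-n` on the Mailman directories only, so nothing is changed, and summarizes which files carry a label that differs from what the policy expects. The directory paths are assumptions matching common RPM layouts, and the sample `restorecon` output is constructed so the summary logic can be exercised on a host that has no SELinux at all.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed Mailman 2 RPM layout;
# adjust to the paths your package actually installs.
MAILMAN_PATHS="/usr/lib/mailman /var/lib/mailman /etc/mailman"

# Constructed sample of 'restorecon -Rnv' output. Two wordings appear in
# the wild: the newer libselinux form ("Would relabel X from A to B",
# or "Relabeled X from A to B" without -n) and the older policycoreutils
# form ("restorecon reset X context A->B"). The type names are sample
# values chosen to look like the mailman policy module's types.
SAMPLE_OUTPUT='Would relabel /var/lib/mailman/archives/private/foo.mbox from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:mailman_archive_t:s0
restorecon reset /var/lib/mailman/lists/foo/config.pck context unconfined_u:object_r:var_lib_t:s0->system_u:object_r:mailman_data_t:s0
Would relabel /usr/lib/mailman/cgi-bin/private from system_u:object_r:bin_t:s0 to system_u:object_r:mailman_cgi_exec_t:s0'

# list_mislabeled: read restorecon -v / -nv output on stdin, print one
# path per line for every file whose label differs from the policy.
list_mislabeled() {
    awk '
        $1 == "Would" && $2 == "relabel"  { print $3; next }
        $1 == "Relabeled"                 { print $2; next }
        $1 == "restorecon" && $2 == "reset" { print $3; next }
    '
}

# count_mislabeled: same input, prints the number of mislabeled files.
count_mislabeled() {
    list_mislabeled | wc -l | tr -d ' '
}

# dry_run_mailman: ask restorecon what it *would* change under the
# Mailman paths without touching anything (-n). Exit 2 if the tool is
# missing (no SELinux userland on this host).
dry_run_mailman() {
    command -v restorecon >/dev/null 2>&1 || return 2
    # shellcheck disable=SC2086  # word-splitting MAILMAN_PATHS is intended
    restorecon -Rnv $MAILMAN_PATHS 2>/dev/null | list_mislabeled
}

# show_persistent_rules: the file-context rules the policy holds for
# mailman; a path that is mislabeled but has no rule here is one you
# would need to add with 'semanage fcontext -a' before relabeling.
show_persistent_rules() {
    command -v semanage >/dev/null 2>&1 || return 2
    semanage fcontext -l 2>/dev/null | grep -i mailman
}

# When run directly: report on the live system if possible, otherwise
# demonstrate on the constructed sample.
if dry_run_out=$(dry_run_mailman); then
    n=$(printf '%s\n' "$dry_run_out" | count_mislabeled)
    echo "restorecon would relabel $n file(s) under: $MAILMAN_PATHS"
    printf '%s\n' "$dry_run_out"
else
    echo "restorecon not available; summarizing constructed sample instead"
    printf '%s\n' "$SAMPLE_OUTPUT" | list_mislabeled
fi
```

Once the list is short and makes sense (for example, only files copied in from an unpackaged source tree), running `restorecon -Rv` on just those directories fixes them without the cost or side effects of relabeling the whole filesystem. A path that shows up mislabeled but has no matching line in `semanage fcontext -l` is a customization that will be lost on the next relabel unless a rule is added for it.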
