On 2008-05-04, at 0638, Maurizio Rottin wrote:
> 2008/5/3 D. Hilbig <[EMAIL PROTECTED]>:
>> Since it is a public webserver and SELinux is an additional layer of
>> security I would prefer not to disable it. I guess it might be time to
>> learn more about SELinux. I was hoping that someone has already written a
>> document on what needs to be changed. Oh well...
>
> qmail and qmailadmin are security-bug free, then selinux is a weak
> enhancement.

you forgot the word "IF" at the beginning of that sentence.

qmail itself has a history of over ten years with no verified security
holes, and only two possible holes reported which are caused by
32/64-bit discrepancies. while that is a very strong track record, and
while i do feel that qmail itself is the most secure MTA on the planet, i
don't consider it "guaranteed" free of security holes, any more than i
would any other program.

> anyway you can meanwhile leave selinux activated but in "targeted" way
> (not enforced), so that selinux will report any problem encountered but
> won't stop the execution. This is a good way for debugging it and
> creating new rules; i've never found a written policy for
> qmailadmin... (and be sure restorecond is on... chkconfig --list | grep
> restorecond)

excellent advice... this keeps SELinux from interfering with the
proper operation of the server, while giving you feedback about
which specific rules need to be written for your system.

doing a google search for "selinux howto" will give you a long list of
web pages which will teach you how SELinux works. the guys on the
fedora team really know this stuff cold, because they've been writing
the tools for fedora 8 and fedora 9 to allow people to manage
policies. the first pages i would read would be the ones they've
written.

--------------------------------------------------------
| John M. Simpson -- KG4ZOW -- Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--------------------------------------------------------
| Hope for America -- http://www.ronpaul2008.com/ |
--------------------------------------------------------