Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-04 Thread Barry Warsaw

On Apr 3, 2009, at 2:21 PM, Mark Sapiro wrote:


> Since the RedHat package already installs its own /etc/init.d/mailman,
> I think this is a good solution for the RedHat package. For the rest
> of us, we're pretty far from FHS compliance and presumably good
> security policy manager compliance anyway.


Yes, sadly Mailman predates the FHS by a long shot.  Mailman 3 will be  
FHS compliant.


Barry

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-03 Thread Mark Sapiro
Daniel Novotny wrote:

> The solution I created is to create a new script called
> 'mailman-update-cfg' which contains the following:
>
> #!/usr/bin/python
> import py_compile
>
> # Precompile mm_cfg.py so mm_cfg.pyc already exists when Mailman starts
> py_compile.compile('/usr/lib/mailman/Mailman/mm_cfg.py')
>
> in the mm_cfg.py there's a note, that if you use SELinux,
> you have to run this script as root after you change
> the configuration
>
> what do you think about this? it's more of a work-around,
> but it can be a part of the mailman init script in /etc/init.d


Since the RedHat package already installs its own /etc/init.d/mailman,
I think this is a good solution for the RedHat package. For the rest
of us, we're pretty far from FHS compliance and presumably good
security policy manager compliance anyway.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan



Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-02 Thread Daniel Novotny

- Mark Sapiro m...@msapiro.net wrote:

> I understand your issue with mm_cfg. All I can suggest is symlinks
> might help. I thought the current RedHat package currently has a
> symlink /etc/mm_cfg.py -> /usr/lib/mailman/Mailman/mm_cfg.py (or vice
> versa). Does this help?

yes, the symlink is there, but nevertheless when mailman starts,
python tries to compile the file to /usr/lib/mailman/Mailman
because this is where the entire package is

> If the problem is strictly with mm_cfg.pyc, you may be able to make
> /usr/lib/mailman/Mailman/mm_cfg.pyc an empty file with mode  (or
> (0400) so python won't try to write it.

python will try to write it and fail and this triggers the SELinux AVC denial
nevertheless

> If John Dennis is still at RedHat, he may be able to help as I think
> he's probably thought about this more than anyone.

thanks for the contact, I will look if he's still here


The solution I created is to create a new script called
'mailman-update-cfg' which contains the following:

#!/usr/bin/python
import py_compile

# Precompile mm_cfg.py so mm_cfg.pyc already exists when Mailman starts
py_compile.compile('/usr/lib/mailman/Mailman/mm_cfg.py')

in the mm_cfg.py there's a note, that if you use SELinux,
you have to run this script as root after you change
the configuration

what do you think about this? it's more of a work-around,
but it can be a part of the mailman init script in /etc/init.d

 regards,
   Daniel Novotny

 
> -- 
> Mark Sapiro m...@msapiro.net        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan


[Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-01 Thread Daniel Novotny
hello,

we are now having a problem, how to adapt mailman configuration (mm_cfg.py)
to SELinux policy:

it resides in /usr and the SELinux maintainer argues /usr should be read-only,
which is not satisfied, when you change the configuration (and the .pyc file
has to be generated in /usr/lib/mailman/Mailman/ , too)

I have thought about the way to fix this problem: simply moving the
file to /etc or /var is not enough, because it's part of the package Mailman
and lots of files say from Mailman import mm_cfg

any thoughts of this?
 thanks and regards,

   Daniel Novotny, Red Hat inc.


Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-01 Thread Mark Sapiro
Daniel Novotny wrote:

> we are now having a problem, how to adapt mailman configuration (mm_cfg.py)
> to SELinux policy:
>
> it resides in /usr and the SELinux maintainer argues /usr should be read-only,
> which is not satisfied, when you change the configuration (and the .pyc file
> has to be generated in /usr/lib/mailman/Mailman/ , too)
>
> I have thought about the way to fix this problem: simply moving the
> file to /etc or /var is not enough, because it's part of the package Mailman
> and lots of files say from Mailman import mm_cfg
>
> any thoughts of this?
>  thanks and regards,
>
>    Daniel Novotny, Red Hat inc.


I thought RedHat were the experts on this. See
http://mail.python.org/pipermail/mailman-developers/2004-October/017343.html.

I understand your issue with mm_cfg. All I can suggest is symlinks
might help. I thought the current RedHat package currently has a
symlink /etc/mm_cfg.py -> /usr/lib/mailman/Mailman/mm_cfg.py (or vice
versa). Does this help?

If the problem is strictly with mm_cfg.pyc, you may be able to make
/usr/lib/mailman/Mailman/mm_cfg.pyc an empty file with mode  (or
(0400) so python won't try to write it.

If John Dennis is still at RedHat, he may be able to help as I think
he's probably thought about this more than anyone.

-- 
Mark Sapiro m...@msapiro.net        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
