[Mailman-Users] Archives, the "Forbidden Zone"

John Dennis jdennis at redhat.com
Mon Nov 22 17:44:03 CET 2004


On Sun, 2004-11-21 at 15:43, Nathan Fiedler wrote:
> It turns out the problem was simple and so was the solution. When
> importing my existing list data and archives from another machine, I did
> not know to update the SELinux context labels appropriately. Thus, the
> kernel was unable to determine if the apache user was allowed to access
> the files. Normally it should be, but without the labels it wouldn't
> succeed.
> 
> To correct the labels, I ran both of these commands as root:
> 
> # fixfiles relabel
> # restorecon -Rv /var/lib/mailman

I'm glad you got this problem fixed. I'm also relieved it was not a bug
in the security policy after all. We did try pretty hard to make sure
the policy shipped without problems, but our testing centered around new
installations and didn't take into account copying in foreign files.
This sounds like something that needs documentation.

restorecon is the right tool to relabel files to their defaults in
specific directories. fixfiles would have relabeled the entire system
and is not generally recommended.

It may have helped if you had been the user mailman when you copied the
files as opposed to root, but there are many issues that impinge. Was
the operation a move or a copy? Did the destination file previously exist?
Would you have had permission as mailman to read the files? etc. Rather
than enumerating all the possible considerations when dealing with files
and directories under the protection of SELinux, the most expedient path
is to copy the files and relabel the files using restorecon, just as you
did.

-- 
John Dennis <jdennis at redhat.com>
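
A check that can precede the targeted relabel discussed in this thread, as an added example that is not part of the original messages: it summarises a `restorecon -Rnv` dry run by old and new SELinux type, so copied-in files carrying foreign labels are visible before anything is changed. The function names, the `RUN_LIVE` switch and the sample lines (including their type names) are constructed for illustration, and the "Would relabel ... from ... to ..." line format is assumed from current restorecon releases.

```shell
#!/bin/sh
# Added example: summarise a restorecon dry run before relabeling copied-in files.
# TARGET is the directory named in the thread; adjust it for other trees.
TARGET=/var/lib/mailman

# Read `restorecon -Rnv` output on stdin and print "count old_type -> new_type".
# Assumed input format: "Would relabel PATH from OLDCTX to NEWCTX".
# Fields are taken from the end of the line so paths containing spaces still parse.
summarize_relabel() {
    awk '
        NF >= 6 && $1 == "Would" && $2 == "relabel" &&
        $(NF-3) == "from" && $(NF-1) == "to" {
            split($(NF-2), old, ":")   # context is user:role:type[:level]
            split($NF, new, ":")
            pairs[old[3] " -> " new[3]]++
        }
        END { for (p in pairs) print pairs[p], p }
    ' | sort -k2
}

# Constructed sample of dry-run output (not captured from a real system).
sample_dry_run() {
cat <<'EOF'
Would relabel /var/lib/mailman/archives/private/demo/2004-November.txt from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:mailman_archive_t:s0
Would relabel /var/lib/mailman/archives/private/demo/index.html from unconfined_u:object_r:user_home_t:s0 to system_u:object_r:mailman_archive_t:s0
Would relabel /var/lib/mailman/lists/demo/config.pck from system_u:object_r:default_t:s0 to system_u:object_r:mailman_data_t:s0
EOF
}

# With RUN_LIVE=1 on an SELinux host, preview the real tree; -n changes nothing.
# Otherwise summarise the constructed sample so the script runs anywhere.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v restorecon >/dev/null 2>&1 \
   && [ -d "$TARGET" ]; then
    restorecon -Rnv "$TARGET" | summarize_relabel
else
    sample_dry_run | summarize_relabel
fi
```

An empty summary from the live run means the labels already match the policy defaults; otherwise `restorecon -Rv /var/lib/mailman`, as used in the thread, applies the changes the dry run listed.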



