[Mailman-Users] "create a new list" web interface

Todd Zullinger tmz at pobox.com
Sat Nov 15 01:04:49 CET 2008


jewel.brueggeman-makda at washburn.edu wrote:
> By disabling SELinux altogether it worked.

If you don't want to keep SELinux disabled, it should be possible to
make mailman work without too much trouble.  I do know that the Red
Hat packages install mailman in locations that are more FHS compliant
to help ease the writing of the SELinux policy.  If you're installing
mailman from source, it might be a little messier.

FWIW, I installed mailman from the packages provided as part of CentOS
5 and did a little light testing.  I had to create a small SELinux
policy module to allow mailman to be able to play nicely with postfix
and have the web interface be able to create lists.  The audit2allow
tool made this fairly trivial (easier than the manual steps I'll
list below to recreate the SELinux module, in fact :).

So, the policy that was generated via audit2allow is:

module mailmanpostfix 1.0;

require {
	type mailman_mail_t;
	type mailman_archive_t;
	type postfix_etc_t;
	type mailman_cgi_t;
	class file { read getattr };
	class dir search;
}

#============= mailman_cgi_t ==============
allow mailman_cgi_t postfix_etc_t:dir search;
allow mailman_cgi_t postfix_etc_t:file { read getattr };

#============= mailman_mail_t ==============
allow mailman_mail_t mailman_archive_t:dir search;

If you put that into a file, say mailmanpostfix.te, you can compile
it into a module and load it with just a few commands (all taken from
the audit2allow manpage):

# Compile the module
$ checkmodule -M -m -o mailmanpostfix.mod mailmanpostfix.te
# Create the package
$ semodule_package -o mailmanpostfix.pp -m mailmanpostfix.mod
# Load the module into the kernel
$ semodule -i mailmanpostfix.pp

Now, I don't claim to be enough of an SELinux guru to know whether
some of the generated policy could be tightened up, but I don't think
any of it looks egregiously incorrect.  It's also quite likely to be
more secure than disabling SELinux entirely. ;)

On another note, you also said that you needed to be root to make
genaliases work.  Is that perhaps because the permissions and
ownership on the aliases* files are not correct? The mailman install
manual details the proper permission and ownership commands you should
run:

http://www.gnu.org/software/mailman/mailman-install/node13.html

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The best leaders inspire by example. When that's not an option, brute
intimidation works pretty well, too.
    -- Demotivators (www.despair.com)
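Since audit2allow output is only as safe as the review it gets before semodule -i, here is an added example (not from the post or the Mailman project) that lints a small .te module: it checks that every type an allow rule references is declared in the require block and flags permissions beyond read-style access. The sample module is the one quoted above; the RISKY set is an assumption chosen for this example, not an SELinux rule.

```python
"""Lint a small SELinux policy module (.te) before loading it."""
import re

# Constructed sample: the mailmanpostfix module from the post.
SAMPLE_TE = """\
module mailmanpostfix 1.0;
require {
    type mailman_mail_t;
    type mailman_archive_t;
    type postfix_etc_t;
    type mailman_cgi_t;
    class file { read getattr };
    class dir search;
}
#============= mailman_cgi_t ==============
allow mailman_cgi_t postfix_etc_t:dir search;
allow mailman_cgi_t postfix_etc_t:file { read getattr };
#============= mailman_mail_t ==============
allow mailman_mail_t mailman_archive_t:dir search;
"""

# Assumption for this example: permissions that deserve a second look
# in a module generated from denials, since they go beyond read access.
RISKY = {"write", "append", "create", "unlink", "execute",
         "relabelto", "relabelfrom", "setattr"}
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
REQ_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)


def parse_module(text):
    """Return (declared types, [(source, target, class, perms)]) for a .te file."""
    declared = set(REQ_TYPE_RE.findall(text))
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return declared, rules


def lint_module(text):
    """Return a list of findings; an empty list means nothing to report."""
    declared, rules = parse_module(text)
    findings = []
    for src, tgt, cls, perms in rules:
        for t in (src, tgt):
            if t not in declared:
                findings.append(f"type {t} used in an allow rule but not in require block")
        hits = sorted(perms & RISKY)
        if hits:
            findings.append(f"{src} -> {tgt}:{cls} grants {' '.join(hits)}; confirm it is needed")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_module(SAMPLE_TE)) or "no findings")
```

Run it against the module before checkmodule; any finding is a rule to justify or drop, not a reason to disable SELinux.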
