Re: [CentOS-docs] Mail / Web server guides

2013-03-26 Thread Christian Salway
Woke up to a couple of problems with SELINUX this morning...

###
type=AVC msg=audit(1364240071.657:27): avc:  denied  { name_connect } for
pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
 Invalid AVC allowed in current policy ***

type=AVC msg=audit(1364240397.817:30): avc:  denied  { name_connect } for
pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
 Invalid AVC allowed in current policy ***

found 1 alerts in /var/log/audit/audit.log



SELinux is preventing /usr/libexec/dovecot/lmtp from write access on the
directory sieve.

*  Plugin catchall (100. confidence) suggests
***

If you believe that lmtp should be allowed write access on the sieve
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

###

I'm not sure what's wrong with the first two Invalid AVCs.  httpd is what I
want to give access to pop_port_t  (pop_port_t  tcp  106, 109, 110, 143,
220, 993, 995, 1109) and smtp_port_t (smtp_port_t  tcp  25, 465, 587)

The http.te looks like this

module httpd 1.0;

require {
type postfix_public_t;
type postfix_spool_t;
type pop_port_t;
type smtp_port_t;
type user_home_dir_t;
type user_home_t;
type httpd_t;
type postfix_spool_maildrop_t;
class process setrlimit;
class file { rename setattr read create write getattr open };
class dir { search write getattr remove_name add_name };
class fifo_file { write getattr open };
class tcp_socket name_connect;
}

#= httpd_t ==
allow httpd_t postfix_public_t:dir search;
allow httpd_t postfix_public_t:fifo_file { write getattr open };
allow httpd_t postfix_spool_maildrop_t:dir { write remove_name search add_name };
allow httpd_t postfix_spool_maildrop_t:file { rename write getattr setattr read create open };
allow httpd_t postfix_spool_t:dir search;

allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;

allow httpd_t self:process setrlimit;

allow httpd_t user_home_dir_t:dir { getattr search };

allow httpd_t user_home_t:dir { getattr search write add_name };
allow httpd_t user_home_t:file { create read open };


##
the second dovecot issue, when I run
# grep lmtp /var/log/audit/audit.log | audit2allow -M mypol

I get:

module dovecot 1.0;
require {
type dovecot_etc_t;
type dovecot_t;
class dir write;
}
#= dovecot_t ==
allow dovecot_t dovecot_etc_t:dir write;

but when I try 
# semodule -i mypol.pp

I get 

libsepol.print_missing_requirements: dovecot's global requirements were not
met: type/attribute dovecot_etc_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!

any ideas?

Kind regards,
Christian Salway

-Original Message-
From: centos-docs-boun...@centos.org [mailto:centos-docs-boun...@centos.org]
On Behalf Of Manuel Wolfshant
Sent: 25 March 2013 20:00
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Mail / Web server guides

On 03/25/2013 09:56 PM, Christian Salway wrote:
> [...]
> The only problem now is when I log into phpmyadmin, I get the 
> following and I can't find a solution.
>
> Your PHP MySQL library version 5.1.61 differs from your MySQL server 
> version 5.5.30. This may cause unpredictable behavior.
>
> # rpm -qa mysql*
> mysql55-libs-5.5.30-1.ius.el6.x86_64
> mysql55-5.5.30-1.ius.el6.x86_64
> mysqlclient16-5.1.61-1.ius.el6.x86_64
> mysql55-server-5.5.30-1.ius.el6.x86_64
>
You will keep seeing that warning for as long as phpmyadmin is compiled
against the stock mysql libs while the server runs a different mysql
version. Normally it's benign.
___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs


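The denial records, the audit2allow -M / semodule -i step and the failing dovecot module above, as an added example that is not part of the thread or of the poster's scripts: a small Python parser for the AVC format that separates denials an already-loaded local .te covers (the "Invalid AVC allowed in current policy" case) from those that still need a rule, and emits a minimal module for the remainder. The audit lines, the semodule -l listing and the mypol name are constructed stand-ins.

```python
"""Parse SELinux AVC denials, drop those a loaded local .te already allows and
emit a minimal module for the rest.  Added example for this thread, not audit2allow."""
import re
from collections import defaultdict

# Constructed audit records modelled on the denials quoted in the thread;
# the lmtp/sieve line is invented to match the sealert summary.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1364240071.657:27): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=143 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364240397.817:30): avc:  denied  { name_connect } for pid=1851 comm="httpd" dest=587 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1364240500.101:35): avc:  denied  { write } for pid=2044 comm="lmtp" name="sieve" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir
"""
# Allow rules from the httpd module in the thread, taken as already loaded.
LOADED_TE = """\
allow httpd_t pop_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t user_home_t:dir { getattr search write add_name };
"""
# Constructed stand-in for the output of `semodule -l` (name<TAB>version).
INSTALLED = "apache\t2.1.0\ndovecot\t1.9.0\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<sctx>\S+)"
                    r".*?tcontext=(?P<tctx>\S+).*?tclass=(?P<tclass>\w+)")
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_avc(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(audit_text):
        stype = m.group("sctx").split(":")[2]  # user:role:type:level
        ttype = m.group("tctx").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))] |= set(m.group("perms").split())
    return dict(rules)

def parse_te(te_text):
    """Same shape as parse_avc, built from the allow rules of a .te file."""
    rules = defaultdict(set)
    for s, t, c, perms in ALLOW_RE.findall(te_text):
        rules[(s, t, c)] |= set(perms.strip("{} ").split())
    return dict(rules)

def split_covered(denied, loaded):
    """Denials the loaded rules already satisfy are what sealert reports as
    'Invalid AVC allowed in current policy': stale log entries, nothing to add."""
    covered, missing = {}, {}
    for key, perms in denied.items():
        left = perms - loaded.get(key, set())
        if left:
            missing[key] = left
        else:
            covered[key] = perms
    return covered, missing

def name_is_free(name, listing):
    """False if `name` is already an installed module (as listed by semodule -l)."""
    return name not in {line.split()[0] for line in listing.splitlines() if line.strip()}

def render_te(name, rules, listing):
    """Emit a .te for `rules`.  A name that matches an installed module is refused:
    semodule -i would replace that module, and the types it defines (dovecot_etc_t
    comes from the base 'dovecot' module) would no longer exist to satisfy require{}."""
    if not name_is_free(name, listing):
        raise ValueError("module name %r collides with an installed module" % name)
    types = sorted({x for s, t, _ in rules for x in (s, t) if x != "self"})
    classes = defaultdict(set)
    for (_, _, c), perms in rules.items():
        classes[c] |= perms
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"
```

On the thread's input the two httpd denials come out as already covered and only the dovecot_t rule is rendered; asking for the module name "dovecot" is refused because that name is already installed.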

Re: [CentOS-docs] Mail / Web server guides

2013-03-25 Thread Christian Salway
I didn't have that problem before when using remi :)


--Original Message--
From: Manuel Wolfshant
Sender: centos-docs-boun...@centos.org
To: Mail list for wiki articles
ReplyTo: Mail list for wiki articles
Subject: Re: [CentOS-docs] Mail / Web server guides
Sent: 25 Mar 2013 20:00

On 03/25/2013 09:56 PM, Christian Salway wrote:
> [...]
> The only problem now is when I log into phpmyadmin, I get the following and
> I can't find a solution.
>
> Your PHP MySQL library version 5.1.61 differs from your MySQL server version
> 5.5.30. This may cause unpredictable behavior.
>
> # rpm -qa mysql*
> mysql55-libs-5.5.30-1.ius.el6.x86_64
> mysql55-5.5.30-1.ius.el6.x86_64
> mysqlclient16-5.1.61-1.ius.el6.x86_64
> mysql55-server-5.5.30-1.ius.el6.x86_64
>
You will keep seeing that warning for as long as phpmyadmin is compiled 
against the stock mysql libs while the server runs a different mysql 
version. Normally it's benign.


Re: [CentOS-docs] Mail / Web server guides

2013-03-25 Thread Christian Salway
Ok,  The scripts have been rewritten :)

All packages are now downloaded from base or IUS (or rpmforge for
perl-file-clamav) and I've left selinux enabled, writing some te files :)

Changes have been uploaded http://www.itmanx.com/downloads/scripts.tar.gz

The only problem now is when I log into phpmyadmin, I get the following and
I can't find a solution.

Your PHP MySQL library version 5.1.61 differs from your MySQL server version
5.5.30. This may cause unpredictable behavior.

# rpm -qa mysql*
mysql55-libs-5.5.30-1.ius.el6.x86_64
mysql55-5.5.30-1.ius.el6.x86_64
mysqlclient16-5.1.61-1.ius.el6.x86_64
mysql55-server-5.5.30-1.ius.el6.x86_64


Kind regards,
Christian Salway

-Original Message-
From: centos-docs-boun...@centos.org [mailto:centos-docs-boun...@centos.org]
On Behalf Of John R. Dennison
Sent: 25 March 2013 13:17
To: centos-docs@centos.org
Subject: Re: [CentOS-docs] Mail / Web server guides

On Mon, Mar 25, 2013 at 10:41:31AM -, Christian Salway wrote:
>
> Firstly, "If such issues could possibly be resolved I feel these 
> scripts would be very beneficial to many users.", who better to help 
> out with that than you by the sounds of it.

I've already worked this space and have had solutions in place for such
provisioning for many, many years; I was not including myself in that "many
users" category :)

> Anyway, although I would love a perfect system the way CentOS org 
> intended it, there are many reasons why I have done the scripts the way I
> have.
> Mainly because there is not always the documentation out there to be 
> able to achieve the centos perfect result, or the packages available 
> in the 'preferred' repos are out-of-date, so people like me find the
> 'best'
> solution they can.

But the point is... your solution leaves one wide-open for security problems
down the road from 1) lack of policy enforcement and 2) unpackaged solutions
that will, more than likely, end up missing some updates down the line.
Especially when you are talking about such poor codebases as phpmyadmin with
its absolutely stellar record of no security issues.  

> selinux
> I'm all about security but there just isn't any good documentation for 
> managing selinux!

That's patently untrue.

> If there was, SELINUX would still be enabled.  For instance, how to 
> allow selinux to let pureftp and apache share the same files, show me 
> a simple guide on that!

You mean like the one on the centos wiki or any of the documentation
provided by Redhat and Fedora?  Here's a list of links to get you
started:

http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
http://fedorasolved.org/security-solutions/selinux-module-building
http://centoshelp.org/security/selinux-common-commands-troubleshooting

There are, of course, many, many additional resources.

Really...  this endless loop I hear about lack of documentation might have
been true a number of years ago but it is not the case, nor has it been the
case for quite some time.

> perl-File-Scan-ClamAV
> I used http://wiki.apache.org/spamassassin/ClamAVPlugin to interact 
> ClamAV and spamassassin which mentions File::Scan::ClamAV but which 
> wasn't available in the repositories I had chosen, so clicking on the 
> link took me to cpan, which I then found a way to automate the install 
> off.  I see no reason why it wasn't a good way of doing it as you get 
> the latest version and it's only an add-on module to perl.

And it's unpackaged, therefore rpm/yum know absolutely nothing about it
which may well lead to conflicts down the road.  There is also the "it's
unpackaged so therefore it may well lack in applied updates" issue.  While
_you_ may well be disciplined enough to check for and apply updates as
necessary, the people that would be relying on your scripts may not be as
disciplined - cookie cutter solutions such as _packaged_ applications are a
better fit for most.  perl-File-Scan-ClamAV is in rpmforge.  If you are
unhappy with the version they offer and you are willing to maintain it
yourself then you can use cpanspec or cpan2rpm and create a binary rpm
package; this process will use the sources available from cpan and build up
an arch (i386/x86_64) or noarch binary package as necessary.

> phpmyadmin
> What is so wrong about downloading the latest html files direct from 
> the developers website?  Nothing is 'installed' into the system and 
> the repositories rarely have the latest version.  You are basically 
> asking the CentOS users to stay in the dark from new and improved 
> versions of software until you 'have the time' to add them to the
> repositories!

Because latest != greatest.  Oh! Shiny! isn't generally worth 

Re: [CentOS-docs] Mail / Web server guides

2013-03-25 Thread Christian Salway
Hi Manuel,

Great links for selinux. Thank you very much. Will be reading up on those
now.

Perhaps you would like to contribute to the scripts to alter them slightly
to better suit an selinux environment?


"So far I have seen exactly 4 people who really needed and took advantage of
the features brought in by the newer mysql versions. But hey, maybe you are
number 5"
Wanted to use SHA2 which required at least version 5.5


I'm now looking into redoing the scripts, mainly to try to support all the
comments received so far, namely, selinux and different repositories.
Hopefully if I get it right, I can then write some wiki documents.

ps. love the comeback " And yet despite most monkeys are able to read the
selinux instruction" haha, made my morning :)

Kind regards,
Christian Salway

-Original Message-
From: centos-docs-boun...@centos.org [mailto:centos-docs-boun...@centos.org]
On Behalf Of Manuel Wolfshant
Sent: 25 March 2013 11:44
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Mail / Web server guides

On 03/25/2013 12:41 PM, Christian Salway wrote:
> Hi John,
>
> Thank you for your feedback.
>
> Firstly, "If such issues could possibly be resolved I feel these 
> scripts would be very beneficial to many users.", who better to help 
> out with that than you by the sounds of it.
>
> Anyway, although I would love a perfect system the way CentOS org 
> intended it, there are many reasons why I have done the scripts the way I
> have.
> Mainly because there is not always the documentation out there to be 
> able to achieve the centos perfect result, or the packages available 
> in the 'preferred' repos are out-of-date, so people like me find the
> 'best'
> solution they can.
>
> selinux
> I'm all about security but there just isn't any good documentation for 
> managing selinux!  If there was, SELINUX would still be enabled.
 I beg to differ. There is plenty of documentation but people still
think and act as they did 10 years ago when selinux was introduced. For
those who really want to do things properly, there exist:
- http://wiki.centos.org/HowTos/SELinux
- http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
- http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/
 Not to mention the plethora of docs available from the selinux
creators/maintainers themselves  such as the posts written by Dan Walsh (
http://danwalsh.livejournal.com/ ) and Dominick Grift (
http://selinux-mac.blogspot.ro/ )
 Unfortunately real life has proven that quite often people prefer to
blame selinux and lack of docs as a cover-up for not allocating the time to
read and learn.

>For
> instance, how to allow selinux to let pureftp and apache share the 
> same files, show me a simple guide on that!
 There are several booleans related to ftp and httpd and properly
turning the required bits on would make everybody happy. getsebool -a | grep
"ftp\|httpd" will let most users figure things out easily. The tools
described in the first 2 above mentioned links will teach those who want to
learn.
 Incidentally pureftp is the ftp server that I use, too. But the
reasoning is pure laziness from my part, it's running on a system that was
first installed in the RH 7.2 era and I was ( I still am ) too lazy to
transfer my custom settings to vsftpd. But I assure you, selinux is on and
always has been. It's also true that I keep selinux on ever since I started
using it, back in the Fedora 3 era, even if at times I had to spend 30 min
to create custom policies ( and this still happens when I add packages from
3rd party repos... munin is my latest "friend" from this point of view).


> perl-File-Scan-ClamAV
> I used http://wiki.apache.org/spamassassin/ClamAVPlugin to interact 
> ClamAV and spamassassin which mentions File::Scan::ClamAV but which 
> wasn't available in the repositories I had chosen,
 Do you mean that you did not find
http://pkgs.org/centos-6-rhel-6/repoforge-i386/perl-File-Scan-ClamAV-1.91-1.el6.rf.noarch.rpm.html
?

>   so clicking on the link took me
> to cpan, which I then found a way to automate the install off.  I see 
> no reason why it wasn't a good way of doing it as you get the latest 
> version and it's only an add-on module to perl.

 For what it's worth, there are several applications - such as cpanspec,
available as package from EPEL, too  - which allow almost automatic creation
of rpm packages from CPAN modules and take almost no time for the process.
For most modules it takes longer to download from CPAN than to create a rpm.


> phpmyadmin
> What is so wrong about downloading the latest html files direct from 
> the developers website?  Nothing is 'installed' into the system and 
> the repositories rarely have the latest version.
 B

Re: [CentOS-docs] Mail / Web server guides

2013-03-25 Thread Christian Salway
Hi John, 

Thank you for your feedback.

Firstly, "If such issues could possibly be resolved I feel these scripts
would be very beneficial to many users.", who better to help out with that
than you by the sounds of it.

Anyway, although I would love a perfect system the way CentOS org intended
it, there are many reasons why I have done the scripts the way I have.
Mainly because there is not always the documentation out there to be able to
achieve the centos perfect result, or the packages available in the
'preferred' repos are out-of-date, so people like me find the 'best'
solution they can.

selinux
I'm all about security but there just isn't any good documentation for
managing selinux!  If there was, SELINUX would still be enabled.  For
instance, how to allow selinux to let pureftp and apache share the same
files, show me a simple guide on that!

perl-File-Scan-ClamAV
I used http://wiki.apache.org/spamassassin/ClamAVPlugin to interact ClamAV
and spamassassin which mentions File::Scan::ClamAV but which wasn't
available in the repositories I had chosen, so clicking on the link took me
to cpan, which I then found a way to automate the install off.  I see no
reason why it wasn't a good way of doing it as you get the latest version
and it's only an add-on module to perl.

phpmyadmin
What is so wrong about downloading the latest html files direct from the
developers website?  Nothing is 'installed' into the system and the
repositories rarely have the latest version.  You are basically asking the
CentOS users to stay in the dark from new and improved versions of software
until you 'have the time' to add them to the repositories!

UTC timezone
The timezone script was for simplicity with my setup only and can obviously
be removed.  Although I'm sure a half-witted donkey can figure out how to
change it.

Remi over rpmforge
I tried to install mysql from rpmforge but it just wasn't happening.  Their
mysql_libs are still old and thus causes a warning in phpmyadmin.


Although CentOS may be a packaged managed system, most of the time the
packages in the repositories are way behind, resulting in system
administrators like myself having to install versions with security
concerns, bugs or unavailable useful features that is just simply
ridiculous, all because you want users to follow suit.

If you would like to add your tweaks to the scripts, I would be more than
happy to re-upload them to my downloads area... but something tells me the
answer will be 'when I have time'.

Nb. I'm just testing CentOS6.4 as it was just released, so these scripts
might change again.

Kind regards,
Christian Salway

-Original Message-
From: centos-docs-boun...@centos.org [mailto:centos-docs-boun...@centos.org]
On Behalf Of John R. Dennison
Sent: 25 March 2013 05:53
To: centos-docs@centos.org
Subject: Re: [CentOS-docs] Mail / Web server guides

On Mon, Mar 25, 2013 at 04:59:08AM -, Christian Salway wrote:
> http://www.itmanx.com/downloads/scripts.tar.gz

I took a quick glance at your scripts as such a toolchain would prove _very_
useful to many.

Your selinux.sh is an abysmal fail.  It's so discouraging to see this type
of nonsense still going on in 2013.  There is NO REASON to disable selinux
enforcement.

You are also advocating the use of CPAN in your clamav.sh to install
File-Scan-ClamAV from source.  No, please, just... no.  The use of CPAN,
either directly via perl -MCPAN -e shell or the method you use to retrieve
the tarball from the cpan archive system and then building it yourself, is
_strongly_ discouraged on a package managed system.  The module you are
looking for is already prepackaged by rpmforge as perl-File-Scan-ClamAV and
is available for both  CentOS-5 and -6.

I see you are also installing phymyadmin using a source kit install instead
of using the version that is packaged by EPEL which doesn't make any sense
to me considering your repositories.sh installs epel (although without
priorities and you set it to enabled).  Since you also install remi (why?)
there may be conflicts between the two (unconfirmed, I couldn't be paid
enough to use remi on any box I care about).

You blindly change the host's timezone to UTC?  With no interaction from the
user whether he/she wants this or not? (No, not everyone wants their boxes
in UTC.)

There may be other issues, but these are the ones that jumped out at me from
a _very_ cursory review.

I must admit, I was a little disappointed with things as they stand.
CentOS is a packaged distribution and it's best to stay with components that
are in package format instead of resorting to raw tarball installs.

If such issues could possibly be resolved I feel these scripts would be
very beneficial to many users.




John

--
You may be deceived if you trust too much, but you will live in torment

Re: [CentOS-docs] Mail / Web server guides

2013-03-24 Thread Christian Salway
Hi Ralph,

I would love to write some guides but I just don't have the time at the
moment (work commitments), but for those that would like the scripts and
maybe write up some guides, you can download them from:

http://www.itmanx.com/downloads/scripts.tar.gz

This has been tested on a fresh install of CentOS 6.3 x64 minimal.

Run the prerequisites.sh file (eg. sh prerequisites.sh) first just to make
sure you have wget.  Then run run.sh.  You can see inside run.sh what it
sets up.  I have also made every file independent if you'd like to just
install a particular feature.

In the archive are also 3 files named newemail.sh, newwebsite.sh and
newftpuser.sh to get you started post install.

When I get more time, I will be happy to write up some guides.

Kind regards,
Christian Salway

-Original Message-
From: centos-docs-boun...@centos.org [mailto:centos-docs-boun...@centos.org]
On Behalf Of Ralph Angenendt
Sent: 24 March 2013 21:43
To: centos-docs@centos.org
Subject: Re: [CentOS-docs] Mail / Web server guides

On 12.03.2013 13:29, Christian Salway wrote:

> Overall, this will give anyone the chance to run a mail server with 
> multi domain support and website hosting support on a CentOS system by 
> simply running a shell script which takes about 5 minutes.

Hmmm. No. That is not really what we are looking for (although it sounds
interesting). We're looking for documentation which enables the reader to
*learn* and then implement things himself. Okay, if there is some copy &
paste, there's nothing wrong with that :)

But we don't want to supply shell scripts which are opaque to the casual
user and then do something he cannot reproduce (or understand with his level
of knowledge).

> Let me know if you're interested and if so, how I go about writing it 
> into your wiki.

If you can add to various parts of the wiki which already describe mail
- or create new pages on things which aren't already covered - then that
would be great.

Regards,

Ralph



[CentOS-docs] Mail / Web server guides

2013-03-12 Thread Christian Salway
Hi,

I have spent the last couple of weeks learning all about setting up CentOS
as a mailing server, web server, MySQL server (which hasn't been easy
because all of your guides are a little out of date). I have also written a
few shell scripts to automate the whole process and was wondering if my
guides would be useful to have on your wiki site.

The guides focus on a base install of Centos 6.3 x64 minimal direct from an
ISO downloaded from CentOS site.  The server includes Postfix (w/ SSL/TLS,
Virtual Users), Dovecot (SHA512-CRYPT passwords - would have liked BCRYPT
but your current package from yum doesn't support it), Spamassassin, ClamAV,
MySQL (5.5), Apache (w/ SSL), phpmyadmin, and roundcube.

I will soon be adding MyRoundcube, sabredav to give shared calendar/contact
support, as well as Funambol to give mobile sync support, although the
developers guides are really outdated so no luck with that yet!

Overall, this will give anyone the chance to run a mail server with multi
domain support and website hosting support on a CentOS system by simply
running a shell script which takes about 5 minutes.

Let me know if you're interested and if so, how I go about writing it into
your wiki.

Kind regards,

Christian Salway
Director
Tel: 44-1624-836806
Mob: 44-7624-339113
Fax: 44-7053-455813
ccsal...@itmanx.com

-Original Message-
From: centos-docs-boun...@centos.org [mailto:centos-docs-boun...@centos.org]
On Behalf Of Manuel Wolfshant
Sent: 12 March 2013 12:05
To: Mail list for wiki articles
Subject: Re: [CentOS-docs] Suggested wiki edits:

On 03/11/2013 10:46 PM, Chris Pepper wrote:


[various wiki modifications suggested]



Thank you for your suggestions, Chris. We revised and implemented most of
the changes that you have sent via the list.


 manuel