Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-04 Thread Barry Warsaw

On Apr 3, 2009, at 2:21 PM, Mark Sapiro wrote:


> Since the RedHat package already installs its own /etc/init.d/mailman,
> I think this is a good solution for the RedHat package. For the rest
> of us, we're pretty far from FHS compliance and presumably good
> security policy manager compliance anyway.


Yes, sadly Mailman predates the FHS by a long shot.  Mailman 3 will be  
FHS compliant.


Barry

--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: http://wiki.list.org/x/QIA9


Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-03 Thread Mark Sapiro
Daniel Novotny wrote:
>
>The solution I created is to create a new script called
>"mailman-update-cfg" which contains the following:
>
>#!/usr/bin/python
>import py_compile
>
>py_compile.compile("/usr/lib/mailman/Mailman/mm_cfg.py")
>
>in the mm_cfg.py there's a note, that if you use SELinux,
>you have to run this script as root after you change
>the configuration
>
>what do you think about this? it's more of a work-around,
>but it can be a part of the mailman init script in /etc/init.d


Since the RedHat package already installs its own /etc/init.d/mailman,
I think this is a good solution for the RedHat package. For the rest
of us, we're pretty far from FHS compliance and presumably good
security policy manager compliance anyway.

-- 
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan



Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-02 Thread Daniel Novotny

"Mark Sapiro" wrote:

> I understand your issue with mm_cfg. All I can suggest is symlinks
> might help. I thought the current RedHat package currently has a
> symlink /etc/mm_cfg.py -> /usr/lib/mailman/Mailman/mm_cfg.py (or vice
> versa). Does this help?
yes, the symlink is there, but nevertheless when mailman starts,
python tries to compile the file to /usr/lib/mailman/Mailman 
because this is where the entire package is

> 
> If the problem is strictly with mm_cfg.pyc, you may be able to make
> /usr/lib/mailman/Mailman/mm_cfg.pyc an empty file with mode  (or
> (0400) so python won't try to write it.
python will try to write it and fail and this triggers the SELinux AVC denial
nevertheless

> 
> If John Dennis is still at RedHat, he may be able to help as I think
> he's probably thought about this more than anyone.
thanks for the contact, I will look if he's still here


The solution I created is to create a new script called
"mailman-update-cfg" which contains the following:

#!/usr/bin/python
import py_compile

py_compile.compile("/usr/lib/mailman/Mailman/mm_cfg.py")

in the mm_cfg.py there's a note, that if you use SELinux,
you have to run this script as root after you change
the configuration

what do you think about this? it's more of a work-around,
but it can be a part of the mailman init script in /etc/init.d

 regards,
   Daniel Novotny

> 
> -- 
> Mark Sapiro                         The highway is for gamblers,
> San Francisco Bay Area, California  better use your sense - B. Dylan
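
The precompile step proposed in the message above, extended with a check that the cached bytecode is still current, as an added example that is not part of the original thread. It assumes Python 3 (bytecode in __pycache__/ rather than mm_cfg.pyc beside the source); the config contents and the helper names pyc_is_fresh and update_cfg are constructed for illustration.

```python
# Added example, not code from the thread; assumes Python 3's __pycache__ layout.
import importlib.util
import os
import py_compile
import struct
import tempfile


def pyc_is_fresh(source_path):
    """True if cached bytecode exists and matches the source's mtime and size."""
    pyc_path = importlib.util.cache_from_source(source_path)
    try:
        with open(pyc_path, "rb") as f:
            header = f.read(16)
    except OSError:
        return False
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return False
    flags, mtime, size = struct.unpack("<III", header[4:16])
    if flags != 0:  # hash-based pyc, not validated by timestamp
        return False
    st = os.stat(source_path)
    return (mtime == (int(st.st_mtime) & 0xFFFFFFFF)
            and size == (st.st_size & 0xFFFFFFFF))


def update_cfg(source_path):
    """Admin-side step: compile now, raising on a syntax error in the config."""
    py_compile.compile(source_path, doraise=True,
                       invalidation_mode=py_compile.PycInvalidationMode.TIMESTAMP)
    return pyc_is_fresh(source_path)


def demo():
    """Constructed config in a temp dir: missing pyc, compiled pyc, edited source."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "mm_cfg.py")
        with open(cfg, "w") as f:
            f.write("DEFAULT_URL_HOST = 'lists.example.org'\n")
        before = pyc_is_fresh(cfg)          # nothing compiled yet
        after = update_cfg(cfg)             # compiled by the admin step
        with open(cfg, "a") as f:           # configuration edited afterwards
            f.write("DEFAULT_EMAIL_HOST = 'example.org'\n")
        stale = pyc_is_fresh(cfg)           # size changed, so bytecode is stale
        return before, after, stale


if __name__ == "__main__":
    print(demo())
```

A False result from pyc_is_fresh is the condition under which the daemon's import would attempt to write bytecode into the package directory, so an init script can run the check before starting the service.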


Re: [Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-01 Thread Mark Sapiro
Daniel Novotny wrote:
>
>we are now having a problem, how to adapt mailman configuration (mm_cfg.py)
>to SELinux policy:
>
>it resides in /usr and the SELinux maintainer argues /usr should be read-only,
>which is not satisfied, when you change the configuration (and the .pyc file
>has to be generated in /usr/lib/mailman/Mailman/ , too)
>
>I have thought about the way to fix this problem: simply moving the
>file to /etc or /var is not enough, because it's part of the package "Mailman"
>and lots of files say "from Mailman import mm_cfg"
>
>any thoughts of this?
> thanks and regards,
>
>   Daniel Novotny, Red Hat inc.


I thought RedHat were the experts on this. See
.

I understand your issue with mm_cfg. All I can suggest is symlinks
might help. I thought the current RedHat package currently has a
symlink /etc/mm_cfg.py -> /usr/lib/mailman/Mailman/mm_cfg.py (or vice
versa). Does this help?

If the problem is strictly with mm_cfg.pyc, you may be able to make
/usr/lib/mailman/Mailman/mm_cfg.pyc an empty file with mode  (or
(0400) so python won't try to write it.

If John Dennis is still at RedHat, he may be able to help as I think
he's probably thought about this more than anyone.

-- 
Mark Sapiro                         The highway is for gamblers,
San Francisco Bay Area, California  better use your sense - B. Dylan



[Mailman-Users] mm_cfg.py in /usr : SELinux problem

2009-04-01 Thread Daniel Novotny
hello,

we are now having a problem, how to adapt mailman configuration (mm_cfg.py)
to SELinux policy:

it resides in /usr and the SELinux maintainer argues /usr should be read-only,
which is not satisfied, when you change the configuration (and the .pyc file
has to be generated in /usr/lib/mailman/Mailman/ , too)

I have thought about the way to fix this problem: simply moving the
file to /etc or /var is not enough, because it's part of the package "Mailman"
and lots of files say "from Mailman import mm_cfg"

any thoughts of this?
 thanks and regards,

   Daniel Novotny, Red Hat inc.