Re: [sympa-users] Sympa and SELinux

Subject: The mailing list for listmasters using Sympa

  • From: Olivier Salaün <address@concealed>
  • To: Liam Kirsher <address@concealed>
  • Cc: sympa-users <address@concealed>
  • Subject: Re: [sympa-users] Sympa and SELinux
  • Date: Fri, 14 Dec 2007 11:11:18 +0100

Hi Liam,

We're not SELinux experts at all, however it would probably be valuable to end up with an entry in the Sympa FAQ (http://www.sympa.org/wiki/faq) dealing with this topic. You already provide lots of precious information and interesting questions in your previous message. Therefore you might be the right person to initialize the new SELinux FAQ entry ;-)

Then hopefully, other users may help to reach the goal of either running Sympa in the "Enforcing" policy or creating an appropriate policy.

Thanks.

Liam Kirsher wrote:
Before I re-invent the wheel, I thought I would ask how other admins are
dealing with Sympa on SELinux.

I'm installing the most recent Sympa on a CentOS 5 (virtual) server. Sympa runs fine if I set SELinux to Permissive, but I would rather have
it set at Enforcing, which is the default.

1. I needed to install the Sympa dir in /var/www/... instead of
/home/sympa. I did that, and it got me part of the way, however --
2. mod_fastcgi will not run! The httpd error log shows streaming error
messages like this:
[Thu Dec 13 16:34:59 2007] [crit] (98)Address already in use: FastCGI:
can't create server "/var/www/sympa/bin/wwsympa.fcgi": bind() failed
[/tmp/fcgi_ipc/5c72a3608fa619be35c88ae7951189f9]
[Thu Dec 13 16:34:59 2007] [error] (13)Permission denied: FastCGI:
unlink() failed to remove socket file
"/tmp/fcgi_ipc/5c72a3608fa619be35c88ae7951189f9" for server
"/var/www/sympa/bin/wwsympa.fcgi"

The audit.log shows a variety of denied messages:
type=AVC msg=audit(1197497913.299:2213): avc: denied { ioctl } for [...]
tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

I tried changing the selinux settings on the /tmp/fcgi_ipc directory,
but that was not enough. It's more complicated than just that, since I
think selinux is controlling reading and writing to sockets, writing to
the log file, etc. What's more, the actual executable is perl. Anyway,
this is all pretty confusing. I ran audit2allow -m and got:
module fcgi 1.0;
[...]
allow httpd_t httpd_tmp_t:sock_file { create setattr unlink write };
But I'm not sure if that will do what I want it to do. Maybe it would
be better to create an entirely new policy for sympa rather than trying
to jigger the httpd policy...?

Has anyone created a sympa selinux policy, or can anyone give me a pointer on
how to do it?
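An added example, not code from this thread or from the Sympa project, showing what audit2allow -m does with denials like the ones quoted above: it parses AVC records, groups them by source type, target type and object class, and prints the allow rules a module would contain, so each rule can be checked for scope before anything is loaded with semodule. The audit.log lines it reads are constructed samples modelled on the quoted record, not the original log.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread); the field
# layout follows the AVC record format quoted in the question.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197497913.299:2213): avc:  denied  { ioctl } for  pid=2881 comm="httpd" path="/dev/log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1197497913.301:2214): avc:  denied  { create } for  pid=2881 comm="httpd" name="5c72a3608fa619be35c88ae7951189f9" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1197497913.302:2215): avc:  denied  { write } for  pid=2881 comm="httpd" name="5c72a3608fa619be35c88ae7951189f9" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1197497913.305:2216): avc:  denied  { unlink } for  pid=2881 comm="httpd" name="5c72a3608fa619be35c88ae7951189f9" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1197497913.306:2217): avc:  denied  { setattr } for  pid=2881 comm="httpd" name="5c72a3608fa619be35c88ae7951189f9" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1197497913.306:2217): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the denied permission set and the three fields a rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        # A context is user:role:type[:level]; the policy type is field three.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def allow_rules(log_text):
    """Merge denials into the allow rules audit2allow -m would propose."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        merged[(stype, ttype, tclass)] |= perms
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Seeing the rules written out this way makes it easy to spot that the devlog_t ioctl denial is a separate grant from the socket-file rule on httpd_tmp_t, and to decide per rule whether it belongs in an httpd tweak or in a dedicated Sympa module.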