On 15 Nov 2020, at 22:18, Stephen J. Turnbull wrote:
> I don't see why access to archives would cause a security issue,
FWIW:
1. SELinux doesn't know about specific security issues, it assumes that
nothing is safe unless explicitly allowed.
2. On RHEL7 and its derivatives, the default SELinux policy includes a
module for mailman's executable and data files which *in my experience*
just works without modification when mailman is installed from an
official RPM. It's even documented, if the policy docs are installed:
    # apropos mailman |grep selinux
    mailman_cgi_selinux (8) - Security Enhanced Linux Policy for the mailman_cgi processes
    mailman_mail_selinux (8) - Security Enhanced Linux Policy for the mailman_mail processes
    mailman_queue_selinux (8) - Security Enhanced Linux Policy for the mailman_queue processes
It would certainly be possible to break that by assigning the wrong
SELinux labels to the mailman files, perhaps by installing from the
unpackaged source. Fixing that sort of error is probably simple, but it
would depend on what specifically was done. A simple 'restorecon -Rv /'
will fix a lot of issues, but it isn't instantaneous and stomps on any
customization that hasn't been written into the persistent policy.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
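
Added example, not part of the message above: a dry-run preview that separates the mailman label fixes from the other labels a filesystem-wide 'restorecon -Rv /' would reset. The mailman directory names and the sample output lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Preview SELinux relabels before running restorecon for real.
# Parses `restorecon -n -v` output (both the RHEL7 and the newer wording).
# Paths containing spaces are not handled.

# Emit "path current_type expected_type" for every pending relabel on stdin.
parse_relabel() {
    awk '
    function emit(path, cur, want,   c, w) {
        split(cur, c, ":"); split(want, w, ":")   # user:role:type:level
        printf "%s %s %s\n", path, c[3], w[3]
    }
    # RHEL7 wording: restorecon reset PATH context OLD->NEW
    $1 == "restorecon" && $2 == "reset" && $4 == "context" {
        split($5, ctx, "->"); emit($3, ctx[1], ctx[2]); next
    }
    # Newer wording: Would relabel PATH from OLD to NEW
    $1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
        emit($3, $5, $7)
    }'
}

# Relabels that restore a mailman_* type: the fix being sought.
mailman_fixes() { parse_relabel | awk '$3 ~ /^mailman_/'; }

# Everything else: labels a filesystem-wide run would also reset, including
# customizations made with chcon and never recorded in the persistent policy.
collateral() { parse_relabel | awk '$3 !~ /^mailman_/'; }

# Constructed sample of dry-run output (not captured from a real host).
SAMPLE='restorecon reset /usr/lib/mailman/cgi-bin/listinfo context unconfined_u:object_r:usr_t:s0->unconfined_u:object_r:mailman_cgi_exec_t:s0
Would relabel /var/lib/mailman/archives/private from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:mailman_archive_t:s0
Would relabel /srv/www/app from unconfined_u:object_r:httpd_sys_rw_content_t:s0 to unconfined_u:object_r:var_t:s0'

# On a real host (directory names are assumptions, adjust to the install):
#   restorecon -R -n -v /usr/lib/mailman /var/lib/mailman | mailman_fixes
#   restorecon -R -n -v / | collateral
# A label that should survive is recorded first, with placeholders filled in:
#   semanage fcontext -a -t TYPE 'PATH(/.*)?'
```

With -n nothing is changed on disk, so the preview can be repeated until the collateral list is empty or understood.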