LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

"Helmke,Richard A" <[log in to unmask]>
Mon, 9 Jul 2018 13:47:35 +0000
An administrator of the local Listserv team, Joe Irons, researched our problems with SELinux and has developed some additional steps to handle our implementation of the archives area and the use of a symlink as a pointer to that space (/listserv-lists/archives).

Joe writes:

After following the L-Soft recommendations on SELinux we also needed to perform the following steps.

First, we found the following command helpful in more easily determining what was being blocked:

sealert -a /var/log/audit/audit.log > sealerts.txt

This will take a while to run but will then provide the process being blocked, the file it was attempting to access (although not the path), the last time it was blocked, and suggestions on what security context to set.

Our biggest issue was that we use a symlink to point to our listserv archives folder, and the normal SELinux commands do not take effect on symlinks. To change the security context of a symlink you need to add the -h flag to the chcon command. Below is an example of what we ran:

chcon -v -h --type=httpd_sys_content_t /listserv-archives

We also needed to make sure to write our security contexts to the SELinux config and then do a restorecon on the folders/files to make sure their context updated and carried over between reboots. Below are the two contexts we set.

semanage fcontext -a -t httpd_sys_rw_content_t "/listserv-lists/archives/upload(/.*)?"

This sets RW status for the uploads folder and all its contents.

semanage fcontext -a -t httpd_sys_content_t "/listserv-lists/archives(/.*)?"

This sets the status for the archives folder.

After making the above changes we then ran:

restorecon -v /listserv-lists/archives/*

This is what actually changed the context of the files after we set them in the SELinux config. One additional minor issue we saw was that the listserv update status on the main dashboard was unable to make an outgoing connection on port 80 to check for updates. The following commands cleared this up:

grep "name_connect.*comm=\"wa\" dest=80" /var/log/audit/audit.log | audit2allow -M wa

semodule -i wa.pp

The above assumes that the error has happened recently and is present in the audit.log file.
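An added worked example, not code from the post above or from L-Soft, that pulls the steps in Joe's message together as a POSIX shell script: (1) an offline summary of AVC denials from audit.log-format lines, which is the information sealert -a digs out of the log (process, denied permission, source and target types); (2) the labeling made persistent, including a rule for the symlink itself, with a verification step; (3) the audit2allow module for the port-80 update check, built so the generated policy is printed for review before anything is loaded. The paths /listserv-lists/archives and /listserv-archives are the ones from the post. The audit lines in the script are constructed samples, and the source type httpd_sys_script_t in them is an assumption about the domain wa runs in. The semanage -f l rule for the symlink and the recursive restorecon -R are choices made here, not what the post ran.

```shell
#!/bin/sh
# Added example (not from the LSTSRV-L post or from L-Soft).
# 1. avc_summary   : offline summary of AVC denials, the data `sealert -a` reports
# 2. label_archives: persistent labels for the archive tree and its symlink
# 3. allow_wa_http : audit2allow module for the port-80 update check, reviewed first
# Paths are the ones from the post; the audit lines below are constructed.

ARCHIVE_DIR=/listserv-lists/archives
ARCHIVE_LINK=/listserv-archives   # symlink that points at $ARCHIVE_DIR

# Constructed audit.log lines.  The source type httpd_sys_script_t is an
# assumption about the domain wa runs in; real lines will show the real one.
SAMPLE_AUDIT='type=AVC msg=audit(1531144055.101:401): avc:  denied  { read } for  pid=2201 comm="wa" name="LSTSRV-L.LOG1807" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531144055.102:402): avc:  denied  { read } for  pid=2201 comm="wa" name="LSTSRV-L.LOG1806" dev="dm-0" ino=132 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1531144090.550:410): avc:  denied  { name_connect } for  pid=2207 comm="wa" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1531144090.550:410): arch=c000003e syscall=42 success=no exit=-13'

# One line per (process, permission, class, source type, target type), with a
# count, from audit.log lines on stdin.  The target type tells you which
# fcontext rule is missing (default_t on an archive file means no rule matched
# it); process and permission tell you whether a boolean or a local module is
# the right fix.
avc_summary() {
    awk '
    /^type=AVC/ {
        comm = perm = tclass = stype = ttype = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "tclass")   tclass = kv[2]
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        # the permission list sits between "denied  {" and "}"
        if (match($0, /denied  [{] [^}]* [}]/))
            perm = substr($0, RSTART + 10, RLENGTH - 12)
        count[comm " " perm " " tclass " " stype " " ttype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# Run the summary over the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
}

# semanage fcontext -a fails if the rule already exists; fall back to -m so
# label_archives can be re-run safely.
fc_rule() {
    semanage fcontext -a "$@" 2>/dev/null || semanage fcontext -m "$@"
}

label_archives() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not installed" >&2; return 1; }
    fc_rule -t httpd_sys_content_t    "${ARCHIVE_DIR}(/.*)?"          # read-only tree
    fc_rule -t httpd_sys_rw_content_t "${ARCHIVE_DIR}/upload(/.*)?"   # writable uploads
    # -f l records a rule for the symlink itself, so the label the post set
    # with chcon -h is re-applied on any relabel instead of being lost.
    fc_rule -f l -t httpd_sys_content_t "$ARCHIVE_LINK"
    # -R walks the whole tree (a shell glob only touches the top level);
    # restorecon labels a symlink itself and does not follow it.
    restorecon -Rv "$ARCHIVE_DIR" "$ARCHIVE_LINK"
    # Check: the link and the directories must show the types set above.
    ls -dZ "$ARCHIVE_DIR" "$ARCHIVE_DIR/upload" "$ARCHIVE_LINK"
}

# Build, but do not load, a local module from the recorded port-80 denials of
# wa.  ausearch reads the audit logs auditd manages and filters by process
# name; the generated .te is printed so it can be reviewed before semodule -i.
allow_wa_http() {
    ausearch -m AVC -c wa --raw 2>/dev/null \
        | grep 'name_connect.*dest=80' \
        | audit2allow -M wa_http
    cat wa_http.te                 # review this first
    echo "load with: semodule -i wa_http.pp"
}

demo_summary
```

Only avc_summary runs without SELinux tooling; label_archives and allow_wa_http need root on the LISTSERV host. If the denial's scontext is an httpd domain, check getsebool httpd_can_network_connect before loading a custom module: that boolean exists for outbound connections from httpd and is preferable to a local module where it covers the case. Whatever audit2allow writes into wa_http.te is exactly the set of denials it saw, no more and no less, which is why the script prints it instead of loading it.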


From: LISTSERV Site Administrators' Forum <[log in to unmask]> On Behalf Of Kaminsky,Matthew
Sent: Monday, July 2, 2018 6:54 AM
To: [log in to unmask]
Subject: Re: Using SELINUX with LISTSERV on RHEL 7

We're using it here also. If I remember what we did, give the web process permission to go read your notebook files. I did not set this up myself but in conjunction with the box's admin so I don't know the full details, but that was the last major stumbling block once SELinux was enforced.

From: LISTSERV Site Administrators' Forum <[log in to unmask]> On Behalf Of Helmke,Richard A
Sent: Friday, June 29, 2018 9:16 AM
To: [log in to unmask]
Subject: Using SELINUX with LISTSERV on RHEL 7


I recently migrated a LISTSERV 16.0 system to a new host running RHEL 7.5 (Oracle Linux 7.5) and LISTSERV 16.5. Everything seems to be functioning normally, but SELINUX was turned off.

Now that the migration is complete, we would like to turn SELINUX on. We started by running with SELINUX in 'permissive' mode for several weeks and then followed the steps outlined in the whitepaper "Using LISTSERV with Security-Enhanced Linux (SELinux)". Many things work, like receiving messages, posting and archiving, and distribution. Some do not -- like being able to use the web interface to read some archived messages. We have run the steps in the whitepaper several times over several days to 'update' the SELINUX rules without any noticeable change in behavior.

I know the simple answer is "just don't run SELINUX". However, I would like to take advantage of the extra layer of security. If you are running SELINUX in 'enforcing' mode on RHEL 7.x, did you have to make any changes to the steps outlined in the whitepaper?

Rich Helmke

________________________________

To unsubscribe from the LSTSRV-L list, click the following link:
http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=LSTSRV-L&A=1