On 11/23/2009 2:21 PM, John R. Dennison wrote:
> On Mon, Nov 23, 2009 at 01:59:40PM -0500, Robert Moskowitz wrote:
>> It points you to: http://howtoforge.net/virtual-users-domains-postfix-courier-mysql-squirrelma...
>> Now granted this is for FC10, but I suspect it would be easy to fit into CentOS.
> Please, for the love of god and country, do not follow garbage like this. Under "1. Preliminary Note" is this text:
> "You should make sure that the firewall is off (at least for now) and that SELinux is disabled (this is important!)".
> Documents that advocate disabling SELinux should be tossed in a pile and set on fire. Documents that tell you to disable your firewall with no mention in the remaining portion of the document to reenable it post install or how to properly configure it should join the burn pile.
+1... While SELinux can be a PITA at times, it's not going to go away anytime soon, so a smart sysadmin needs to learn to work with it rather than against it. HowTos that tell me to disable SELinux or a firewall are held at arm's length and never to be followed literally. (They might contain some useful commands or configuration options... maybe.)
(personal rant)
You can do a lot of SELinux workarounds with brute-force egrep'ing of the audit log combined with audit2allow. It's not the best way to do it. If you have mislabeled files that are labeled with a generic var_t label, and you grant processes access to those files with blind acceptance of what audit2allow says, you're also granting access to every other file that is labeled as var_t. (Better choice would be to properly label the files that didn't get labeled correctly.)
But even a brute-force application of audit2allow is still a step up from disabling SELinux entirely.
(I have a love/hate relationship at times with SELinux. I need to spend another weekend reading up on it again and figuring out some of the things that I'm not sure about yet.)
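
Added example, not part of the original post: a small triage pass over AVC denial lines that separates denials against generically labeled objects (candidates for relabeling) from the rest, before anything is handed to audit2allow. The sample log lines are constructed, and the set of "generic" types beyond var_t is an assumption to tune for the local policy.

```python
import re

# Assumption: types treated as "generic, probably mislabeled". var_t is the one
# named in the post; the others are added here and should be tuned per policy.
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # SELinux contexts are user:role:type[:level]; the type is field 3.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"perms": m.group("perms").split(), "comm": fields.get("comm", "?"),
            "object": fields.get("path") or fields.get("name", "?"),
            "source_type": src, "target_type": tgt,
            "tclass": fields.get("tclass", "?")}

def triage(lines):
    """Split denials into 'relabel' (generic target type) and 'review' (the rest)."""
    result = {"relabel": [], "review": []}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = "relabel" if rec["target_type"] in GENERIC_TYPES else "review"
        result[bucket].append(rec)
    return result

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE = [
    'type=AVC msg=audit(1258999180.101:41): avc:  denied  { read } for  pid=2101 comm="imapd" name="cur" dev=sda1 ino=4711 scontext=system_u:system_r:courier_pop_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=AVC msg=audit(1258999181.202:42): avc:  denied  { name_connect } for  pid=2200 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1258999181.202:42): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"',
]

if __name__ == "__main__":
    out = triage(SAMPLE)
    for r in out["relabel"]:
        print(f"fix label first: {r['comm']} -> {r['object']} ({r['target_type']}); check with matchpathcon, then restorecon")
    for r in out["review"]:
        print(f"review for policy: {r['source_type']} {r['perms']} {r['target_type']}:{r['tclass']}")
```

Only the "review" bucket is a reasonable input for audit2allow; entries in "relabel" point at files whose label should be corrected first.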