Hi Manuel, Great links for selinux. Thank you very much. Will be reading up on those now. Perhaps you would like to contribute to the scripts to alter them slightly to better suit an selinux environment? "So far I have seen exactly 4 people who really needed and took advantage of the features brought in by the newer mysql versions. But hey, maybe you are number 5" Wanted to use SHA2 which required at least version 5.5 I'm now looking into redoing the scripts, mainly to try to support all the comments received so far, namely, selinux and different repositories. Hopefully if I get it right, I can then write some wiki documents. ps. love the comeback " And yet despite most monkeys are able to read the selinux instruction" haha, made my morning :) Kind regards, Christian Salway -----Original Message----- From: centos-docs-bounces at centos.org [mailto:centos-docs-bounces at centos.org] On Behalf Of Manuel Wolfshant Sent: 25 March 2013 11:44 To: Mail list for wiki articles Subject: Re: [CentOS-docs] Mail / Web server guides On 03/25/2013 12:41 PM, Christian Salway wrote: > Hi John, > > Thank you for your feedback. > > Firstly, "If such issues could possibly be resolved I feel these > scripts would be very beneficial to many users.", who better to help > out with that than you by the sounds of it. > > Anyway, although I would love a perfect system the way CentOS org > intended it, there are many reasons why I have done the scripts the way I have. > Mainly because there is not always the documentation out there to be > able to achieve the centos perfect result, or the packages available > in the 'preferred' repos are out-of-date, so people like me find the 'best' > solution they can. > > selinux > I'm all about security but there just isn't any good documentation for > managing selinux! If there was, SELINUX would still be enabled. I beg to differ. There is plenty of documentation but people still think and act as they did 10 years ago when selinux was introduced, For those who really want to do things properly, there exist: - http://wiki.centos.org/HowTos/SELinux - http://wiki.centos.org/TipsAndTricks/SelinuxBooleans - http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/ Not to mention the plethora of docs available from the selinux creators/maintainers themselves such as the posts written by Dan Walsh ( http://danwalsh.livejournal.com/ ) and Dominick Grift ( http://selinux-mac.blogspot.ro/ ) Unfortunately real life has proven that quite often people prefer to blame selinux and lack of docs as a cover-up for not allocating the time to read and learn. > For > instance, how to allow selinux to let pureftp and apache share the > same files, show me a simple guide on that! There are several booleans related to ftp and httpd and properly turning the required bits on would make everybody happy. getsebool -a | grep "ftp\|httpd" will let most users figure things out easily. The tools described in the first 2 above mentioned links will teach those who want to learn. Incidentally pureftp is the ftp server that I use, too. But the reasoning is pure laziness from my part, it's running on a system that was first installed in the RH 7.2 era and I was ( I still am ) too lazy to transfer my custom settings to vsftpd. But I assure you, selinux is on and always has been. It's also true that I keep selinux on ever since I started using it , back in the Fedora 3 era, even if at times I had to spent 30 min to create custom policies ( and this still happens when I add packages from 3rd party repos... munin is my latest "friend" from this point of view). > perl-File-Scan-ClamAV > I used http://wiki.apache.org/spamassassin/ClamAVPlugin to interact > ClamAV and spamassassin which mentions File::Scan::ClamAV but which > wasn't available in the repositories I had chosen, Do you mean that you did not find http://pkgs.org/centos-6-rhel-6/repoforge-i386/perl-File-Scan-ClamAV-1.91-1. el6.rf.noarch.rpm.html ? > so clicking on the link took me > to cpan, which I then found a way to automate the install off. I see > no reason why it wasn't a good way of doing it as you get the latest > version and it's only an add-on module to perl. For what it's worth, there are several applications - such as cpanspec, available as package from EPEL, too - which allow almost automatic creation of rpm packages from CPAN modules and take almost no time for the process. For most modules it takes longer to download from CPAN than to create a rpm. > phpmyadmin > What is so wrong about downloading the latest html files direct from > the developers website? Nothing is 'installed' into the system and > the repositories rarely have the latest version. Beside that fact the CentOS is a rpm-based distro and your suggestion administers it as if it was slackware ? Incidentally phpmyadmin is one of the best maintained packages , its Fedora maintainer is extremely active and responsive. Not to mention that he also offers help for his packages via IRC > You are basically asking the > CentOS uses to stay in the dark from new and improved versions of > software until you 'have the time' to add them to the repositories! It's quite the opposite. The repositories are places where the software lands after at least a bit of testing is done. What you suggest here is the gentoo approach, always hunt for the latest and shiniest. Which might or might not work, depending on the phase of the moon. > > UTC timezone > The timezone script was for simplicity with my setup only and can > obviously be removed. Although I'm sure a half-witted donkey can > figure out how to change it. And yet despite most monkeys are able to read the selinux instructions and rely on selinux to add an additional layer of security for the server, you recommend to turn it off instead of teaching how to adjust it to fit your bill. > > Remi over rpmforge > I tried to install mysql from rpmforge but it just wasn't happening. > Their mysql_libs are still old and thus causes a warning in phpmyadmin. Most people can and should rely on the mysql packages provided by the distribution itself. Or they can go with IUS if a newer mysql version is needed. So far I have seen exactly 4 people who really needed and took advantage of the features brought in by the newer mysql versions. But hey, maybe you are number 5... In this case please try to use the packages from IUS and provide feedback so more users can benefit from your experience. > Although CentOS may be a packaged managed system, most of the time the > packages in the repositories are way behind, http://wiki.centos.org/FAQ/General#head-472ce8446ebcfc82ca1800f775ba0e629ac8 35c7 was written exactly to explain the reasoning for this situation... > resulting in system > administrators like myself having to install versions with security > concerns, bugs ... and https://access.redhat.com/security/updates/backporting deals with this . > or unavailable useful features that is just simply ridiculous, all > because you want users to follow suit. If you want( or need ) to compile the shiniest latest apps and use them, you are more than welcome to do that but you have chosen the incorrect distribution. Suggesting everyone to follow your way which is exactly against the policy of the distribution is a bit irresponsible and should by no means be endorsed in the centos wiki. manuel, happy selinux user since 2004 _______________________________________________ CentOS-docs mailing list CentOS-docs at centos.org http://lists.centos.org/mailman/listinfo/centos-docs