On 11/23/2009 2:21 PM, John R. Dennison wrote:
> On Mon, Nov 23, 2009 at 01:59:40PM -0500, Robert Moskowitz wrote:
>>
>> It points you to:
>> http://howtoforge.net/virtual-users-domains-postfix-courier-mysql-squirrelmail-fedora-10
>>
>> Now granted this is for FC10, but I suspect it would be easy to fit into
>> Centos.
>
> Please, for the love of god and country, do not follow garbage
> like this. Under "1. Preliminary Note" is this text:
>
> "You should make sure that the firewall is off (at least for
> now) and that SELinux is disabled (this is important!)".
>
> Documents that advocate disabling SELinux should be tossed
> in a pile and set on fire. Documents that tell you to
> disable your firewall with no mention in the remaining
> portion of the document to reenable it post install or
> how to properly configure it should join the burn pile.
>

+1...

While SELinux can be a PITA at times, it's not going to go away anytime soon, so a smart sysadmin needs to learn to work with it rather than against it. HowTos that tell me to disable SELinux or a firewall are held at arm's length and never to be followed literally. (They might contain some useful commands or configuration options... maybe.)

(personal rant)

You can do a lot of SELinux workarounds with brute-force egrep'ing of the audit log combined with audit2allow. It's not the best way to do it. If you have mislabeled files that are labeled with a generic var_t label, and you grant processes access to those files with blind acceptance of what audit2allow says, you're also granting access to every other file that is labeled as var_t. (Better choice would be to properly label the files that didn't get labeled correctly.) But even a brute-force application of audit2allow is still a step up from disabling SELinux entirely.

(I have a love/hate relationship at times with SELinux. I need to spend another weekend reading up on it again and figuring out some of the things that I'm not sure about yet.)
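
An added example, not part of the original message: a triage pass over AVC denials that separates "target has a generic label, so relabel the file" from "target is specifically typed, so review a rule", which is the distinction the audit2allow caveat above turns on. The generic-type list, the function name `triage` and the sample audit records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Catch-all types that usually mean "never labelled properly" (assumed list).
GENERIC_TYPES = {"var_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
NAME_RE = re.compile(r'\bname="([^"]*)"')

def triage(lines):
    """Split AVC denials into (relabel, review) dicts keyed by (source, target, class)."""
    relabel, review = defaultdict(set), defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        # A context is user:role:type[:level]; the type is the third field.
        key = (m["scontext"].split(":")[2], m["tcontext"].split(":")[2], m["tclass"])
        if key[1] in GENERIC_TYPES:
            # An allow rule here would cover every object with this generic type.
            name = NAME_RE.search(line)
            relabel[key].add(name.group(1) if name else "?")
        else:
            review[key].update(m["perms"].split())
    return dict(relabel), dict(review)

# Constructed sample audit.log records (not taken from a real system).
SAMPLE = [
    'type=AVC msg=audit(1259004000.101:201): avc:  denied  { read } for  pid=2101 comm="imapd" name="vmail" dev=sda3 ino=4101 scontext=system_u:system_r:courier_pop_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=AVC msg=audit(1259004000.205:202): avc:  denied  { search } for  pid=2101 comm="imapd" name="cur" dev=sda3 ino=4102 scontext=system_u:system_r:courier_pop_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir',
    'type=AVC msg=audit(1259004011.330:203): avc:  denied  { name_connect } for  pid=2210 comm="smtpd" dest=3306 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1259004011.330:203): arch=40000003 syscall=102 success=no exit=-13',
]

if __name__ == "__main__":
    relabel, review = triage(SAMPLE)
    for (src, tgt, cls), names in sorted(relabel.items()):
        print(f"RELABEL {cls} {sorted(names)}: {src} denied on generic {tgt}")
    for (src, tgt, cls), perms in sorted(review.items()):
        print(f"REVIEW  allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
```

Entries in the relabel bucket are candidates for a proper file context (`semanage fcontext` followed by `restorecon`) rather than an allow rule; only the review bucket is worth feeding to audit2allow, and its output still needs reading before it is loaded.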