Ron White wrote:
> On Fri, 2010-04-30 at 03:39 -0400, W B Hacker wrote:
>> Ron White wrote:
>> *snip*
>>
>> This part should have a new thread of its own if it is to be pursued.
>>
>>> Moving on from that - today I turn my attention to Clamav and Exim and
>>> in particular SELinux on the Cent5 box. The installation was really easy
>>> but there are some issues with clam being able to access files in
>>> the /scan directory.
>>>
>>> This is a subject I know nothing about, but want to resist the
>>> temptation to do the de facto 'disable SELinux'. Luckily I have the
>>> weekend ahead to study and see if I can work it out. Wish me luck!
>>>
>> Not sure if it fits YOUR need, but we create a special group for our 'postal
>> workers' (Exim, ClamAV, SA, Dovecot, Prayer, et al), one OTHER THAN the
>> mail:mailnull or other legacy defaults.
>>
>> Group rights on the fs, and matching EUID:EGID in the DB keep all those players
>> *and no others* in the same ring-fence.
>>
>>
>> JM2CW
>>
>> Bill
>>
>>
> At the moment Bill that is mostly Chinese to me - I have some serious
> reading to do. I'll save this message in my notecase and hopefully it
> will be clear to me after I've had a look at 'the screwdrivers guide to
> SELinux' :-)
>
>
>
Last time *I* looked SELinux had been 'blessed' as a useful project and its
(better) security features adopted back into the mainstream (and not just of
Linux), after which I'm not sure it still justified a life of its own.
But - AFAIK - user and group rights still follow the Unix model, so common group
membership - with the appropriate mask - is an easy way to ensure a .. well .
guess one would call it a ...'group' ... of players can share their toys w/o
fighting. More importantly - despite different 'owners' who may or may not also
be members of the 'group'
man chown
man chmod
etc...
Bill
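
Added example, not part of Bill's message: a shell sketch of the shared-group arrangement described above (a setgid directory plus a 007 mask), with an audit that lists entries falling outside it. The function names are hypothetical, and the caller's own primary group stands in for a dedicated mail-workers group so the demo runs without root; SELinux labels are a separate layer that this does not touch.

```shell
#!/bin/sh
# Added illustration. Paths, file names and function names are constructed.

# make_shared_dir DIR GROUP
# rwx for owner and group, nothing for others; the setgid bit (2000) makes
# new entries inherit the directory's group regardless of who creates them.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# audit_shared_dir DIR GROUP
# Prints every entry that breaks the fence: wrong group, any permission bit
# for 'other', or a directory without setgid. Returns 0 if clean, 1 if not.
audit_shared_dir() {
    bad=$(find "$1" \( ! -group "$2" \
        -o -perm -004 -o -perm -002 -o -perm -001 \
        -o \( -type d ! -perm -2000 \) \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

demo() {
    work=$(mktemp -d) || return 1
    grp=$(id -g)    # assumption: stand-in for a dedicated shared group
    make_shared_dir "$work/scan" "$grp"

    # A daemon running with umask 007 writes 0660 files: inside the fence.
    ( umask 007; echo "constructed message" > "$work/scan/ok.eml" )
    # A daemon left on the common default umask 022 writes 0644: world-readable.
    ( umask 022; echo "constructed message" > "$work/scan/leaky.eml" )

    audit_shared_dir "$work/scan" "$grp" ||
        echo "audit: the entries listed above are outside the group fence"
    rm -rf "$work"
}

demo
```
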