Commit 4c305895e0fe3c8c29f2bbf349c83b03bdab093e

Authored by Antonio Terceiro
1 parent be380d4f
Exists in master and in 90 other branches 3.x, add_sisp_to_chef, add_super_archives_plugin, api_for_colab, automates_core_packing, backup, backup_not_prod, cdtc_configuration, changes_in_buttons_on_content_panel, colab_automated_login, colab_spb_plugin_recipe, colab_widgets_settings, design_validation, dev-lappis, dev_env_minimal, disable_email_dev, docs, fix_breadcrumbs_position, fix_categories_software_link, fix_edit_institution, fix_edit_software_with_another_license, fix_get_license_info, fix_gitlab_assets_permission, fix_list_style_inside_article, fix_list_style_on_folder_elements, fix_members_pagination, fix_merge_request_url, fix_models_translations, fix_no_license, fix_software_api, fix_software_block_migration, fix_software_communities_translations, fix_software_communities_unit_test, fix_style_create_institution_admin_panel, fix_superarchives_imports, fix_sym_links_noosfero, focus_search_field_theme, gov-user-refactoring, gov-user-refactoring-rails4, header_fix, institution_modal_on_rating, kalibro-conf-refactoring, kalibro-processor-package, lxc_settings, margin_fix, mezuro_cookbook, performance, prezento, r3, refactor_download_block, refactor_software_communities, refactor_software_for_sisp, register_page, release-process, release-process-v2, remove-unused-images, remove_backup_emails, remove_broken_theme, remove_secondary_email_from_user, remove_sisp_buttons, removing_super_archives_email, review_message, scope2method, signals_user_noosfero, sisp_catalog_header, sisp_colab_config, sisp_dev, sisp_dev_master, sisp_simple_version, software_as_organization, software_catalog_style_fix, software_communities_html_refactor, software_infos_api, spb_minimal_env, spb_to_rails4, spec_refactor, stable-4.1, stable-4.2, stable-4.x, stable-devel, support_docs, syslog, temp_soft_comm_refactoring, theme_header, theme_javascript_refactory, thread_dropdown, thread_page, update_search_by_categories, update_software_api, update_softwares_boxes

Adjust setup to SELinux targeted policy

With this, all tests pass locally. Without it, some tests fail, in particular:

- most reverse proxy connections are denied by default. Fixed with
  `setsebool httpd_can_network_connect 1`
- nginx couldn't connect to the mailman fcgiwrap socket
- postfix couldn't run postfix-to-mailman-centos.py because it was
  previously under /etc
- postfix-to-mailman.py couldn't write to the mailman data directories
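The two `.te` modules in this commit have the shape of `audit2allow` output (one `allow` rule per source domain, target type and object class, plus a `require` block). The following is an added example, not part of the commit or of the cookbook, showing how such a module is derived from AVC denial records and why a reviewer should look at the target types before loading it. The AVC lines are constructed to mirror the denials the commit message describes; they are not copied from a real audit.log, and the `spb_test` module name is a placeholder.

```python
"""Minimal audit2allow-style generator plus a review check for over-broad rules.

Added example; constructed input, not a real audit.log.
"""
import re
from collections import defaultdict

# Constructed sample AVC records: nginx (httpd_t) reaching the fcgiwrap socket, and
# the Postfix pipe process (postfix_pipe_t) touching Mailman's data directory.
SAMPLE_AVC = """\
type=AVC msg=audit(1428000000.123:456): avc:  denied  { connectto } for  pid=1234 comm="nginx" path="/var/run/fcgiwrap.socket" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1428000000.123:457): avc:  denied  { write } for  pid=1234 comm="nginx" name="fcgiwrap.socket" dev="tmpfs" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428000001.000:458): avc:  denied  { search } for  pid=2345 comm="python" name="lists" dev="dm-0" ino=2 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1428000001.000:459): avc:  denied  { write add_name } for  pid=2345 comm="python" name="lists" dev="dm-0" ino=2 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1428000001.000:460): avc:  denied  { create } for  pid=2345 comm="python" name="x.lock" scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=file
type=SYSCALL msg=audit(1428000001.000:460): arch=c000003e syscall=2 success=no exit=-13
"""

# A context is user:role:type[:level]; we only need the type (third field).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<sdomain>[^:\s]+)"
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\w+)"
)

# Generic or high-trust target types: a denial against these usually means the
# object is mislabelled or the peer runs unconfined, not that a rule is missing.
GENERIC_TYPES = {"var_run_t", "var_t", "etc_t", "usr_t", "bin_t", "initrc_t", "unconfined_t"}


def parse_avc(text):
    """Yield (source_domain, target_type, tclass, perms) per AVC line; other records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m.group("sdomain"), m.group("ttype"), m.group("tclass"),
                   set(m.group("perms").split()))


def fmt_perms(perms):
    """Render permissions the way .te files do: a bare word, or { a b c }."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(name, version, avc_text):
    """Collapse denials into one allow rule per (source, target, class) and emit a
    complete .te module with the require block that checkmodule needs."""
    rules = defaultdict(set)
    for sdomain, ttype, tclass, perms in parse_avc(avc_text):
        rules[(sdomain, ttype, tclass)] |= perms
    if not rules:
        raise ValueError("no AVC denials found")
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    by_domain = defaultdict(list)
    for (sdomain, ttype, tclass), perms in sorted(rules.items()):
        by_domain[sdomain].append(f"allow {sdomain} {ttype}:{tclass} {fmt_perms(perms)};")
    for sdomain, lines in sorted(by_domain.items()):
        out.append(f"#============= {sdomain} ==============")
        out.extend(lines)
        out.append("")
    return "\n".join(out)


def broad_rules(module_text):
    """Return the allow rules whose target is a generic type; those deserve a
    relabel (semanage fcontext) or a dedicated domain rather than an allow."""
    found = []
    for line in module_text.splitlines():
        m = re.match(r"allow \S+ (\S+):", line)
        if m and m.group(1) in GENERIC_TYPES:
            found.append(line)
    return found


if __name__ == "__main__":
    module = build_module("spb_test", "1.0", SAMPLE_AVC)
    print(module)
    for rule in broad_rules(module):
        print("REVIEW: over-broad target type in:", rule)
```

The generated text is what `checkmodule -M -m` accepts, so it can be fed straight to a script like the commit's `selinux-install-module`; the point of `broad_rules` is that the two `httpd_t` rules it flags here are exactly the kind a reviewer should question before loading, since `var_run_t` and `initrc_t` are not specific to the fcgiwrap socket.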
cookbooks/basics/files/default/selinux-install-module 0 → 100644
... ... @@ -0,0 +1,24 @@
  1 +#!/bin/sh
  2 +
  3 +# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
  4 +
  5 +set -e
  6 +
  7 +if [ $# -ne 1 ]; then
  8 + echo "usage: $0 MODULE.te"
  9 + exit 1
  10 +fi
  11 +
  12 +input="$1"
  13 +
  14 +directory=$(dirname "$input")
  15 +
  16 +cd $directory
  17 +
  18 +module=$(basename --suffix=.te "$input")
  19 +
  20 +rm -f ${module}.mod ${module}.pp
  21 +
  22 +checkmodule -M -m -o ${module}.mod ${module}.te
  23 +semodule_package -o ${module}.pp -m ${module}.mod
  24 +semodule -i ${module}.pp
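Review bot: `cd $directory`, `rm -f ${module}.mod ${module}.pp` and the `checkmodule`/`semodule_package`/`semodule` lines all leave the path unquoted, so a module path containing whitespace splits into several arguments and `set -e` only catches the failure after a wrong `cd`; quote them (`cd "$directory"`, `"${module}.te"`, `"${module}.pp"`) and add a `[ -f "$input" ] || { echo "no such file: $input" >&2; exit 1; }` check before the `cd`. `basename --suffix=.te` is a GNU coreutils long option, which is fine on CentOS, but `basename "$input" .te` is the portable spelling and reads the same.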
... ...
cookbooks/basics/recipes/default.rb
... ... @@ -11,6 +11,18 @@ cookbook_file '/etc/selinux/config' do
11 11 mode 0644
12 12 end
13 13 execute 'setenforce Enforcing'
  14 +execute 'setsebool httpd_can_network_connect 1'
  15 +# directory for local type enforcements
  16 +directory '/etc/selinux/local' do
  17 + owner 'root'
  18 + group 'root'
  19 + mode '0755'
  20 +end
  21 +cookbook_file '/usr/local/bin/selinux-install-module' do
  22 + owner 'root'
  23 + group 'root'
  24 + mode '0755'
  25 +end
14 26  
15 27 package 'vim'
16 28 package 'bash-completion'
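Review bot: `execute 'setsebool httpd_can_network_connect 1'` runs on every chef-client run and, without `-P`, is not persistent, so the boolean reverts to off at the next reboot and reverse proxying breaks until Chef converges again; use `setsebool -P httpd_can_network_connect 1` with `not_if 'getsebool httpd_can_network_connect | grep -q on'`. The boolean is also wider than the reverse-proxy case in the commit message needs, since it lets httpd_t open TCP connections to any port; `httpd_can_network_relay`, which covers proxying to the usual HTTP/cache ports, is the least-privilege option to try first.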
... ...
cookbooks/mailman/files/centos/master.cf 0 → 100644
... ... @@ -0,0 +1,128 @@
  1 +# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
  2 +#
  3 +# Postfix master process configuration file. For details on the format
  4 +# of the file, see the master(5) manual page (command: "man 5 master").
  5 +#
  6 +# Do not forget to execute "postfix reload" after editing this file.
  7 +#
  8 +# ==========================================================================
  9 +# service type private unpriv chroot wakeup maxproc command + args
  10 +# (yes) (yes) (yes) (never) (100)
  11 +# ==========================================================================
  12 +smtp inet n - n - - smtpd
  13 +#smtp inet n - n - 1 postscreen
  14 +#smtpd pass - - n - - smtpd
  15 +#dnsblog unix - - n - 0 dnsblog
  16 +#tlsproxy unix - - n - 0 tlsproxy
  17 +#submission inet n - n - - smtpd
  18 +# -o syslog_name=postfix/submission
  19 +# -o smtpd_tls_security_level=encrypt
  20 +# -o smtpd_sasl_auth_enable=yes
  21 +# -o smtpd_reject_unlisted_recipient=no
  22 +# -o smtpd_client_restrictions=$mua_client_restrictions
  23 +# -o smtpd_helo_restrictions=$mua_helo_restrictions
  24 +# -o smtpd_sender_restrictions=$mua_sender_restrictions
  25 +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  26 +# -o milter_macro_daemon_name=ORIGINATING
  27 +#smtps inet n - n - - smtpd
  28 +# -o syslog_name=postfix/smtps
  29 +# -o smtpd_tls_wrappermode=yes
  30 +# -o smtpd_sasl_auth_enable=yes
  31 +# -o smtpd_reject_unlisted_recipient=no
  32 +# -o smtpd_client_restrictions=$mua_client_restrictions
  33 +# -o smtpd_helo_restrictions=$mua_helo_restrictions
  34 +# -o smtpd_sender_restrictions=$mua_sender_restrictions
  35 +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  36 +# -o milter_macro_daemon_name=ORIGINATING
  37 +#628 inet n - n - - qmqpd
  38 +pickup unix n - n 60 1 pickup
  39 +cleanup unix n - n - 0 cleanup
  40 +qmgr unix n - n 300 1 qmgr
  41 +#qmgr unix n - n 300 1 oqmgr
  42 +tlsmgr unix - - n 1000? 1 tlsmgr
  43 +rewrite unix - - n - - trivial-rewrite
  44 +bounce unix - - n - 0 bounce
  45 +defer unix - - n - 0 bounce
  46 +trace unix - - n - 0 bounce
  47 +verify unix - - n - 1 verify
  48 +flush unix n - n 1000? 0 flush
  49 +proxymap unix - - n - - proxymap
  50 +proxywrite unix - - n - 1 proxymap
  51 +smtp unix - - n - - smtp
  52 +relay unix - - n - - smtp
  53 +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
  54 +showq unix n - n - - showq
  55 +error unix - - n - - error
  56 +retry unix - - n - - error
  57 +discard unix - - n - - discard
  58 +local unix - n n - - local
  59 +virtual unix - n n - - virtual
  60 +lmtp unix - - n - - lmtp
  61 +anvil unix - - n - 1 anvil
  62 +scache unix - - n - 1 scache
  63 +#
  64 +# ====================================================================
  65 +# Interfaces to non-Postfix software. Be sure to examine the manual
  66 +# pages of the non-Postfix software to find out what options it wants.
  67 +#
  68 +# Many of the following services use the Postfix pipe(8) delivery
  69 +# agent. See the pipe(8) man page for information about ${recipient}
  70 +# and other message envelope options.
  71 +# ====================================================================
  72 +#
  73 +# maildrop. See the Postfix MAILDROP_README file for details.
  74 +# Also specify in main.cf: maildrop_destination_recipient_limit=1
  75 +#
  76 +#maildrop unix - n n - - pipe
  77 +# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
  78 +#
  79 +# ====================================================================
  80 +#
  81 +# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
  82 +#
  83 +# Specify in cyrus.conf:
  84 +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
  85 +#
  86 +# Specify in main.cf one or more of the following:
  87 +# mailbox_transport = lmtp:inet:localhost
  88 +# virtual_transport = lmtp:inet:localhost
  89 +#
  90 +# ====================================================================
  91 +#
  92 +# Cyrus 2.1.5 (Amos Gouaux)
  93 +# Also specify in main.cf: cyrus_destination_recipient_limit=1
  94 +#
  95 +#cyrus unix - n n - - pipe
  96 +# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
  97 +#
  98 +# ====================================================================
  99 +#
  100 +# Old example of delivery via Cyrus.
  101 +#
  102 +#old-cyrus unix - n n - - pipe
  103 +# flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
  104 +#
  105 +# ====================================================================
  106 +#
  107 +# See the Postfix UUCP_README file for configuration details.
  108 +#
  109 +#uucp unix - n n - - pipe
  110 +# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
  111 +#
  112 +# ====================================================================
  113 +#
  114 +# Other external delivery methods.
  115 +#
  116 +#ifmail unix - n n - - pipe
  117 +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
  118 +#
  119 +#bsmtp unix - n n - - pipe
  120 +# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
  121 +#
  122 +#scalemail-backend unix - n n - 2 pipe
  123 +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
  124 +# ${nexthop} ${user} ${extension}
  125 +#
  126 +mailman unix - n n - - pipe
  127 + flags=FR user=mailman:mailman argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  128 + ${nexthop} ${user}
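Review bot: the `mailman` pipe entry at the end hands `${user}` to the script, and the script's own INSTALLATION comment (postfix-to-mailman.py, lines 44-47) requires `mailman_destination_recipient_limit = 1` in main.cf for that to be called once per recipient; that setting is not in this commit, so confirm the main.cf the cookbook ships has it. Replacing the whole master.cf with a copy of the stock CentOS file also means future package updates to master.cf will be silently overridden by Chef; that trade-off (versus the previous append-only `ruby_block`) is worth a sentence in the cookbook's README.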
... ...
cookbooks/mailman/files/centos/postfix-to-mailman-centos.py
... ... @@ -1,133 +0,0 @@
1   -#! /usr/bin/env python
2   -
3   -# Configuration variables - Change these for your site if necessary.
4   -MailmanHome = "/var/lib/mailman"; # Mailman home directory.
5   -MailmanOwner = "postmaster@example.com"; # Postmaster and abuse mail recipient.
6   -MailmanScripts = "/usr/lib/mailman"; # Where mailman scripts reside
7   -
8   -# End of configuration variables.
9   -
10   -# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
11   -#
12   -# Interface mailman to a postfix with a mailman transport. Does not require
13   -# the creation of _any_ aliases to connect lists to your mail system.
14   -#
15   -# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
16   -# coverted from qmail to postfix interface
17   -# Jan 2003: Fixes for Mailman 2.1
18   -# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
19   -# Feb 2003: Change the suggested postfix transport to support VERP
20   -# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
21   -#
22   -# This script was originally qmail-to-mailman.py by:
23   -# Bruce Perens, bruce@perens.com, March 1999.
24   -# This is free software under the GNU General Public License.
25   -#
26   -# This script is meant to be called from ~mailman/postfix-to-mailman.py.
27   -# It catches all mail to a virtual domain, eg "lists.example.com".
28   -# It looks at the recipient for each mail message and decides if the mail is
29   -# addressed to a valid list or not, and bounces the message with a helpful
30   -# suggestion if it's not addressed to a list. It decides if it is a posting,
31   -# a list command, or mail to the list administrator, by checking for the
32   -# -admin, -owner, and -request addresses. It will recognize a list as soon
33   -# as the list is created, there is no need to add _any_ aliases for any list.
34   -# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
35   -# and owner, and routes those mails to MailmanOwner as defined in the
36   -# configuration variables, above.
37   -#
38   -# INSTALLATION:
39   -#
40   -# Install this file as ~mailman/postfix-to-mailman.py
41   -#
42   -# To configure a virtual domain to connect to mailman, edit Postfix thusly:
43   -#
44   -# /etc/postfix/main.cf:
45   -# relay_domains = ... lists.example.com
46   -# transport_maps = hash:/etc/postfix/transport
47   -# mailman_destination_recipient_limit = 1
48   -#
49   -# /etc/postfix/transport:
50   -# lists.example.com mailman:
51   -#
52   -# /etc/postfix/master.cf
53   -# mailman unix - n n - - pipe
54   -# flags=FR user=mailman:mailman
55   -# argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
56   -#
57   -#
58   -# Replace list.example.com above with the name of the domain to be connected
59   -# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
60   -# don't want to put the name of your main domain here. Typically a virtual
61   -# domain lists.domain.com is used for Mailman, and domain.com for regular
62   -# email.
63   -#
64   -
65   -import sys, os, re, string
66   -
67   -def main():
68   - os.nice(5) # Handle mailing lists at non-interactive priority.
69   - # delete this if you wish
70   -
71   - os.chdir(MailmanHome + "/lists")
72   -
73   - try:
74   - local = sys.argv[2]
75   - except:
76   - # This might happen if we're not using Postfix
77   - sys.stderr.write("LOCAL not set?\n")
78   - sys.exit(1)
79   -
80   - local = string.lower(local)
81   - local = re.sub("^mailman-","",local)
82   -
83   - names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner",
84   - "abuse")
85   - for i in names:
86   - if i == local:
87   - os.execv("/usr/sbin/sendmail",
88   - ("/usr/sbin/sendmail", MailmanOwner))
89   - sys.exit(0)
90   -
91   - type = "post"
92   - types = (("-admin$", "admin"),
93   - ("-owner$", "owner"),
94   - ("-request$", "request"),
95   - ("-bounces$", "bounces"),
96   - ("-confirm$", "confirm"),
97   - ("-join$", "join"),
98   - ("-leave$", "leave"),
99   - ("-subscribe$", "subscribe"),
100   - ("-unsubscribe$", "unsubscribe"))
101   -
102   - for i in types:
103   - if re.search(i[0],local):
104   - type = i[1]
105   - local = re.sub(i[0],"",local)
106   -
107   - if os.path.exists(local):
108   - os.execv(MailmanScripts + "/mail/mailman",
109   - (MailmanScripts + "/mail/mailman", type, local))
110   - else:
111   - bounce()
112   - sys.exit(75)
113   -
114   -def bounce():
115   - bounce_message = """\
116   -TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
117   -http://%s/
118   -That web page will help you subscribe or unsubscribe, and will
119   -give you directions on how to post to each mailing list.\n"""
120   - sys.stderr.write(bounce_message % (sys.argv[1]))
121   - sys.exit(1)
122   -
123   -try:
124   - sys.exit(main())
125   -except SystemExit, argument:
126   - sys.exit(argument)
127   -
128   -except Exception, argument:
129   - info = sys.exc_info()
130   - trace = info[2]
131   - sys.stderr.write("%s %s\n" % (sys.exc_type, argument))
132   - sys.stderr.write("Line %d\n" % (trace.tb_lineno))
133   - sys.exit(75) # Soft failure, try again later.
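Review bot: this removal is byte-for-byte the file added below at cookbooks/mailman/files/centos/postfix-to-mailman.py, so it is a rename rather than a rewrite; committing it as `git mv` (or with rename detection enabled) keeps the file's history attached to the new path. Nothing else to flag in the deletion itself.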
cookbooks/mailman/files/centos/postfix-to-mailman.py 0 → 100755
... ... @@ -0,0 +1,133 @@
  1 +#! /usr/bin/env python
  2 +
  3 +# Configuration variables - Change these for your site if necessary.
  4 +MailmanHome = "/var/lib/mailman"; # Mailman home directory.
  5 +MailmanOwner = "postmaster@example.com"; # Postmaster and abuse mail recipient.
  6 +MailmanScripts = "/usr/lib/mailman"; # Where mailman scripts reside
  7 +
  8 +# End of configuration variables.
  9 +
  10 +# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
  11 +#
  12 +# Interface mailman to a postfix with a mailman transport. Does not require
  13 +# the creation of _any_ aliases to connect lists to your mail system.
  14 +#
  15 +# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
  16 +# coverted from qmail to postfix interface
  17 +# Jan 2003: Fixes for Mailman 2.1
  18 +# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
  19 +# Feb 2003: Change the suggested postfix transport to support VERP
  20 +# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
  21 +#
  22 +# This script was originally qmail-to-mailman.py by:
  23 +# Bruce Perens, bruce@perens.com, March 1999.
  24 +# This is free software under the GNU General Public License.
  25 +#
  26 +# This script is meant to be called from ~mailman/postfix-to-mailman.py.
  27 +# It catches all mail to a virtual domain, eg "lists.example.com".
  28 +# It looks at the recipient for each mail message and decides if the mail is
  29 +# addressed to a valid list or not, and bounces the message with a helpful
  30 +# suggestion if it's not addressed to a list. It decides if it is a posting,
  31 +# a list command, or mail to the list administrator, by checking for the
  32 +# -admin, -owner, and -request addresses. It will recognize a list as soon
  33 +# as the list is created, there is no need to add _any_ aliases for any list.
  34 +# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
  35 +# and owner, and routes those mails to MailmanOwner as defined in the
  36 +# configuration variables, above.
  37 +#
  38 +# INSTALLATION:
  39 +#
  40 +# Install this file as ~mailman/postfix-to-mailman.py
  41 +#
  42 +# To configure a virtual domain to connect to mailman, edit Postfix thusly:
  43 +#
  44 +# /etc/postfix/main.cf:
  45 +# relay_domains = ... lists.example.com
  46 +# transport_maps = hash:/etc/postfix/transport
  47 +# mailman_destination_recipient_limit = 1
  48 +#
  49 +# /etc/postfix/transport:
  50 +# lists.example.com mailman:
  51 +#
  52 +# /etc/postfix/master.cf
  53 +# mailman unix - n n - - pipe
  54 +# flags=FR user=mailman:mailman
  55 +# argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
  56 +#
  57 +#
  58 +# Replace list.example.com above with the name of the domain to be connected
  59 +# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
  60 +# don't want to put the name of your main domain here. Typically a virtual
  61 +# domain lists.domain.com is used for Mailman, and domain.com for regular
  62 +# email.
  63 +#
  64 +
  65 +import sys, os, re, string
  66 +
  67 +def main():
  68 + os.nice(5) # Handle mailing lists at non-interactive priority.
  69 + # delete this if you wish
  70 +
  71 + os.chdir(MailmanHome + "/lists")
  72 +
  73 + try:
  74 + local = sys.argv[2]
  75 + except:
  76 + # This might happen if we're not using Postfix
  77 + sys.stderr.write("LOCAL not set?\n")
  78 + sys.exit(1)
  79 +
  80 + local = string.lower(local)
  81 + local = re.sub("^mailman-","",local)
  82 +
  83 + names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner",
  84 + "abuse")
  85 + for i in names:
  86 + if i == local:
  87 + os.execv("/usr/sbin/sendmail",
  88 + ("/usr/sbin/sendmail", MailmanOwner))
  89 + sys.exit(0)
  90 +
  91 + type = "post"
  92 + types = (("-admin$", "admin"),
  93 + ("-owner$", "owner"),
  94 + ("-request$", "request"),
  95 + ("-bounces$", "bounces"),
  96 + ("-confirm$", "confirm"),
  97 + ("-join$", "join"),
  98 + ("-leave$", "leave"),
  99 + ("-subscribe$", "subscribe"),
  100 + ("-unsubscribe$", "unsubscribe"))
  101 +
  102 + for i in types:
  103 + if re.search(i[0],local):
  104 + type = i[1]
  105 + local = re.sub(i[0],"",local)
  106 +
  107 + if os.path.exists(local):
  108 + os.execv(MailmanScripts + "/mail/mailman",
  109 + (MailmanScripts + "/mail/mailman", type, local))
  110 + else:
  111 + bounce()
  112 + sys.exit(75)
  113 +
  114 +def bounce():
  115 + bounce_message = """\
  116 +TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
  117 +http://%s/
  118 +That web page will help you subscribe or unsubscribe, and will
  119 +give you directions on how to post to each mailing list.\n"""
  120 + sys.stderr.write(bounce_message % (sys.argv[1]))
  121 + sys.exit(1)
  122 +
  123 +try:
  124 + sys.exit(main())
  125 +except SystemExit, argument:
  126 + sys.exit(argument)
  127 +
  128 +except Exception, argument:
  129 + info = sys.exc_info()
  130 + trace = info[2]
  131 + sys.stderr.write("%s %s\n" % (sys.exc_type, argument))
  132 + sys.stderr.write("Line %d\n" % (trace.tb_lineno))
  133 + sys.exit(75) # Soft failure, try again later.
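Review bot: `MailmanOwner = "postmaster@example.com"` (line 5) is a placeholder that `cookbook_file` now ships verbatim to production, so mail to root, postmaster, abuse and the other names on the lists domain is redirected to example.com's postmaster; make this a `template` fed from node attributes (the webui recipe already reads `node['config']['lists_hostname']`). The INSTALLATION comment (line 55) still shows `argv=/var/mailman/postfix-to-mailman.py`, which no longer matches the master.cf path `/usr/lib/mailman/bin/postfix-to-mailman.py`. Also note that `os.path.exists(local)` (line 107) is evaluated after `os.chdir(MailmanHome + "/lists")` with `local` taken from the recipient local part after only lowercasing and suffix stripping, so any path-like local part is tested against the filesystem as is; a check such as `re.match(r'^[a-z0-9_.-]+$', local)` before the lookup keeps it inside the lists directory.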
... ...
cookbooks/mailman/files/centos/spb_mailman.te 0 → 100644
... ... @@ -0,0 +1,15 @@
  1 +# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
  2 +
  3 +module spb_mailman 1.0;
  4 +
  5 +require {
  6 + type var_run_t;
  7 + type httpd_t;
  8 + type initrc_t;
  9 + class sock_file write;
  10 + class unix_stream_socket connectto;
  11 +}
  12 +
  13 +#============= httpd_t ==============
  14 +allow httpd_t initrc_t:unix_stream_socket connectto;
  15 +allow httpd_t var_run_t:sock_file write;
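Review bot: `allow httpd_t initrc_t:unix_stream_socket connectto;` and `allow httpd_t var_run_t:sock_file write;` are wider than the stated goal (nginx to the fcgiwrap socket): the first lets httpd_t connect to any Unix socket held by an initrc_t process, the second lets it write any generically labelled socket file under /var/run. The root cause is that fcgiwrap started via spawn-fcgi stays in initrc_t because no domain exists for it. A narrower option to evaluate is labelling the socket file itself (e.g. `semanage fcontext -a -t httpd_var_run_t '/var/run/fcgiwrap\.socket'` followed by `restorecon`) so the sock_file rule disappears, and giving fcgiwrap its own domain so the connectto rule can name it instead of initrc_t. Either way, record the actual socket path in a comment so a later reader can see what the rule is for.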
... ...
cookbooks/mailman/files/centos/spb_postfix_mailman.te 0 → 100644
... ... @@ -0,0 +1,20 @@
  1 +# MANAGED WITH CHEF; DO NOT CHANGE BY HAND
  2 +
  3 +module spb_postfix_mailman 1.0;
  4 +
  5 +require {
  6 + type postfix_etc_t;
  7 + type mailman_log_t;
  8 + type postfix_pipe_t;
  9 + type mailman_data_t;
  10 + class dir { write remove_name getattr search add_name };
  11 + class file { rename execute read create write getattr open append };
  12 +}
  13 +
  14 +#============= postfix_pipe_t ==============
  15 +
  16 +allow postfix_pipe_t mailman_data_t:dir search;
  17 +allow postfix_pipe_t mailman_data_t:dir { write remove_name getattr add_name };
  18 +allow postfix_pipe_t mailman_data_t:file { rename write getattr read create open };
  19 +allow postfix_pipe_t mailman_log_t:file { read getattr open append };
  20 +allow postfix_pipe_t postfix_etc_t:file execute;
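Review bot: `allow postfix_pipe_t postfix_etc_t:file execute;` (last line) is now dead and over-broad: the commit moves postfix-to-mailman.py out of /etc/postfix precisely so Postfix no longer has to execute a postfix_etc_t file, yet this rule grants postfix_pipe_t execute on every file labelled postfix_etc_t, i.e. all of /etc/postfix. Drop it. The remaining rules give postfix_pipe_t direct write/create/rename on mailman_data_t and append on mailman_log_t, which are the permissions the Mailman mail domain normally has after the domain transition on /usr/lib/mailman/mail/mailman; seeing them on postfix_pipe_t suggests that transition is not happening (a mislabelled wrapper, for instance). Worth checking `ls -Z /usr/lib/mailman/mail/mailman` and the `comm=` field of the denials before baking the wider rules in.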
... ...
cookbooks/mailman/recipes/default.rb
... ... @@ -49,25 +49,29 @@ execute &#39;compile-postfix-transport&#39; do
49 49 action :nothing
50 50 end
51 51  
52   -cookbook_file '/etc/postfix/postfix-to-mailman-centos.py' do
  52 +# FIXME remove this after 2015-05-01
  53 +file '/etc/postfix/postfix-to-mailman-centos.py' do
  54 + action :delete
  55 +end
  56 +
  57 +cookbook_file '/usr/lib/mailman/bin/postfix-to-mailman.py' do
53 58 owner 'root'
54 59 group 'root'
55 60 mode 0755
56 61 end
57 62  
58   -ruby_block 'configure-mailman-transport' do
59   - block do
60   - lines = [
61   - 'mailman unix - n n - - pipe',
62   - ' flags=FR user=mailman:mailman',
63   - ' argv=/etc/postfix/postfix-to-mailman-centos.py ${nexthop} ${user}',
64   - ]
65   - File.open('/etc/postfix/master.cf', 'a') do |f|
66   - lines.each do |line|
67   - f.puts line
68   - end
69   - end
70   - end
71   - only_if { !system('grep', '^mailman', '/etc/postfix/master.cf')}
  63 +#######################################################################
  64 +# SELinux: allow Postfix pipe process to write to Mailman data
  65 +#######################################################################
  66 +cookbook_file '/etc/selinux/local/spb_postfix_mailman.te' do
  67 + notifies :run, 'execute[selinux-postfix-mailman]'
  68 +end
  69 +execute 'selinux-postfix-mailman' do
  70 + command 'selinux-install-module /etc/selinux/local/spb_postfix_mailman.te'
  71 + action :nothing
72 72 end
  73 +#######################################################################
73 74  
  75 +cookbook_file '/etc/postfix/master.cf' do
  76 + notifies :reload, 'service[postfix]'
  77 +end
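Review bot: `execute 'selinux-postfix-mailman'` calls `selinux-install-module` by bare name, which depends on `/usr/local/bin` being in the PATH chef-client inherited (not guaranteed under cron or a minimal service unit); use the full path `/usr/local/bin/selinux-install-module`. The `cookbook_file` resources for `/etc/selinux/local/spb_postfix_mailman.te` and `/etc/postfix/master.cf` omit owner/group/mode, unlike every other file resource in this recipe; add `owner 'root'`, `group 'root'`, `mode 0644`. `notifies :run` is delayed by default, so the policy module is loaded at the end of the run, after `service[postfix]` has already been reloaded with the new transport; `notifies :run, 'execute[selinux-postfix-mailman]', :immediately` closes that window. Finally, this recipe now depends on `basics` having installed `/usr/local/bin/selinux-install-module` and `/etc/selinux/local`; an `include_recipe 'basics'` or a run-list ordering note makes that explicit. The `file ... action :delete` with its dated FIXME is a reasonable migration step.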
... ...
cookbooks/mailman/recipes/webui.rb
... ... @@ -8,6 +8,18 @@ end
8 8 package 'fcgiwrap'
9 9 package 'spawn-fcgi'
10 10  
  11 +#######################################################################
  12 +# SELinux: allow nginx to connect to the fcgiwrap socket
  13 +#######################################################################
  14 +cookbook_file '/etc/selinux/local/spb_mailman.te' do
  15 + notifies :run, 'execute[selinux-mailman]'
  16 +end
  17 +execute 'selinux-mailman' do
  18 + command 'selinux-install-module /etc/selinux/local/spb_mailman.te'
  19 + action :nothing
  20 +end
  21 +#######################################################################
  22 +
11 23 hostname = node['config']['lists_hostname']
12 24 template "/etc/nginx/conf.d/#{hostname}.conf" do
13 25 source 'mailman.conf.erb'
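Review bot: the same two points as in the default recipe apply here: `selinux-install-module` is invoked without its full path, and `cookbook_file '/etc/selinux/local/spb_mailman.te'` has no owner/group/mode. In addition, the vhost template right below is what makes nginx talk to the fcgiwrap socket; if that template notifies nginx, the default delayed `notifies :run` means nginx picks up the vhost before `spb_mailman` is loaded and the first requests after a fresh converge hit the AVC denial the commit message describes. `notifies :run, 'execute[selinux-mailman]', :immediately` avoids that.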
... ...