Changing configuration of ispconfig user
With the current configuration there is always an error message from the selinux package when the system gets updated:
vmail homedir /var/vmail or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
getmail homedir /etc/getmail or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
ispconfig homedir /usr/local/ispconfig or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
ispapps homedir /var/www/apps or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.
I think it would be a good idea to change the login shell. (I am not aware that those users would need a shell.)
Even if in the current situation we are not able to use SELinux, it would already be a small step in making the servers more secure.
And another side note: All web* users are currently created with /bin/false. Maybe we can switch them to /sbin/nologin as well. (But I am not so sure about this.)
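
Added example (not part of the original post and not ISPConfig code): a dry-run audit that reads a passwd(5)-format file and reports the accounts named in the messages above, plus web* users, whose login shell is not /sbin/nologin. The function names and the sample passwd lines (UIDs, shells, the web1 home path) are constructed for illustration; on a real server pass /etc/passwd to audit_shells.

```shell
#!/bin/sh
# Added example, not ISPConfig code: report service accounts whose login shell
# is not /sbin/nologin and print the usermod command that would change it.

# Account names come from the genhomedircon messages in the post; web[0-9]*
# covers the per-site web users from the side note.
is_service_account() {
    case "$1" in
        vmail|getmail|ispconfig|ispapps) return 0 ;;
        web[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_shells FILE: FILE is in passwd(5) format (name:pw:uid:gid:gecos:home:shell).
# Prints one suggested command per finding; nothing is modified.
audit_shells() {
    while IFS=: read -r name _pw _uid _gid _gecos home shell; do
        [ -n "$name" ] || continue
        case "$name" in \#*) continue ;; esac
        is_service_account "$name" || continue
        # An empty shell field falls back to the system default shell,
        # so it is reported as well.
        [ "$shell" = "/sbin/nologin" ] && continue
        printf 'usermod -s /sbin/nologin %s  # was %s (home %s)\n' \
            "$name" "${shell:-<empty>}" "$home"
    done < "$1"
}

# Constructed sample input; real UIDs, shells and paths will differ.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
vmail:x:5000:5000::/var/vmail:/bin/sh
getmail:x:5001:5001::/etc/getmail:/bin/sh
ispconfig:x:5003:5004::/usr/local/ispconfig:/bin/sh
ispapps:x:5002:5003::/var/www/apps:/sbin/nologin
web1:x:5004:5005::/var/www/clients/client1/web1:/bin/false
EOF
}

# Dry run against the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
audit_shells "$tmp"
rm -f "$tmp"
```

web1 is reported because its shell is /bin/false rather than /sbin/nologin, which matches the side note; whether to change those users is the open question in the post.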