I found a bug in Webmin when using Webmin with SELinux in Permissive Mode. The author of Webmin asked me, in their bug tracker on SourceForge:

> Ok, thanks ... I see the problem. Webmin opens the log file
> /var/webmin/miniserv.error and connects STDERR to it, then runs other
> commands like iptables, which inherits the STDERR file descriptor.
> This is generally a good thing, as any error output from the iptables
> command will go to that log file.
>
> But with selinux enabled, this fails as iptables doesn't have the
> security context needed to write to that file.
> Is there a chcon option or other command that can allow a file to be
> written by any process? If so, I should update Webmin to run that on
> the error log file.

I replied that I'm a newbie and asked if he could clarify, in newbie terms, what he would like me to find. He then replied:

> Unfortunately I am a newbie when it comes to selinux too :-(
> What I am looking for is a way to tell selinux that any process can write
> to a file. I suspect that the chcon command can do this, but am not
> sure how..

SELinux people: Can you explain what he needs?

<https://sourceforge.net/tracker/?func=detail&atid=117457&aid=1781101&group_id=17457>

TIA! Lanny
On Thursday, August 30, 2007 4:50 PM -0500 Lanny Marcus <mailing-lists at computer2.com> wrote:

> SELinux people: Can you explain what he needs?

You might also want to direct your question to the SELinux people on their lists:

<http://www.redhat.com/mailman/listinfo/fedora-selinux-list>
<http://www.nsa.gov/selinux/info/list.cfm>

(I'm curious to know what the solution is, though, so please follow up back here with anything you find!)
On 30 August 2007, Kenneth Porter <shiva at sewingwitch.com> wrote:

<snip>
> You might also want to direct your question to the SELinux people on
> their lists:
>
> <http://www.redhat.com/mailman/listinfo/fedora-selinux-list>
> <http://www.nsa.gov/selinux/info/list.cfm>
>
> (I'm curious to know what the solution is, though, so please follow up
> back here with anything you find!)

Ken: I looked at the NSA web site. I will ask him if he wants to ask for the information, or if he wants me to ask for it. I will post back here if/when I have more information! Lanny
On 30 August 2007, Kenneth Porter <shiva at sewingwitch.com> wrote:

<snip>
> You might also want to direct your question to the SELinux people on
> their lists:
>
> <http://www.redhat.com/mailman/listinfo/fedora-selinux-list>
> <http://www.nsa.gov/selinux/info/list.cfm>
>
> (I'm curious to know what the solution is, though, so please follow up
> back here with anything you find!)

I looked at the archives of the NSA list. Nothing shown since March 2007. The Fedora list is much more active. I think I will join that list and post there in the morning. I noticed a reference to this very recent article from Upstream, about SELinux, which possibly will be of interest to some of the people on the CentOS ML:

<http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/>
On 30 August 2007, Kenneth Porter <shiva at sewingwitch.com> wrote:

<snip>
> You might also want to direct your question to the SELinux people on
> their lists:
>
> <http://www.redhat.com/mailman/listinfo/fedora-selinux-list>
> <http://www.nsa.gov/selinux/info/list.cfm>
>
> (I'm curious to know what the solution is, though, so please follow up
> back here with anything you find!)

Ken: I posted on the fedora-selinux-list. Below is the reply from Daniel J. Walsh at Redhat. Lanny

> This explanation and description of the problem are fine. We probably
> need a custom policy for webmin to allow iptables to write to scripts
> running as webmin, since catching stderr is important. There is no
> file context that can be set to allow this. As I recall from the
> original bug report, iptables was also trying to communicate with
> another open file descriptor. This one I believe should be closed on
> exec.
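The two mechanisms the thread turns on, a child inheriting the parent's redirected fd 2 (the first message) and a second descriptor that should have been closed on exec (the last reply), can be reproduced without Webmin, iptables or an SELinux host. The script below is an added example written for this page; it is not Webmin code and not code from anyone in the thread. The names `spawn_like_miniserv`, `demo` and `CHILD_SRC` are hypothetical, the child is a small Python program standing in for iptables, and a temporary file stands in for /var/webmin/miniserv.error. Because the child's "error output" lands in the log in both runs, the script also shows why the SELinux denial cannot be fixed by closing descriptors: fd 2 is the one Webmin wants the child to keep.

```python
"""Reproduce the descriptor-inheritance behaviour discussed in the thread.

Constructed example: a parent (standing in for miniserv.pl) points fd 2 at a
log file, holds one more descriptor on that file, and execs a child
(standing in for iptables). The child reports whether the extra descriptor
leaked into it; the parent returns what landed in the log.
"""
import os
import subprocess
import sys
import tempfile

# Code the child runs. It stands in for iptables: it writes an error line to
# fd 2 and checks whether the "extra" descriptor it was told about is open
# and still refers to the log file (inode compare, so a reused fd number
# that points somewhere else is not counted as a leak).
CHILD_SRC = r"""
import os, sys
extra_fd, log_path = int(sys.argv[1]), sys.argv[2]
sys.stderr.write("iptables (simulated): error text written to fd 2\n")
sys.stderr.flush()
try:
    leaked = os.fstat(extra_fd).st_ino == os.stat(log_path).st_ino
except OSError:
    leaked = False  # EBADF: the descriptor was closed on exec
sys.stdout.write("1" if leaked else "0")
"""


def spawn_like_miniserv(log_path, cloexec_extra):
    """Open the log, run a child with fd 2 redirected into it, and return
    (child_saw_extra_fd, log_contents).

    cloexec_extra=False leaves the second descriptor inheritable across
    exec (the leak); cloexec_extra=True marks it FD_CLOEXEC, which is what
    "closed on exec" in the reply means.
    """
    log_fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    # A second descriptor on the same file, standing in for the "other open
    # file descriptor" mentioned in the reply (hypothetical stand-in).
    extra_fd = os.open(log_path, os.O_RDONLY)
    # Python 3.4+ creates descriptors with FD_CLOEXEC already set (PEP 446);
    # set_inheritable(True) clears that flag to reproduce the leaky case.
    os.set_inheritable(extra_fd, not cloexec_extra)
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SRC, str(extra_fd), log_path],
            stderr=log_fd,          # child's fd 2 is our log file
            stdout=subprocess.PIPE,
            close_fds=False,        # inheritable descriptors pass through
            check=True,
        )
    finally:
        os.close(extra_fd)
        os.close(log_fd)
    with open(log_path) as fh:
        return proc.stdout == b"1", fh.read()


def demo():
    """Run both variants against a temporary log and return what was seen."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "miniserv.error")
        for label, cloexec in (("inheritable", False), ("cloexec", True)):
            leaked, log = spawn_like_miniserv(log_path, cloexec_extra=cloexec)
            results[label] = {
                "extra_fd_leaked": leaked,
                "stderr_in_log": "iptables (simulated)" in log,
            }
    return results


if __name__ == "__main__":
    for label, obs in demo().items():
        print(f"{label:12s} extra fd leaked into child: {obs['extra_fd_leaked']}, "
              f"child stderr reached log: {obs['stderr_in_log']}")
```

Run it as a script to see both variants. On a host with SELinux enforcing and the reference policy, the same fd 2 inheritance is where the denial happens: iptables runs in its own domain (iptables_t), and it is that domain, not the file's label alone, that must be allowed to write to the log's type, which is why the reply says no file context can grant "any process" access. The denial shows up as an AVC record in the audit log (ausearch -m avc -c iptables), and audit2allow -M can turn those records into the custom policy module the reply recommends, to be loaded with semodule -i. In permissive mode the AVC is still logged, but the write is not blocked.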