Webmin bug, with SELinux in Permissive Mode

Daniel J Walsh dwalsh at redhat.com
Sat Sep 1 10:57:45 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lanny Marcus wrote:
> I found a bug in Webmin. The author of Webmin is also a SELinux 
> newbie. (this is the first time I have enabled SELinux)
> He would like me to post and try to find help, from 
> experienced SELinux users. He wrote:
> 
>> Unfortunately I am a newbie when it comes to selinux too :-(
>> What I am looking for is a way to selinux that any process can write
>> to a file. I suspect that the chcon command can do this, but am not
>> sure how..
> 
> Prior to the above, he wrote: 
>> Ok, thanks ... I see the problem. Webmin opens the log file
>> /var/webmin/miniserv.error and connects STDERR to it, then runs other
>> commands like iptables, which inherits the STDERR file descriptor.
>> This is generally a good thing, as any error output from the iptables
>> command will go to that log file.
>>
>> But with selinux enabled, this fails as iptables doesn't have the
>> security context needed to write to that file. Is there a chcon option
>> or other command that can allow a file to be written by any process?
>> If so, I should update Webmin to run that on the error log file.
> 
> This bug is at the below URL:
> <https://sourceforge.net/tracker/?func=detail&atid=117457&aid=1781101&group_id=17457>
> 
> If someone can explain, in simple terms, what needs to be done, that
> will be greatly appreciated! TIA, Lanny
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
This explanation and description of the problem are fine.  We probably
need a custom policy for webmin to allow iptables to write to scripts
running as webmin, since catching stderr is important.   There is no
file context that can be set to allow this.  As I recall from the
original bug report, iptables was also trying to communicate with
another open file descriptor.  This one I believe should be closed on exec.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG2UWprlYvE4MpobMRAvGqAJ9meO4o+9xNfujEPxInoOYmweK6LQCeP5Vi
vGbdEz40YSeDTRKvwFVayR8=
=AYDf
-----END PGP SIGNATURE-----
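The two descriptor behaviours the reply describes, as an added example that is not Webmin's code and not taken from the bug report: a parent attaches its error log to stderr (fd 2) so that a child command inherits it, while any other descriptor the parent happens to hold open must carry FD_CLOEXEC so the child never sees it. The child below is a small Python stand-in for iptables; the file names and the scratch directory are assumed. The script only models the file-descriptor side: with SELinux enforcing, the child's writes to the inherited log are still subject to policy, which is the part a custom module would have to address.

```python
"""Added example (not Webmin's code and not from the bug report): how a
parent that redirects stderr into a log file controls which of its other
descriptors a child such as iptables inherits across exec.  The child is
a Python stand-in for iptables; 'miniserv.error', 'leaky.dat' and
'private.dat' are assumed names inside a scratch directory."""
import os
import subprocess
import sys
import tempfile

# Stand-in for the iptables child.  It reports which of the descriptors
# named on its command line are still open AND still refer to the same
# file (device:inode check, so a number reused after close-on-exec is
# not mistaken for a leak), then writes one error line to stderr.
CHILD_SCRIPT = r"""
import os, sys
alive = []
for spec in sys.argv[1:]:
    fd, dev, ino = (int(x) for x in spec.split(':'))
    try:
        st = os.fstat(fd)
    except OSError:
        continue
    if (st.st_dev, st.st_ino) == (dev, ino):
        alive.append(fd)
sys.stderr.write("child: error output\n")
print(" ".join(str(fd) for fd in alive))
"""


def run_child_with_error_log(log_path, fds_to_probe):
    """Attach log_path to fd 2, exec the child without scrubbing
    descriptors (close_fds=False, i.e. plain fork/exec semantics) and
    return (set of fds the child still saw open, contents of the log)."""
    specs = []
    for fd in fds_to_probe:
        st = os.fstat(fd)
        specs.append(f"{fd}:{st.st_dev}:{st.st_ino}")
    log_fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    saved_stderr = os.dup(2)
    # dup2 onto fd 2 leaves FD_CLOEXEC clear on 2: the child inherits the log.
    os.dup2(log_fd, 2)
    os.close(log_fd)
    try:
        out = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT, *specs],
            close_fds=False, stdout=subprocess.PIPE, check=True,
        ).stdout.decode()
    finally:
        os.dup2(saved_stderr, 2)   # put the parent's own stderr back
        os.close(saved_stderr)
    with open(log_path) as f:
        logged = f.read()
    return {int(x) for x in out.split()}, logged


def demo(workdir):
    """Open one descriptor that leaks (no FD_CLOEXEC, the stray fd the
    reply says iptables was talking to) and one that is close-on-exec,
    run the child, and report what it observed."""
    log_path = os.path.join(workdir, "miniserv.error")
    leaky = os.open(os.path.join(workdir, "leaky.dat"),
                    os.O_RDWR | os.O_CREAT, 0o600)
    os.set_inheritable(leaky, True)       # the defect: stray fd survives exec
    private = os.open(os.path.join(workdir, "private.dat"),
                      os.O_RDWR | os.O_CREAT, 0o600)
    os.set_inheritable(private, False)    # sets FD_CLOEXEC (Python default since 3.4)
    try:
        alive, logged = run_child_with_error_log(log_path, [leaky, private])
    finally:
        os.close(leaky)
        os.close(private)
    return {
        "leaky_seen": leaky in alive,
        "private_seen": private in alive,
        "stderr_logged": "child: error output" in logged,
    }


def demo_in_tempdir():
    """demo() in a throw-away directory, so it can be called standalone."""
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Run standalone it reports that the leaky descriptor was visible to the child, the close-on-exec one was not, and the child's stderr line landed in the log. In a Perl server such as Webmin the equivalent knob is the close-on-exec flag set through fcntl (`F_SETFD`/`FD_CLOEXEC`) on every descriptor that is not meant for the child, leaving fd 2 alone.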



