Description of problem: Problem with Webmin with SELinux in Permissive mode. Bug Report was requested.
Additional info: var/webmin/sessiondb.pag, restorecon -v /var/webmin/sessiondb.pag.
There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a bug report against this package. Changing the "nmbd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P nmbd_disable_trans=1."
The following command will allow this access:
setsebool -P nmbd_disable_trans=1
Additional Information
Source Context: user_u:system_r:nmbd_t
Target Context: user_u:object_r:var_t
Target Objects: /var/webmin/sessiondb.pag [ file ]
Affected RPM Packages: samba-3.0.23c-2 [application]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.disable_trans
Host Name: dell2400.homelan
Platform: Linux dell2400.homelan 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686
Alert Count: 1
I am not sure what this is reporting? Could you attach the /var/log/audit/audit.log? This looks like samba tried to read /var/webmin/sessiondb.pag?
Created attachment 161982: /var/log/audit/audit.log
Ok, this looks like a leaked file descriptor(s). miniserv.error and sessiondb.pag are being examined for access by many confined domains. So something in the bootup process is opening these files and not closing them before execing the other apps. Are you using something special in the boot process?
From googling these, it looks like virtualmin has a problem.
Daniel: I am not aware of *anything* special in the boot process. Using GRUB, in a Custom Install. Lanny
Are you running virtualmin? What package(s) owns miniserv.error and sessiondb.pag? They are leaking a file descriptor.
Daniel: I do not believe virtualmin is installed. I installed Webmin and then Usermin, and I have explored them, 2 or 3 times, but, I have not used them to change anything. It looks like all the messages in the setroubleshoot browser are related to things SELinux does not like, that Webmin is trying to do. SELinux is in Permissive mode. Seems that this is being caused by Webmin, or, SELinux reaction to Webmin. This is typical of messages in the setroubleshoot browser:
Summary SELinux is preventing /sbin/iptables (iptables_t) "read write" to /var/webmin/sessiondb.pag (var_t).
[root@dell2400 ~]# rpm -qf /var/webmin/miniserv.error
file /var/webmin/miniserv.error is not owned by any package
[root@dell2400 ~]# rpm -qf /var/webmin/sessiondb.pag
file /var/webmin/sessiondb.pag is not owned by any package
[root@dell2400 ~]#
HTH, Lanny
Well then I would surmise that Webmin is opening these files and not closing the descriptors, then later execing iptables. Basically iptables knows nothing of sessiondb.pag, and adding SELinux rules to handle this is just covering up a bug in webmin.
Daniel: I just moved this to the Webmin Bug Tracker on sourceforge.net. Thank you, very much! Lanny
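The diagnosis in this thread (the same Webmin files being denied to many unrelated confined domains, which points at descriptors inherited across exec rather than real accesses) can be checked mechanically against an audit log. The script below is an added example, not part of the original report or of Webmin or setroubleshoot; the AVC records are constructed samples, and the function name, the three-domain threshold and the /var/www path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the attached audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1186000001.101:21): avc:  denied  { read write } for  pid=2101 comm="iptables" path="/var/webmin/sessiondb.pag" dev=dm-0 ino=3001 scontext=user_u:system_r:iptables_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186000001.102:22): avc:  denied  { write } for  pid=2101 comm="iptables" path="/var/webmin/miniserv.error" dev=dm-0 ino=3002 scontext=user_u:system_r:iptables_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186000002.201:31): avc:  denied  { read write } for  pid=2202 comm="nmbd" path="/var/webmin/sessiondb.pag" dev=dm-0 ino=3001 scontext=user_u:system_r:nmbd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186000002.202:32): avc:  denied  { write } for  pid=2202 comm="nmbd" path="/var/webmin/miniserv.error" dev=dm-0 ino=3002 scontext=user_u:system_r:nmbd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186000003.301:41): avc:  denied  { read write } for  pid=2303 comm="smbd" path="/var/webmin/sessiondb.pag" dev=dm-0 ino=3001 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186000004.401:51): avc:  denied  { write } for  pid=2404 comm="ntpd" path="/var/webmin/miniserv.error" dev=dm-0 ino=3002 scontext=user_u:system_r:ntpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1186000005.501:61): avc:  denied  { getattr } for  pid=2505 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=4001 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
"""

# Pull the command, target file and both contexts out of one AVC denial.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{[^}]*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'(?:path|name)="(?P<target>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_of(context):
    """An SELinux context is user:role:type[:level]; return the type (domain)."""
    return context.split(":")[2]

def leaked_fd_candidates(log_text, min_domains=3):
    """Map each file denied to >= min_domains distinct source domains to those domains.

    One file touched by several unrelated confined domains is the pattern a
    descriptor left open across exec produces; a single domain is not flagged.
    """
    by_target = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("tclass") == "file":
            by_target[m.group("target")].add(domain_of(m.group("scontext")))
    return {t: sorted(d) for t, d in by_target.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for target, domains in sorted(leaked_fd_candidates(SAMPLE_AUDIT_LOG).items()):
        print(f"{target}: denied to {len(domains)} domains: {', '.join(domains)}")
```

To run it on a real system, pass the contents of /var/log/audit/audit.log to leaked_fd_candidates() in place of the sample text.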