Bug 253636 - SELinux in Permissive mode, using Webmin
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: i686
OS: Linux
Priority: low
Severity: low
Assignee: Daniel Walsh
Reported: 2007-08-20 22:27 UTC by LannyM
Modified: 2007-11-30 22:07 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-09-04 19:46:07 UTC
Attachments:
/var/log/audit/audit.log (478.45 KB, text/plain), 2007-08-21 14:46 UTC, LannyM

Description LannyM 2007-08-20 22:27:28 UTC
Description of problem:
Problem with Webmin with SELinux in Permissive mode. Bug Report was requested.

Additional info:

var/webmin/sessiondb.pag, restorecon -v /var/webmin/sessiondb.pag. There is
currently no automatic way to allow this access. Instead, you can generate a
local policy module to allow this access - see FAQ - or you can disable SELinux
protection entirely for the application. Disabling SELinux protection is not
recommended. Please file a bug report against this package. Changing the
"nmbd_disable_trans" boolean to true will disable SELinux protection this
application: "setsebool -P nmbd_disable_trans=1."

The following command will allow this access:
setsebool -P nmbd_disable_trans=1

Additional Information

Source Context:  user_u:system_r:nmbd_t
Target Context:  user_u:object_r:var_t
Target Objects:  /var/webmin/sessiondb.pag [ file ]
Affected RPM Packages:  samba-3.0.23c-2 [application]
Policy RPM:  selinux-policy-2.4.6-30.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.disable_trans
Host Name:  dell2400.homelan
Platform:  Linux dell2400.homelan 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686
Alert Count:  1

Comment 1 Daniel Walsh 2007-08-21 13:03:43 UTC
I am not sure what this is reporting?  Could you attach the
/var/log/audit/audit.log?

This looks like samba tried to read /var/webmin/sessiondb.pag?

Comment 2 LannyM 2007-08-21 14:46:07 UTC
Created attachment 161982
/var/log/audit/audit.log

Comment 3 Daniel Walsh 2007-08-21 17:10:54 UTC
Ok, this looks like a leaked file descriptor(s).

miniserv.error
and
sessiondb.pag

Are being examined for access by many confined domains.  So something in the
bootup process is opening these files and not closing them before execing the
other apps.

Are you using something special in the boot process?



Comment 4 Daniel Walsh 2007-08-21 17:13:06 UTC
From googling these, it looks like virtualmin has a problem.

Comment 5 LannyM 2007-08-21 19:27:10 UTC
Daniel: I am not aware of *anything* special in the boot process. Using GRUB, in
a Custom Install.  Lanny

Comment 6 Daniel Walsh 2007-08-22 12:50:19 UTC
Are you running virtualmin?

What package(s) owns miniserv.error and sessiondb.pag?
They are leaking a file descriptor.

Comment 7 LannyM 2007-08-24 13:50:25 UTC
Daniel: I do not believe virtualmin is installed. I installed Webmin and then
Usermin, and I have explored them, 2 or 3 times, but, I have not used them to
change anything. It looks like all the messages in the setroubleshoot browser
are related to things SELinux does not like, that Webmin is trying to do.
SELinux is in Permissive mode. Seems that this is being caused by Webmin, or,
SELinux reaction to Webmin. This is typical of messages in the setroubleshoot
browser:

Summary
    SELinux is preventing /sbin/iptables (iptables_t) "read write" to
    /var/webmin/sessiondb.pag (var_t).

[root@dell2400 ~]# rpm -qf /var/webmin/miniserv.error
file /var/webmin/miniserv.error is not owned by any package
[root@dell2400 ~]# rpm -qf /var/webmin/sessiondb.pag
file /var/webmin/sessiondb.pag is not owned by any package
[root@dell2400 ~]#

HTH, Lanny

Comment 8 Daniel Walsh 2007-08-24 13:58:21 UTC
Well then I would surmise that Webmin is opening these files and not closing the
descriptors.  Then later execing iptables.

Basically iptables knows nothing of sessiondb.pag, and adding SELinux rules to
handle this is just covering up a bug in webmin.
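
Added example (not part of the bug report or of Webmin's code): a C sketch of the descriptor leak diagnosed in Comments 3 and 8. A parent opens a file, then forks and execs a helper standing in for iptables; the helper still holds the descriptor unless close-on-exec was set. The scratch path and function names are constructed for illustration, and the check assumes Linux with /proc mounted and /bin/sh present.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec a helper (stand-in for iptables). Returns 1 if the helper still
 * holds `fd`, 0 if it was closed at exec, -1 on error. Assumes Linux /proc. */
int helper_inherits_fd(int fd)
{
    char num[16];
    int status;
    snprintf(num, sizeof num, "%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "[ -e \"/proc/self/fd/$1\" ]",
              "sh", num, (char *)NULL);
        _exit(127);                     /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Mark an already-open descriptor close-on-exec. Returns 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) ? -1 : 0;
}

int main(void)
{
    char path[] = "/tmp/sessiondb-demo-XXXXXX";  /* constructed scratch file */
    int leaky = mkstemp(path);                   /* opened without close-on-exec */
    int safe = open(path, O_RDWR | O_CLOEXEC);   /* flag set atomically at open */
    if (leaky < 0 || safe < 0)
        return 1;
    printf("mkstemp fd %d inherited: %d\n", leaky, helper_inherits_fd(leaky));
    printf("O_CLOEXEC fd %d inherited: %d\n", safe, helper_inherits_fd(safe));
    set_cloexec(leaky);
    printf("after F_SETFD, fd %d inherited: %d\n", leaky, helper_inherits_fd(leaky));
    unlink(path);
    return 0;
}
```

SELinux re-checks each inherited descriptor against the new domain at exec, which is why the denials name iptables_t or nmbd_t rather than the process that opened the file.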

Comment 9 LannyM 2007-08-24 14:32:03 UTC
Daniel: I just moved this to the Webmin Bug Tracker on sourceforge.net. Thank
you, very much! Lanny