Bug 253636 - SELinux in Permissive mode, using Webmin
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: i686 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
Reported: 2007-08-20 18:27 EDT by LannyM
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-09-04 15:46:07 EDT


Attachments:
/var/log/audit/audit.log (478.45 KB, text/plain)
2007-08-21 10:46 EDT, LannyM

Description LannyM 2007-08-20 18:27:28 EDT
Description of problem:
Problem with Webmin with SELinux in Permissive mode. Bug Report was requested.

Additional info:

var/webmin/sessiondb.pag, restorecon -v /var/webmin/sessiondb.pag. There is
currently no automatic way to allow this access. Instead, you can generate a
local policy module to allow this access - see FAQ - or you can disable SELinux
protection entirely for the application. Disabling SELinux protection is not
recommended. Please file a bug report against this package. Changing the
"nmbd_disable_trans" boolean to true will disable SELinux protection this
application: "setsebool -P nmbd_disable_trans=1."

The following command will allow this access:
setsebool -P nmbd_disable_trans=1

Additional Information
Source Context:  user_u:system_r:nmbd_t
Target Context:  user_u:object_r:var_t
Target Objects:  /var/webmin/sessiondb.pag [ file ]
Affected RPM Packages:  samba-3.0.23c-2 [application]
Policy RPM:  selinux-policy-2.4.6-30.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.disable_trans
Host Name:  dell2400.homelan
Platform:  Linux dell2400.homelan 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686
Alert Count:  1
Comment 1 Daniel Walsh 2007-08-21 09:03:43 EDT
I am not sure what this is reporting?  Could you attach the
/var/log/audit/audit.log?

This looks like samba tried to read /var/webmin/sessiondb.pag?
Comment 2 LannyM 2007-08-21 10:46:07 EDT
Created attachment 161982 [details]
/var/log/audit/audit.log

/var/log/audit/audit.log
Comment 3 Daniel Walsh 2007-08-21 13:10:54 EDT
Ok, this looks like a leaked file descriptor(s).

miniserv.error
and
sessiondb.pag

Are being examined for access by many confined domains.  So something in the
bootup process is opening these files and not closing them before execing the
other apps.

Are you using something special in the boot process?

Comment 4 Daniel Walsh 2007-08-21 13:13:06 EDT
From googling these, it looks like virtualmin has a problem.
Comment 5 LannyM 2007-08-21 15:27:10 EDT
Daniel: I am not aware of *anything* special in the boot process. Using GRUB, in
a Custom Install.  Lanny
Comment 6 Daniel Walsh 2007-08-22 08:50:19 EDT
Are you running virtualmin?

What package(s) owns miniserv.error and sessiondb.pag?
They are leaking a file descriptor.
Comment 7 LannyM 2007-08-24 09:50:25 EDT
Daniel: I do not believe virtualmin is installed. I installed Webmin and then
Usermin, and I have explored them, 2 or 3 times, but, I have not used them to
change anything. It looks like all the messages in the setroubleshoot browser
are related to things SELinux does not like, that Webmin is trying to do.
SELinux is in Permissive mode. Seems that this is being caused by Webmin, or,
SELinux reaction to Webmin. This is typical of messages in the setroubleshoot
browser:

Summary
    SELinux is preventing /sbin/iptables (iptables_t) "read write" to
    /var/webmin/sessiondb.pag (var_t).

[root@dell2400 ~]# rpm -qf /var/webmin/miniserv.error
file /var/webmin/miniserv.error is not owned by any package
[root@dell2400 ~]# rpm -qf /var/webmin/sessiondb.pag
file /var/webmin/sessiondb.pag is not owned by any package
[root@dell2400 ~]#

HTH, Lanny
Comment 8 Daniel Walsh 2007-08-24 09:58:21 EDT
Well then I would surmise that Webmin is opening these files and not closing the
descriptors.  Then later execing iptables.

Basically iptables knows nothing of sessiondb.pag, and adding SELinux rules to
handle this is just covering up a bug in webmin.
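
The pattern described in Comments 3 and 8, one file showing up in denials from several unrelated confined domains, can be checked for directly in audit.log. The following is an added example, not part of the original bug thread or of any Red Hat tool; the function name, the threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the attached audit.log).
# File names and domains follow the ones named in this report; pids, inode
# numbers, device and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1187700001.101:41): avc:  denied  { read write } for  pid=2101 comm="nmbd" name="sessiondb.pag" dev=sda2 ino=98311 scontext=user_u:system_r:nmbd_t tcontext=user_u:object_r:var_t tclass=file
type=AVC msg=audit(1187700002.202:42): avc:  denied  { read write } for  pid=2140 comm="iptables" name="sessiondb.pag" dev=sda2 ino=98311 scontext=user_u:system_r:iptables_t tcontext=user_u:object_r:var_t tclass=file
type=AVC msg=audit(1187700002.203:43): avc:  denied  { append } for  pid=2140 comm="iptables" name="miniserv.error" dev=sda2 ino=98312 scontext=user_u:system_r:iptables_t tcontext=user_u:object_r:var_t tclass=file
type=AVC msg=audit(1187700003.304:44): avc:  denied  { append } for  pid=2101 comm="nmbd" name="miniserv.error" dev=sda2 ino=98312 scontext=user_u:system_r:nmbd_t tcontext=user_u:object_r:var_t tclass=file
type=AVC msg=audit(1187700004.405:45): avc:  denied  { getattr } for  pid=2200 comm="httpd" name="report.html" dev=sda2 ino=77001 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1187700004.405:45): arch=40000003 syscall=195 success=yes exit=0 pid=2200 comm="httpd"
"""

# Pulls the object name, inode, source/target context and class out of one
# "avc: denied" record; other record types simply do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'(?:name|path)="?(?P<obj>[^"\s]+)"?.*?'
    r'ino=(?P<ino>\d+).*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def leaked_fd_candidates(log_text, min_domains=2):
    """Return {(name, inode): sorted source domains} for files that at least
    min_domains different confined domains were denied on. Many unrelated
    domains touching one file is the leaked-descriptor pattern."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "file":
            continue
        domain = m.group("scon").split(":")[2]  # user:role:type[:level]
        seen[(m.group("obj"), int(m.group("ino")))].add(domain)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_domains}

if __name__ == "__main__":
    for (name, ino), domains in leaked_fd_candidates(SAMPLE_AUDIT_LOG).items():
        print(f"{name} (ino {ino}) denied for: {', '.join(domains)}")
```

A hit points at the parent process that opened the file without close-on-exec, which is where the fix belongs, rather than at the policy of each child domain.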
Comment 9 LannyM 2007-08-24 10:32:03 EDT
Daniel: I just moved this to the Webmin Bug Tracker on sourceforge.net. Thank
you, very much! Lanny
