Red Hat Bugzilla – Bug 253636
SELinux in Permissive mode, using Webmin
Last modified: 2007-11-30 17:07:47 EST
Description of problem:
Problem with Webmin with SELinux in Permissive mode. Bug Report was requested.
var/webmin/sessiondb.pag, restorecon -v /var/webmin/sessiondb.pag. There is
currently no automatic way to allow this access. Instead, you can generate a
local policy module to allow this access - see FAQ - or you can disable SELinux
protection entirely for the application. Disabling SELinux protection is not
recommended. Please file a bug report against this package. Changing the
"nmbd_disable_trans" boolean to true will disable SELinux protection this
application: "setsebool -P nmbd_disable_trans=1."

The following command will allow this access:
setsebool -P nmbd_disable_trans=1

Additional Information
Source Context: user_u:system_r:nmbd_t
Target Context: user_u:object_r:var_t
Target Objects: /var/webmin/sessiondb.pag [ file ]
Affected RPM Packages: samba-3.0.23c-2 [application]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enforcing Mode: Permissive
Plugin Name: plugins.disable_trans
Host Name: dell2400.homelan
Platform: Linux dell2400.homelan 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686 i686
Alert Count: 1
I am not sure what this is reporting? Could you attach the
This looks like samba tried to read /var/webmin/sessiondb.pag?
Created attachment 161982 [details]
Ok, this looks like a leaked file descriptor(s).
Are being examined for access by many confined domains. So something in the
bootup process is opening these files and not closing them before execing the
Are you using something special in the boot process?
From googling these, it looks like virtualmin has a problem.
Daniel: I am not aware of *anything* special in the boot process. Using GRUB, in
a Custom Install. Lanny
Are you running virtualmin?
What package(s) owns miniserv.error and sessiondb.pag?
They are leaking a file descriptor.
Daniel: I do not believe virtualmin is installed. I installed Webmin and then
Usermin, and I have explored them, 2 or 3 times, but, I have not used them to
change anything. It looks like all the messages in the setroubleshoot browser
are related to things SELinux does not like, that Webmin is trying to do.
SELinux is in Permissive mode. Seems that this is being caused by Webmin, or,
SELinux reaction to Webmin. This is typical of messages in the setroubleshoot
SELinux is preventing /sbin/iptables (iptables_t) "read write" to
[root@dell2400 ~]# rpm -qf /var/webmin/miniserv.error
file /var/webmin/miniserv.error is not owned by any package
[root@dell2400 ~]# rpm -qf /var/webmin/sessiondb.pag
file /var/webmin/sessiondb.pag is not owned by any package
Well then I would surmise that Webmin is opening these files and not closing the
descriptors. Then later execing iptables.
Basically iptables knows nothing of sessiondb.pag, and adding SELinux rules to
handle this is just covering up a bug in webmin.
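Added example, not part of the original bug thread and not Webmin's code: a minimal C reproduction of the leak diagnosed above, where a parent opens a file, forks, and execs a helper that inherits the descriptor unless close-on-exec is set. The function name fd_survives_exec and the temporary file are hypothetical stand-ins for the daemon and sessiondb.pag; it assumes Linux with /proc mounted and /bin/sh present.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a descriptor opened by the parent is still open in the
 * program the child exec()s, 0 if it is not, -1 on error. */
int fd_survives_exec(int set_cloexec)
{
    char path[] = "/tmp/fdleak-demo-XXXXXX"; /* constructed stand-in file */
    int fd = mkstemp(path);                  /* opened without close-on-exec */
    if (fd < 0)
        return -1;

    if (set_cloexec) {
        /* The fix on the daemon side: mark the descriptor close-on-exec. */
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            unlink(path);
            return -1;
        }
    }

    /* The exec'd shell checks its own descriptor table for the same number. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "[ -L /proc/self/fd/%d ]", fd);

    int result = -1;
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                          /* exec itself failed */
    }
    int status;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        if (WEXITSTATUS(status) == 0)
            result = 1;                      /* helper inherited the descriptor */
        else if (WEXITSTATUS(status) == 1)
            result = 0;                      /* descriptor was closed at exec */
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("default open:   inherited across exec = %d\n", fd_survives_exec(0));
    printf("FD_CLOEXEC set: inherited across exec = %d\n", fd_survives_exec(1));
    return 0;
}
```

In the leaking case the confined helper's domain is checked against the inherited file's label, which is what produces AVC messages like the nmbd_t and iptables_t ones in this report.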
Daniel: I just moved this to the Webmin Bug Tracker on sourceforge.net. Thank
you, very much! Lanny