Lanny Marcus wrote:
> I found a bug in Webmin. The author of Webmin is also a SELinux
> newbie. (this is the first time I have enabled SELinux)
> He would like me to post and try to find help, from
> experienced SELinux users. He wrote:
>
>> Unfortunately I am a newbie when it comes to selinux too :-(
>> What I am looking for is a way to selinux that any process can write
>> to a file. I suspect that the chcon command can do this, but am not
>> sure how..
>
> Prior to the above, he wrote:
>> Ok, thanks ... I see the problem. Webmin opens the log file
>> /var/webmin/miniserv.error and connects STDERR to it, then runs other
>> commands like iptables, which inherits the STDERR file descriptor.
>> This is generally a good thing, as any error output from the iptables
>> command will go to that log file.
>>
>> But with selinux enabled, this fails as iptables doesn't have the
>> security context needed to write to that file. Is there a chcon option
>> or other command that can allow a file to be written by any process?
>> If so, I should update Webmin to run that on the error log file.
>
> This bug is at the below URL:
> <https://sourceforge.net/tracker/?func=detail&atid=117457&aid=1781101&group_id=17457>
>
> If someone can explain, in simple terms, what needs to be done, that
> will be greatly appreciated! TIA, Lanny
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This explanation and description of the problem are fine. We probably
need a custom policy for webmin to allow iptables to write to scripts
running as webmin, since catching stderr is important. There is no file
context that can be set to allow this.

As I recall from the original bug report, iptables was also trying to
communicate with another open file descriptor. This one I believe should
be closed on exec.
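The close-on-exec handling mentioned in the reply above, as an added example that is not part of the original message or of Webmin's code: a descriptor left inheritable (as the STDERR log is) survives into an exec'd command, while one flagged FD_CLOEXEC does not. /dev/null stands in for both files, and the function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag fd close-on-exec so exec'd commands do not inherit it. 0 on success. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* Returns 1 if a command exec'd from a child still has fd open, 0 if it
   does not (or the probe could not run), -1 on error. The probe is /bin/sh
   duplicating the descriptor; fd is limited to one digit because some
   shells only parse ">&N" for 0-9. */
int survives_exec(int fd) {
    char cmd[64];
    int status;
    if (fd < 0 || fd > 9) return -1;
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127); /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    /* Constructed stand-ins: /dev/null plays the error log and the stray file. */
    int log_fd = open("/dev/null", O_WRONLY);
    int extra_fd = open("/dev/null", O_WRONLY);
    if (log_fd < 0 || extra_fd < 0) return 1;
    printf("before: log=%d extra=%d\n", survives_exec(log_fd), survives_exec(extra_fd));
    if (set_cloexec(extra_fd) != 0) return 1;
    printf("after:  log=%d extra=%d\n", survives_exec(log_fd), survives_exec(extra_fd));
    return 0;
}
```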