On 01 September 2007, William Warren hescominsoon@emmanuelcomputerconsulting.com wrote:
Message: 3
<snip>
you can also go with webmin to configure this stuff..<G>
If you use Webmin, at this time, it is probably not a good idea to use SELinux with it. I have a very recent thread about this and there is a bug on Webmin. The SELinux folks are aware of it. Below is about SELinux. Lanny
This explanation and description of the problem are fine. We probably need a custom policy for webmin to allow iptables to write to scripts running as webmin, since catching stderr is important. There is no file context that can be set to allow this. As I recall from the original bug report, iptables was also trying to communicate with another open file descriptor. This one I believe should be closed on exec.
I run selinux in permissive. Once I figure out how to write policy I'll put it back on active..<G>
Lanny Marcus wrote:
On 01 September 2007, William Warren hescominsoon@emmanuelcomputerconsulting.com wrote:
Message: 3
<snip>
you can also go with webmin to configure this stuff..<G>
If you use Webmin, at this time, it is probably not a good idea to use SELinux with it. I have a very recent thread about this and there is a bug on Webmin. The SELinux folks are aware of it. Below is about SELinux. Lanny
This explanation and description of the problem are fine. We probably need a custom policy for webmin to allow iptables to write to scripts running as webmin, since catching stderr is important. There is no file context that can be set to allow this. As I recall from the original bug report, iptables was also trying to communicate with another open file descriptor. This one I believe should be closed on exec.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 2007-09-03 at 16:07 -0400, William Warren wrote:
I run selinux in permissive. Once I figure out how to write policy I'll put it back on active..<G>
Using audit2allow you should be able to take the SELinux denied messages and convert them into a policy. I've done that for syslog-ng in the past.
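The conversion audit2allow performs, sketched as an added example (not code from this thread or from the audit2allow tool): AVC denials are grouped by source type, target type and object class, and one allow rule is emitted per group. The log lines and the types `iptables_t` and `initrc_t` are constructed for illustration; the `skip` parameter is a hypothetical reviewer hook for denials that should be fixed in the application instead, such as a descriptor that should have been closed on exec.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the thread); types and inode numbers are assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1188850000.123:456): avc:  denied  { write } for  pid=2345 comm="iptables" path="pipe:[12345]" dev=pipefs ino=12345 scontext=user_u:system_r:iptables_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=fifo_file
type=AVC msg=audit(1188850000.124:457): avc:  denied  { read write } for  pid=2345 comm="iptables" path="socket:[6789]" dev=sockfs ino=6789 scontext=user_u:system_r:iptables_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=tcp_socket
type=AVC msg=audit(1188850000.125:458): avc:  denied  { write } for  pid=2345 comm="iptables" path="pipe:[12345]" dev=pipefs ino=12345 scontext=user_u:system_r:iptables_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1188850000.125:458): arch=40000003 syscall=11 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_to_rules(log_text, skip=()):
    """Merge AVC denials into allow rules, one per (source, target, class).

    skip: object classes the reviewer has decided not to allow, e.g. a
    leaked descriptor that the parent process should close on exec.
    """
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["cls"] in skip:
            continue  # non-AVC record, or a class excluded by the reviewer
        key = (type_of(m["s"]), type_of(m["t"]), m["cls"])
        perms[key].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
        for (src, tgt, cls), p in sorted(perms.items())
    ]


if __name__ == "__main__":
    print("# every denial converted:")
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
    print("# after review, socket descriptor left denied:")
    print("\n".join(denials_to_rules(SAMPLE_LOG, skip={"tcp_socket"})))
```

Generated rules grant exactly what was denied, so each one needs reading before the module is loaded; running in permissive mode first collects the full set of denials in one pass.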