Testing various software updates to my RedHat 8 servers and came across a new issue.
I realize its my own headache, but my agency really likes SELinux and we run it in enforcing mode as much as we can
My template system I use to clone VirtualMin servers has for a long time had /var/usermin set to the SELinux context of var_t while the corresponding directory /var/webmin has the context of var_log_t (as well as all the files in each directory). This never caused me any issues (not sure I even noticed) until today when I applied a bunch of RedHat updates along with updating webmin and usermin and virtualmin; now there is an issue with the miniserv.pid file used by usermin.
Note again this was not an issue last week or last month – and is not an issue with the similar miniserv.pid file used by webmin. In researching this, I came across an actual webmin rule distributed by RedHat/Centos in the SELinux policies targeting /var/webmin !! I was very surprised and excited to see that as I did not know it was there.
Sadly there is not a similar context rule for /var/usermin
so … for now I just relabeled /var/usermin to match /var/webmin with
chcon --type=var_log_t --recursive /var/usermin
for completeness I should post another way to adjust it (assuming /var/webmin is correct):
chcon --recursive --reference=/var/webmin /var/usermin
of course to make things ‘stick’, I really should create a local policy (and apply it), to mimic the policy already in place for /var/webmin with
semanage fcontext --add --type=var_log_t “/var/usermin(/.*)?”
restorecon -R /var/usermin
OR … as today’s issue is about just the PID file, I wonder if a redesign is in order?? That is, have the PID file stored in /var/run, or a subdirectory such as /var/run/webmin and /var/run/usermin ???
But that could be much more work; since /var/webmin is set to var_log_t already, /var/usermin I believe should match it
As this took me some time to diagnose, I wanted to share in case it can help others !!