
Fix SELinux labeling for Usermin runtime data #135

Merged: jcameron merged 3 commits into master from dev/selinux-config on Jul 3, 2026

Conversation

@iliaross (Collaborator, author):

Hello Jamie,

This PR adds SELinux context handling for Usermin’s default runtime directory on EL systems.

Setup now persists and applies a var_run_t fcontext rule when SELinux is enabled, falls back safely when SELinux tooling is unavailable, and removes the local fcontext rule when /var/usermin is deleted during uninstall.

Discussed originally here:
https://forum.virtualmin.com/t/usermin-needs-selinux-fix/137474

Comment thread makerpm.pl
if [ "\$?" = 0 ]; then
# RPM is being removed, and no new version of usermin
# has taken it's place. Delete the config files
if command -v semanage >/dev/null 2>&1; then
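Review bot: `command -v semanage` on the last line only establishes that the binary is on the scriptlet's PATH; whether the `semanage fcontext -d` call it guards then succeeds depends on the local policy store existing and on the rule actually being present, so that call should be made unable to fail the package-removal scriptlet (for example with a trailing `|| :`), because a pre-removal scriptlet that exits non-zero aborts the erase. The thread below also settles on `type` or an explicit `[ -x /usr/sbin/semanage ]` instead of `command -v` for portability; whichever form is chosen in setup.sh should be mirrored here. Minor: the comment on the second line should read "its place", not "it's place".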

Collaborator:

Does `if command` work on all operating systems, including those without bash?

Better to use `which` or maybe just `-x` instead.

Collaborator (author):

Definitely not `which`. `command -v` is specified by POSIX sh, so it works without Bash on normal Unix/POSIX shells such as dash, ash, ksh, BusyBox sh, etc.

Collaborator:

Actually I may have misunderstood what `command` does. Are you using it to check if the `semanage` command is installed, or something else?

Collaborator (author):

Yes, `command -v semanage` is being used to check whether `semanage` is available in the current PATH.

And, we cannot use `has_command` in this context, just in case.

Collaborator:

So I checked the man page for sh on some other operating systems we support, and it seems like `command` is not supported on Solaris: https://docs.oracle.com/cd/E86824_01/html/E54763/sh-1.html

Hence I don't think we can use it, and in fact we should be very careful to not use bash-specific code in setup.sh.

Collaborator (author):

setup.sh already had a pre-existing `command -v systemctl` use, so this is not a brand-new portability issue, and the makerpm.pl RPM scriptlet does not matter for Solaris at all.

And, even though the Oracle docs show `command` is not a built-in of Solaris legacy sh, their shell_builtins table lists `command` only for ksh, while `type` is listed for sh too.

The same docs also say Solaris has /usr/xpg4/bin/sh as the standards-compliant shell, and note that /usr/bin/sh links to ksh93 on Solaris 11, where `command` should exist.

Therefore, I don't think we should change style just for legacy Solaris /usr/sunos/bin/sh, especially since setup.sh has already used `command -v` for a long time without reported issues.

Collaborator:

Well I guess we got lucky with that systemctl case, although it probably generated an odd error message on systems using legacy /bin/sh. Don't forget that there are also embedded system Linuxes that don't have the full bash because they lack storage space, and people do run Webmin on them.

Please just change this to `if [ -x /usr/sbin/semanage ];` or something. It's a tiny change for improved cross-system compatibility!

Collaborator (author):

Alright, updated to use `type`, which is better than `which` and is also supported by older versions of Solaris.
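
The setup and uninstall flow the PR description outlines, combined with the command-existence check this thread settled on, as an added example written for this page in POSIX sh. It is not Usermin's setup.sh or makerpm.pl code. The function names (`has_cmd`, `selinux_active`, `fcontext_pattern`, `label_runtime_dir`, `unlabel_runtime_dir`), the return-status convention and the `--setup`/`--uninstall` entry points are this example's own assumptions; `semanage fcontext -a/-m/-d`, `restorecon -R` and `selinuxenabled` are the real policycoreutils/libselinux tools.

```shell
#!/bin/sh
# Added example (not Usermin/Webmin code): persist and apply a var_run_t
# fcontext rule for Usermin's runtime directory at setup, remove it at
# uninstall, and skip cleanly when SELinux or its tooling is absent.
# Function names and exit-status convention are this example's choices.

# has_cmd NAME: true when NAME resolves to something runnable (PATH lookup,
# builtin or function). `type` is used instead of `command -v` because the
# review found `command` missing from legacy Solaris /bin/sh, and instead of
# `which`, which is an external program that can itself be absent.
has_cmd() {
    type "$1" >/dev/null 2>&1
}

# selinux_active: true only when SELinux is enabled on the running kernel.
# selinuxenabled (libselinux) exits 0 when enabled, non-zero when disabled;
# if it is not installed at all, SELinux is treated as off.
selinux_active() {
    has_cmd selinuxenabled && selinuxenabled >/dev/null 2>&1
}

# fcontext_pattern DIR: the file-context regex covering DIR and everything
# below it, the same shape `semanage fcontext -l` displays.
fcontext_pattern() {
    printf '%s(/.*)?' "$1"
}

# label_runtime_dir DIR: persist "DIR(/.*)? -> var_run_t" in the local policy
# store and relabel DIR so the rule takes effect now rather than at the next
# restorecon run. Returns 0 on success, 2 when skipped (SELinux disabled or
# tooling missing), 1 when semanage/restorecon themselves failed.
label_runtime_dir() {
    udir=$1
    if ! selinux_active; then
        echo "label_runtime_dir: SELinux not enabled, leaving $udir alone" >&2
        return 2
    fi
    if ! has_cmd semanage || ! has_cmd restorecon; then
        echo "label_runtime_dir: semanage/restorecon missing, cannot persist rule for $udir" >&2
        return 2
    fi
    upat=$(fcontext_pattern "$udir")
    # -a fails when an identical rule already exists (e.g. setup re-run);
    # fall back to -m so repeated installs stay idempotent.
    semanage fcontext -a -t var_run_t "$upat" 2>/dev/null ||
        semanage fcontext -m -t var_run_t "$upat" || return 1
    # Relabel only if the directory exists yet; the rule is persisted either way.
    if [ -e "$udir" ]; then
        restorecon -R "$udir" || return 1
    fi
    return 0
}

# unlabel_runtime_dir DIR: drop the local rule when DIR is deleted at
# uninstall. It never fails the caller: a package pre-removal scriptlet that
# exits non-zero aborts the erase, and the rule may already be absent.
unlabel_runtime_dir() {
    udir=$1
    has_cmd semanage || return 2
    semanage fcontext -d "$(fcontext_pattern "$udir")" 2>/dev/null || return 2
    return 0
}

# Run directly as `--setup [DIR]` or `--uninstall [DIR]` to try it on a live
# EL box (needs root); DIR defaults to Usermin's /var/usermin.
case "${1-}" in
    --setup)     label_runtime_dir "${2:-/var/usermin}" ;;
    --uninstall) unlabel_runtime_dir "${2:-/var/usermin}" ;;
esac
```

`[ -x /usr/sbin/semanage ]`, as suggested in the thread, is an equally portable check but ties the script to one install path; `has_cmd` keeps the PATH lookup while staying within what legacy Bourne shells offer. Note that when SELinux is disabled the rule is not persisted at all, matching the PR description, so a later switch to enforcing mode needs setup to be re-run.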

@jcameron merged commit 38a46e7 into master on Jul 3, 2026