-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Colin Paul Adams wrote: > I just installed (via yum) and started squid. > > I then noticed I had some SELinux alert > > Summary > SELinux is preventing /usr/sbin/squid (squid_t) "read write" to socket > (unconfined_t). > > Detailed Description > SELinux denied access requested by /usr/sbin/squid. It is not expected that > this access is required by /usr/sbin/squid and this access may signal an > intrusion attempt. It is also possible that the specific version or > configuration of the application is causing it to require additional access. > > Allowing Access > You can generate a local policy module to allow this access - see > http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable > SELinux protection altogether. Disabling SELinux protection is not > recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi > against this package. > > Additional Information > > Source Context system_u:system_r:squid_t:s0 > Target Context system_u:system_r:unconfined_t:s0 > Target Objects socket [ unix_stream_socket ] > Affected RPM Packages squid-2.6.STABLE17-1.fc8 [application] > Policy RPM selinux-policy-3.0.8-44.fc8 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name plugins.catchall > Host Name susannah.colina.demon.co.uk > Platform Linux susannah.colina.demon.co.uk 2.6.23.1-42.fc8 > #1 SMP Tue Oct 30 13:18:33 EDT 2007 x86_64 x86_64 > Alert Count 1 > First Seen Sat 26 Jan 2008 06:39:04 GMT > Last Seen Sat 26 Jan 2008 06:39:04 GMT > Local ID b8ea13f6-922f-4bb8-a448-09e80221eb2a > Line Numbers > > and additional similar alerts for sh (xdm), ntpd, and /usr/bin/gcin > > Is it safe to ignore these? Yes. This is just the unix stream socket connected to the pup application. You should upgrade selinux-policy though to a newer policy. pub opens a unix_stream_socket that yum-updated connects to and then sets stdout/stderr/stdin too. When rpm restarts or starts the squid service, the kernel checks if the squid domain can talk to the open file descriptors. It is not allowed so the kernel closes the file descriptors and replaces them with ones connected to /dev/null. These are dontaudited in the latest policy I believe. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkeeSTEACgkQrlYvE4MpobMH7QCdE010G6EBQcGxpXfrjvgi42uU 7vAAoNponOTc3uFhxnrSljMRv2TbbHNy =LnnZ -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list