-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vikram Goyal wrote: > Hi, > > I am running dansguardian ( content filter ) and squid. Versions: > > dansguardian-2.8.0.6-1.2.fc8.rf > squid-2.6.STABLE17-1.fc8 > selinux-policy-targeted-3.0.8-87.fc8 > > Well, I want to run dansguardian under selinux enforcing mode but due > some avcs I have to go to permissive mode or allow the blocked accesses, > neither of which I want. > > Bug reporting is also not an option since it is not in the fedora repos. > > The avcs are: > > type=AVC msg=audit(1205054238.538:28): avc: denied { write } for pid=5640 comm="dansguardian" name="run" dev=dm-1 ino=5186 57 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir > > type=AVC msg=audit(1205054238.538:29): avc: denied { write } for pid=5640 comm="dansguardian" name="dansguardian.pid" dev=dm-1 ino=518711 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dansguardian/access.log-20080309" dev=dm-1 ino=1102242 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dbmail.log-20080309" dev=dm-1 ino=1102187 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/dovecot.log-20080309" dev=dm-1 ino=1102273 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:dovecot_var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/rpmpkgs-20080309" dev=dm-1 ino=1102254 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/messages-20080309" dev=dm-1 ino=1102211 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/secure-20080309" dev=dm-1 ino=1102245 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/maillog-20080309" dev=dm-1 ino=1102246 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/spooler-20080309" dev=dm-1 ino=1102272 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/boot.log-20080309" dev=dm-1 ino=1102291 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/cron-20080309" dev=dm-1 ino=1102292 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file > > type=AVC msg=audit(1205054238.870:30): avc: denied { read write } for pid=5652 comm="squid" path="/var/log/setroubleshoot/setroubleshootd.log-20080309" dev=dm-1 ino=1102249 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:setroubleshoot_var_log_t:s0 tclass=file > > As you may see, except for the first three, the rest of the avcs show it > running wild and messing with a number of unrelated logs, which I don't > want to allow. > > I am confused as to how it should be handeled. > > Thanks! I have attached a policy te file to handle these avc;s These look like leaked file descriptors and I think dansguardian must be starting up squid. dansguardian should close open file descriptors on exec fcntl(fd, F_SETFD, FD_CLOEXEC) To use and install this policy extract the mysquid.te file into a directory and execute # yum -y install selinux-policy-devel # make -f /usr/share/selinux/devel/Makefile # semodule -i mysquid.pp -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkff1ioACgkQrlYvE4MpobOyiwCeIBamj58IGKJ7bc70tMcgS4w6 JesAoIaM7xO+yiER2GTsWellnLbCrIRw =ORuY -----END PGP SIGNATURE-----
module mysquid 1.0; require { type var_log_t; type cron_log_t; type dovecot_var_log_t; type logrotate_t; type var_run_t; type initrc_var_run_t; type squid_t; type setroubleshoot_var_log_t; class dir write; class file { read write }; } #============= logrotate_t ============== dontaudit logrotate_t initrc_var_run_t:file write; allow logrotate_t var_run_t:dir write; #============= squid_t ============== dontaudit squid_t cron_log_t:file { read write }; dontaudit squid_t dovecot_var_log_t:file { read write }; dontaudit squid_t setroubleshoot_var_log_t:file { read write }; dontaudit squid_t var_log_t:file { read write };
Attachment:
mysquid.te.sig
Description: Binary data
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list