Re: dansguardian and selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vikram Goyal wrote:
> Hi,
> 
> I am running dansguardian ( content filter ) and squid. Versions:
> 
> dansguardian-2.8.0.6-1.2.fc8.rf
> squid-2.6.STABLE17-1.fc8
> selinux-policy-targeted-3.0.8-87.fc8
> 
> Well, I want to run dansguardian under selinux enforcing mode but due
> some avcs I have to go to permissive mode or allow the blocked accesses,
> neither of which I want.
> 
> Bug reporting is also not an option since it is not in the fedora repos.
> 
> The avcs are:
> 
> type=AVC msg=audit(1205054238.538:28): avc:  denied  { write } for pid=5640 comm="dansguardian" name="run" dev=dm-1 ino=5186 57 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> 
> type=AVC msg=audit(1205054238.538:29): avc:  denied  { write } for pid=5640 comm="dansguardian" name="dansguardian.pid" dev=dm-1 ino=518711 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/dansguardian/access.log-20080309" dev=dm-1 ino=1102242 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/dbmail.log-20080309" dev=dm-1 ino=1102187 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/dovecot.log-20080309" dev=dm-1 ino=1102273 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:dovecot_var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/rpmpkgs-20080309" dev=dm-1 ino=1102254 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/messages-20080309" dev=dm-1 ino=1102211 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/secure-20080309" dev=dm-1 ino=1102245 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/maillog-20080309" dev=dm-1 ino=1102246 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/spooler-20080309" dev=dm-1 ino=1102272 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/boot.log-20080309" dev=dm-1 ino=1102291 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/cron-20080309" dev=dm-1 ino=1102292 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> type=AVC msg=audit(1205054238.870:30): avc:  denied  { read write } for pid=5652 comm="squid" path="/var/log/setroubleshoot/setroubleshootd.log-20080309" dev=dm-1 ino=1102249 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:setroubleshoot_var_log_t:s0 tclass=file
> 
> As you may see, except for the first three, the rest of the avcs show it
> running wild and messing with a number of unrelated logs, which I don't
> want to allow.
> 
> I am confused as to how it should be handeled.
> 
> Thanks!

I have attached a policy te file to handle these avc;s

These look like leaked file descriptors and I think dansguardian must be
starting up squid.

dansguardian should close open file descriptors on exec

fcntl(fd, F_SETFD, FD_CLOEXEC)

To use and install this policy extract the mysquid.te file into a
directory and execute
# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysquid.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkff1ioACgkQrlYvE4MpobOyiwCeIBamj58IGKJ7bc70tMcgS4w6
JesAoIaM7xO+yiER2GTsWellnLbCrIRw
=ORuY
-----END PGP SIGNATURE-----
module mysquid 1.0;

require {
	type var_log_t;
	type cron_log_t;
	type dovecot_var_log_t;
	type logrotate_t;
	type var_run_t;
	type initrc_var_run_t;
	type squid_t;
	type setroubleshoot_var_log_t;
	class dir write;
	class file { read write };
}

#============= logrotate_t ==============
dontaudit logrotate_t initrc_var_run_t:file write;
allow logrotate_t var_run_t:dir write;

#============= squid_t ==============
dontaudit squid_t cron_log_t:file { read write };
dontaudit squid_t dovecot_var_log_t:file { read write };
dontaudit squid_t setroubleshoot_var_log_t:file { read write };
dontaudit squid_t var_log_t:file { read write };

Attachment: mysquid.te.sig
Description: Binary data

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux