Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:

> On 11/05/2012 07:55 PM, lee wrote:
>> Hi,
>>
>> selinux prevents squid 2.7 from running. What do I need to do to get it to
>> work? This selinux is really a PITA ... does it do any good at all?
>>
> What avcs are you getting?

Not any recent ones, see below. The ones I have seem to be from my attempts
to change permissions.

> man squid_selinux

,----
| [root@yun ~]# ls -laZ /var/spool/
| [...]
| drwxr-xr-x. root root unconfined_u:object_r:squid_cache_t:s0 squid
| [...]
| [root@yun ~]#
`----

So the directory should be set fine, according to the manpage.

,----
| [root@yun ~]# ls -laZ /etc/squid/squid.conf
| -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
| [root@yun ~]#
`----

The configuration file seems ok, too.

From the manpage:

    squid_exec_t - Set files with the squid_exec_t type, if you want to
    transition an executable to the squid_t domain.

What is that supposed to mean? What is a squid_t domain?

,----
| [root@yun ~]# ls -laZ /usr/local/squid/sbin/squid
| -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/squid/sbin/squid
| [root@yun ~]# chcon -v -t squid_t /usr/local/squid/sbin/squid
| changing security context of `/usr/local/squid/sbin/squid'
| chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
| [root@yun ~]#
`----

Huh? I guess I could force it by disabling selinux or switching to permissive
mode, but I'm probably not supposed to do that.

> Or do either of these booleans help.
>
> semanage boolean -l | grep squid
> squid_use_tproxy (off , off) Allow squid to run as a
> transparent proxy (TPROXY)
> squid_connect_any (on , on) Allow squid to connect to all
> ports, not just HTTP, FTP, and Gopher ports.

,----
| [root@yun ~]# semanage boolean -l | grep squid
| squid_use_tproxy (off , off) squid_use_tproxy
| squid_connect_any (on , on) squid_connect_any
`----

So this seems to be the same as you have.

I will need to adjust that once squid is able to run because I have specified
one other port I need squid to work with. Is it possible to allow just one
additional port rather than allowing all ports?

,----
| [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
| 2012/11/06 21:14:25| Creating Swap Directories
| FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
| Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
| CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
| Maximum Resident Size: 2064 KB
| Page faults with physical i/o: 0
| [root@yun ~]# ausearch -m avc -ts recent
| <no matches>
| [root@yun ~]# ausearch -m avc |grep squid
| type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
| type=AVC msg=audit(1352162879.956:132): avc: denied { relabelto } for pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
| type=AVC msg=audit(1352164028.526:142): avc: denied { relabelto } for pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
`----

There isn't any log output from squid about trying to create the cache
directory. Something --- probably selinux --- denies access to the cache
directory.

If I get it to run, as which user is squid supposed to run? Is squid
automatically changing to another user when I start it which then doesn't
have access to the cache directory because of "normal" file permissions?

BTW, if current squid could rewrite URLs, I could just use a current version.
Perhaps the latest development version can finally do that?
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
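As an added example (not part of lee's message or Dan Walsh's reply): a small Python parser for the `ausearch -m avc` output quoted in the mail. It pulls the denied permission, the source and target contexts and the object class out of each AVC record, and sanity-checks the context that the SELINUX_ERR record reports as invalid. The three sample records are copied from the mail; the parser itself is mine, and the field checks are a heuristic based on refpolicy naming conventions (`*_u`, `*_r`, `*_t`, `object_r` on files), not a lookup against the loaded policy.

```python
import re

# Constructed sample input: the three audit records quoted in the mail above.
SAMPLE_RECORDS = [
    'type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr '
    'invalid_context="system_u:unconfined_u:squid_t:system_r"',
    'type=AVC msg=audit(1352162879.956:132): avc: denied { relabelto } for pid=27686 '
    'comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:squid_t:s0 tclass=file',
    'type=AVC msg=audit(1352164028.526:142): avc: denied { relabelto } for pid=27849 '
    'comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:squid_t:s0 tclass=file',
]

HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fields(text):
    """Turn 'k=v k="v v"' into a dict, unquoting quoted values."""
    out = {}
    for m in FIELD_RE.finditer(text):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain colons."""
    return dict(zip(('user', 'role', 'type', 'range'), ctx.split(':', 3)))


def context_problems(ctx):
    """Heuristic checks on a context string using refpolicy naming conventions."""
    c = split_context(ctx)
    problems = []
    if not c.get('user', '').endswith('_u'):
        problems.append(f"user field {c.get('user')!r} does not end in _u")
    if not c.get('role', '').endswith('_r'):
        problems.append(f"role field {c.get('role')!r} does not end in _r")
    if not c.get('type', '').endswith('_t'):
        problems.append(f"type field {c.get('type')!r} does not end in _t")
    return problems


def parse_record(line):
    """Parse one audit line; returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'type': m.group('type'), 'timestamp': float(m.group('ts')),
           'serial': int(m.group('serial'))}
    rest = m.group('rest')
    if rec['type'] == 'AVC':
        a = AVC_RE.search(rest)
        if not a:
            return None
        rec['perms'] = a.group('perms').split()
        rec.update(parse_fields(a.group('fields')))
        rec['source'] = split_context(rec['scontext'])
        rec['target'] = split_context(rec['tcontext'])
    else:
        rec.update(parse_fields(rest))
    return rec


def avc_hints(rec):
    """Plain-language hints for an AVC record (conventions only, no policy lookup)."""
    hints = []
    if 'relabelto' in rec.get('perms', []):
        hints.append("relabelto denied: tcontext is the label chcon tried to apply and the "
                     "policy refused it for this object class")
    if rec.get('tclass') in ('file', 'dir') and rec['target'].get('role') != 'object_r':
        hints.append(f"target role {rec['target'].get('role')!r} on a {rec['tclass']}: files "
                     "normally carry object_r, so this looks like a process label, not a file label")
    return hints


def summarize(rec):
    """One human-readable line per parsed record."""
    if rec['type'] == 'AVC':
        return (f"AVC #{rec['serial']}: {rec.get('comm')} (pid {rec.get('pid')}) running as "
                f"{rec['source']['type']} was denied {','.join(rec['perms'])} on "
                f"{rec.get('tclass')} {rec.get('name')!r} labelled {rec['target']['type']}")
    if rec['type'] == 'SELINUX_ERR':
        ctx = rec.get('invalid_context', '')
        probs = '; '.join(context_problems(ctx)) or 'no obvious field problem'
        return f"SELINUX_ERR #{rec['serial']}: op={rec.get('op')} rejected context {ctx} ({probs})"
    return f"{rec['type']} #{rec['serial']}"


if __name__ == '__main__':
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(summarize(rec))
        for hint in avc_hints(rec) if rec['type'] == 'AVC' else []:
            print('   hint:', hint)
```

Run against the records from the mail, the SELINUX_ERR line is reported with its role field out of place (`unconfined_u` where a `*_r` role belongs), and the first relabelto denial is flagged for carrying `system_r` on a file object; the second denial has a well-formed context and is simply refused by policy, which is the case a `man <domain>_selinux` lookup of the intended file type resolves.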