Re: how do I get squid 2.7 to run?

Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:

> On 11/05/2012 07:55 PM, lee wrote:
>> Hi,
>> 
>> selinux prevents squid 2.7 from running.  What do I need to do to get it to
>> work?  This selinux is really a PITA ... does it do any good at all?
>> 
> What avcs are you getting?

Not any recent ones, see below.  The ones I have seem to be from my
attempts to change permissions.

> man squid_selinux

,----
| [root@yun ~]# ls -laZ /var/spool/
| [...]
| drwxr-xr-x. root   root   unconfined_u:object_r:squid_cache_t:s0 squid
| [...]
| [root@yun ~]# 
`----

So the directory should be set fine, according to the manpage.

,----
| [root@yun ~]# ls -laZ /etc/squid/squid.conf 
| -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
| [root@yun ~]# 
`----

The configuration file seems ok, too.

From the manpage:


       squid_exec_t

       -  Set files with the squid_exec_t type, if you want to transition
       an executable to the squid_t domain.


What is that supposed to mean?  What is a squid_t domain?

,----
| [root@yun ~]# ls -laZ /usr/local/squid/sbin/squid 
| -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/local/squid/sbin/squid
| [root@yun ~]# chcon -v -t squid_t /usr/local/squid/sbin/squid
| changing security context of `/usr/local/squid/sbin/squid'
| chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
| [root@yun ~]# 
`----

Huh?  I guess I could force it by disabling selinux or switching to
permissive mode, but I'm probably not supposed to do that.


> Or does either of these booleans help?
>
>  semanage boolean -l | grep squid
> squid_use_tproxy               (off  ,  off)  Allow squid to run as a
> transparent proxy (TPROXY)
> squid_connect_any              (on   ,   on)  Allow squid to connect to all
> ports, not just HTTP, FTP, and Gopher ports.

,----
| [root@yun ~]# semanage boolean -l | grep squid
| squid_use_tproxy               (off  ,  off)  squid_use_tproxy
| squid_connect_any              (on   ,   on)  squid_connect_any
`----

So this seems to be the same as you have.  I will need to adjust that
once squid is able to run because I have specified one other port I need
squid to work with.  Is it possible to allow just one additional port
rather than allowing all ports?


,----
| [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
| 2012/11/06 21:14:25| Creating Swap Directories
| FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
| Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
| CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
| Maximum Resident Size: 2064 KB
| Page faults with physical i/o: 0
| [root@yun ~]# ausearch -m avc -ts recent
| <no matches>
| [root@yun ~]# ausearch -m avc |grep squid
| type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
| type=AVC msg=audit(1352162879.956:132): avc:  denied  { relabelto } for  pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
| type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for  pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
`----


There isn't any log output from squid about trying to create the cache
directory.  Something --- probably selinux --- denies access to the
cache directory.

If I get it to run, as which user is squid supposed to run?  Is squid
automatically changing to another user when I start it which then
doesn't have access to the cache directory because of "normal" file
permissions?


BTW, if current squid could rewrite URLs, I could just use a current
version.  Perhaps the latest development version can finally do that?
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
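An added example, not from the thread: a small POSIX sh script that parses AVC records of the shape quoted above and prints the persistent labelling commands for the two problems discussed. The relabelto denial targets squid_t, which is the process domain, not a file type; the manpage quoted names squid_exec_t for the binary. The binary path and port number are placeholders, and the sample record is constructed from the ausearch output in the mail.

```shell
#!/bin/sh
# Added example, not from the thread. Parses AVC records like the ones quoted
# above and prints the labelling commands for the two problems discussed:
# chcon aimed at squid_t (a process domain, not a file type; the manpage names
# squid_exec_t for the binary) and allowing a single extra outbound port.

# Constructed sample, same shape as the ausearch output in the thread.
SAMPLE_AVC='type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for  pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file'

# avc_field RECORD KEY: value of KEY=value in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_permissions RECORD: the permission list between { and }.
avc_permissions() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avc RECORD: "comm permissions tclass target_type".
summarize_avc() {
    printf '%s %s %s %s\n' "$(avc_field "$1" comm)" "$(avc_permissions "$1")" \
        "$(avc_field "$1" tclass)" "$(context_type "$(avc_field "$1" tcontext)")"
}

# squid_label_commands BINARY PORT: the persistent fix, printed rather than
# run so it can be reviewed first. Labelling the binary squid_exec_t makes
# squid transition into squid_t when started; labelling the extra port as an
# HTTP port lets squid connect to it without squid_connect_any.
squid_label_commands() {
    cat <<EOF
semanage fcontext -a -t squid_exec_t '$1'
restorecon -v '$1'
semanage port -a -t http_port_t -p tcp $2
EOF
}

summarize_avc "$SAMPLE_AVC"
squid_label_commands /usr/local/squid/sbin/squid 3129
```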