Re: how do I get squid 2.7 to run?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/06/2012 04:00 PM, lee wrote:
> Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
> 
>> On 11/05/2012 07:55 PM, lee wrote:
>>> Hi,
>>> 
>>> selinux prevents squid 2.7 from running.  What do I need to do to get
>>> it to work?  This selinux is really a PITA ... does it do any good at
>>> all?
>>> 
>> What avcs are you getting?
> 
> Not any recent ones, see below.  The ones I have seem to be from my 
> attempts to change permissions.
> 
>> man squid_selinux
> 
> ,----
> | [root@yun ~]# ls -laZ /var/spool/
> | [...]
> | drwxr-xr-x. root   root unconfined_u:object_r:squid_cache_t:s0 squid
> | [...]
> | [root@yun ~]#
> `----
> 
> So the directory should be set fine, according to the manpage.
> 
> ,----
> | [root@yun ~]# ls -laZ /etc/squid/squid.conf
> | -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
> | [root@yun ~]#
> `----
> 
> The configuration file seems ok, too.
> 
> From the manpage:
> 
> 
> squid_exec_t
> 
> -  Set files with the squid_exec_t type, if you want to transition an
> executable to the squid_t domain.
> 
> 
> What is that supposed to mean?  What is a squid_t domain?
> 
> ,----
> | [root@yun ~]# ls -laZ /usr/local/squid/sbin/squid
> | -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/local/squid/sbin/squid
> | [root@yun ~]#  chcon -v -t squid_t /usr/local/squid/sbin/squid
> | changing security context of `/usr/local/squid/sbin/squid'
> | chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
> | [root@yun ~]#
> `----
> 
> Huh?  I guess I could force it by disabling selinux or switching to 
> permissive mode, but I'm probably not supposed to do that.
> 
> 
>> Or do either of these booleans help.
>> 
>> semanage boolean -l | grep squid
>> squid_use_tproxy               (off  ,  off)  Allow squid to run as a transparent proxy (TPROXY)
>> squid_connect_any              (on   ,   on)  Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
> 
> ,----
> | [root@yun ~]# semanage boolean -l | grep squid
> | squid_use_tproxy               (off  ,  off)  squid_use_tproxy
> | squid_connect_any              (on   ,   on)  squid_connect_any
> `----
> 
> So this seems to be the same as you have.  I will need to adjust that once
> squid is able to run because I have specified one other port I need squid
> to work with.  Is it possible to allow just one additional port rather than
> allowing all ports?
> 
> 
> ,----
> | [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
> | 2012/11/06 21:14:25| Creating Swap Directories
> | FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
> | Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
> | CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
> | Maximum Resident Size: 2064 KB
> | Page faults with physical i/o: 0
> | [root@yun ~]# ausearch -m avc -ts recent
> | <no matches>
> | [root@yun ~]# ausearch -m avc |grep squid
> | type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
> | type=AVC msg=audit(1352162879.956:132): avc:  denied  { relabelto } for  pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
> | type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for  pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
> `----
> 
> 
> There isn't any log output from squid about trying to create the cache 
> directory.  Something --- probably selinux --- denies access to the cache
> directory.
> 
> If I get it to run, as which user is squid supposed to run?  Is squid 
> automatically changing to another user when I start it which then doesn't
> have access to the cache directory because of "normal" file permissions?
> 
> 
> BTW, if current squid could rewrite URLs, I could just use a current 
> version.  Perhaps the latest development version can finally do that?
> 
squid_t is a process label type, not a file type.

But why are you not using the default squid that Fedora ships?

Not sure if this is an SELinux issue since you are running the non-standard
squid.  The non-standard squid is probably running as initrc_t, which is
unconfined.

ps -eZ | grep squid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCaSXoACgkQrlYvE4MpobPWBwCggKIgMJf36oidDkxnHDj3Pr/I
maYAn2XBEr/Y6Ff0eX0BueW/Ng1ET6Ng
=9LNT
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
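The three checks this thread circles around, as an added shell example that is not part of the thread or of the squid policy: which domain squid actually runs in (Dan's `ps -eZ`), whether the self-built binary carries `squid_exec_t` (the `squid_selinux` man page line lee quotes), and lee's question about opening one extra port instead of flipping `squid_connect_any`. Every input is constructed sample output embedded in the script, so it runs without SELinux tools present; the `semanage`/`restorecon` commands it recommends are printed, never executed. The port type `squid_port_t`, the assumption that the extra port is one squid listens on, and the `ls -laZ` column layout (the one the thread shows) are my assumptions, not statements from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage helpers for "squid vs
# SELinux". All input below is constructed sample output, so the script runs
# without SELinux tools; the fix commands are printed, never executed.

# An SELinux context is user:role:type:level; the type is the third field
# (system_u:object_r:bin_t:s0 -> bin_t). Also fine for MLS ranges like
# s0-s0:c0.c1023, which only add fields after the type.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Constructed `ps -eZ | grep squid` output: the first process runs as
# initrc_t (the unconfined case Dan describes for a non-packaged squid), the
# second as squid_t (what a confined, packaged squid looks like).
SAMPLE_PS='system_u:system_r:initrc_t:s0 27900 ? 00:00:00 squid
system_u:system_r:squid_t:s0 27901 ? 00:00:00 squid'

# One line per squid process: "<pid> <domain> confined|unconfined".
# A squid in initrc_t is outside the squid policy, so a "Permission denied"
# from it with no AVC in ausearch points at ordinary file permissions.
process_domains() {
    printf '%s\n' "$1" | while read -r ctx pid _tty _time cmd; do
        [ "$cmd" = squid ] || continue
        dom=$(selinux_type "$ctx")
        case "$dom" in
            squid_t) state=confined ;;
            *)       state=unconfined ;;
        esac
        printf '%s %s %s\n' "$pid" "$dom" "$state"
    done
}

# Constructed `ls -laZ` line in the column layout the thread shows
# (perms owner group context path; newer coreutils print more columns):
# the binary is bin_t, so exec never transitions it into squid_t.
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/squid/sbin/squid'

# Prints "ok" when the executable already has squid_exec_t; otherwise prints
# the persistent fix: record the label with semanage fcontext, then apply it
# with restorecon. chcon -t squid_t fails because squid_t is a process type,
# not a file type; squid_exec_t is the file type that triggers the transition.
check_exec_label() {
    set -- $1
    ctx=$4
    path=$5
    if [ "$(selinux_type "$ctx")" = squid_exec_t ]; then
        echo ok
    else
        echo "semanage fcontext -a -t squid_exec_t '$path'"
        echo "restorecon -v '$path'"
    fi
}

# Constructed `semanage port -l | grep squid` output with the default squid
# ports. Assumption (mine, not the thread's): the extra port is one squid
# listens on, so it belongs in squid_port_t.
SAMPLE_PORTS='squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3130, 3401, 4827'

# Given the port listing, a protocol and a port number: report that the port
# is already labelled, or print the single-port alternative to turning on
# squid_connect_any (which opens every port at once).
port_allow_command() {
    proto=$2
    port=$3
    if printf '%s\n' "$1" | grep -E "^squid_port_t +$proto +" | tr -d ',' \
        | grep -qw "$port"; then
        echo "already labelled squid_port_t/$proto"
    else
        echo "semanage port -a -t squid_port_t -p $proto $port"
    fi
}

# Stand-alone run over the constructed samples.
process_domains "$SAMPLE_PS"
check_exec_label "$SAMPLE_LS"
port_allow_command "$SAMPLE_PORTS" tcp 8080
```

On a real host the three inputs come from `ps -eZ | grep squid`, `ls -laZ` on the squid binary and `semanage port -l | grep squid`. If the extra port is one squid connects out to rather than listens on, `squid_port_t` is the wrong type to extend; the boolean Dan lists is the blunt alternative that covers both cases.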

