Re: how do I get squid 2.7 to run?

Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:

> On 11/06/2012 04:00 PM, lee wrote:
>> Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>> 
>>> On 11/05/2012 07:55 PM, lee wrote:
>>>> Hi,
>>>> 
>>>> selinux prevents squid 2.7 from running.  What do I need to do to get
>>>> it to work?  This selinux is really a PITA ... does it do any good at
>>>> all?
>>>> 
>>> What avcs are you getting?
>> 
>> Not any recent ones, see below.  The ones I have seem to be from my 
>> attempts to change permissions.
>> 
>>> man squid_selinux
>> 
>> ,----
>> | [root@yun ~]# ls -laZ /var/spool/
>> | [...]
>> | drwxr-xr-x. root   root unconfined_u:object_r:squid_cache_t:s0 squid
>> | [...]
>> | [root@yun ~]#
>> `----
>> 
>> So the directory should be set fine, according to the manpage.
>> 
>> ,----
>> | [root@yun ~]# ls -laZ /etc/squid/squid.conf
>> | -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
>> | [root@yun ~]#
>> `----
>> 
>> The configuration file seems ok, too.
>> 
>> From the manpage:
>> 
>> 
>> squid_exec_t
>> 
>> -  Set files with the squid_exec_t type, if you want to transition an
>> executable to the squid_t domain.
>> 
>> 
>> What is that supposed to mean?  What is a squid_t domain?
>> 
>> ,----
>> | [root@yun ~]# ls -laZ /usr/local/squid/sbin/squid
>> | -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/local/squid/sbin/squid
>> | [root@yun ~]#  chcon -v -t squid_t /usr/local/squid/sbin/squid
>> | changing security context of `/usr/local/squid/sbin/squid'
>> | chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
>> | [root@yun ~]#
>> `----
>> 
>> Huh?  I guess I could force it by disabling selinux or switching to 
>> permissive mode, but I'm probably not supposed to do that.
>> 
>> 
>>> Or do either of these booleans help.
>>> 
>>> semanage boolean -l | grep squid
>>> squid_use_tproxy               (off  ,  off)  Allow squid to run as a transparent proxy (TPROXY)
>>> squid_connect_any              (on   ,   on)  Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
>> 
>> ,----
>> | [root@yun ~]# semanage boolean -l | grep squid
>> | squid_use_tproxy               (off  ,  off)  squid_use_tproxy
>> | squid_connect_any              (on   ,   on)  squid_connect_any
>> `----
>> 
>> So this seems to be the same as you have.  I will need to adjust that once
>> squid is able to run because I have specified one other port I need squid
>> to work with.  Is it possible to allow just one additional port rather than
>> allowing all ports?
>> 
>> 
>> ,----
>> | [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
>> | 2012/11/06 21:14:25| Creating Swap Directories
>> | FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
>> | Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
>> | CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
>> | Maximum Resident Size: 2064 KB
>> | Page faults with physical i/o: 0
>> | [root@yun ~]# ausearch -m avc -ts recent
>> | <no matches>
>> | [root@yun ~]# ausearch -m avc |grep squid
>> | type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
>> | type=AVC msg=audit(1352162879.956:132): avc:  denied  { relabelto } for  pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
>> | type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for  pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
>> `----
>> 
>> 
>> There isn't any log output from squid about trying to create the cache 
>> directory.  Something --- probably selinux --- denies access to the cache
>> directory.
>> 
>> If I get it to run, as which user is squid supposed to run?  Is squid 
>> automatically changing to another user when I start it which then doesn't
>> have access to the cache directory because of "normal" file permissions?
>> 
>> 
>> BTW, if current squid could rewrite URLs, I could just use a current 
>> version.  Perhaps the latest development version can finally do that?
>> 
> squid_t is a process label type, not a file type.

What does that mean?

> But why are you not using the default squid that Fedora ships?

It's because I require a storeurl_rewrite_program, and that is not
available in squid 3.x.  I tried the default one first and it complained
about the option in the configuration, and it says on the squid website
that it hasn't been ported yet.

Without rewriting some URLs, it's not worthwhile to run squid because it
wouldn't cache what I want it to cache in the first place and which is
the very reason I want to run squid.

> Not sure if this is an SELinux issue since you are running the non standard
> squid.  The non standard squid is probably running as initrc_t, which is
> unconfined.
>
> ps -eZ | grep squid

Well I can't run squid 2.7 to check what it is running at because it
cannot create the cache.

Hmmm ...


,----
| [root@yun ~]# chmod a+rwx /var/spool/squid/
| [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
| 2012/11/07 13:22:28| Creating Swap Directories
`----


That actually worked, so it's perhaps not a selinux issue?  But squid is
running as root, so why doesn't it have access to its directories?

Ok it's running now after I changed ownership of /var/spool/squid to
squid:squid and made it rwx for user and group.  I have:


,----
| cache_effective_user squid
| cache_effective_group squid
`----


in the configuration.  Is that sufficient to prevent squid from running
as root?  It still shows up as root in ps.


-- 
Fedora 17
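As an added example (not part of the thread, and not squid's or Fedora's own tooling), a small POSIX sh script that reads the artefacts exchanged above: it summarises the AVC record quoted in the thread, checks a context string for the field-order problem visible in the SELINUX_ERR line, and pulls the domain a process runs in out of ps -eZ output, which is the check Daniel asked for. The AVC line is copied from the thread; the ps -eZ output is constructed, and the hint text only restates what the thread and man squid_selinux already say (squid_t is a process domain, the binary needs squid_exec_t to transition into it).

```shell
#!/bin/sh
# Added example, not from the thread: helpers to read the SELinux evidence
# the messages above exchange (AVC records, contexts, ps -eZ output).

# Sample AVC record, copied from the ausearch output quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for  pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file'

# Constructed ps -eZ output: a /usr/local squid whose binary is still bin_t
# runs unconfined (initrc_t), next to a daemon that did transition (sshd_t).
PS_SAMPLE='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:01 systemd
system_u:system_r:initrc_t:s0         27900 ?        00:00:00 squid
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?        00:00:00 sshd'

# context_is_sane CTX: accept user:role:type[:level] only when each slot
# carries the right kind of identifier.  The SELINUX_ERR line in the thread
# (invalid_context="system_u:unconfined_u:squid_t:system_r") fails this:
# a user sits in the role slot and a role follows the type.
context_is_sane() {
    ctx_user=$(printf '%s' "$1" | cut -d: -f1)
    ctx_role=$(printf '%s' "$1" | cut -d: -f2)
    ctx_type=$(printf '%s' "$1" | cut -d: -f3)
    case $ctx_user in *_u) ;; *) return 1 ;; esac
    case $ctx_role in *_r) ;; *) return 1 ;; esac
    case $ctx_type in *_t) ;; *) return 1 ;; esac
    return 0
}

# avc_summary LINE: reduce one AVC record to
# "comm permission source_type target_type class".
avc_summary() {
    comm=$(printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p')
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s %s\n' "$comm" "$perm" "$src" "$tgt" "$cls"
}

# diagnose_avc LINE: turn the summary into the hint the thread arrives at.
# Relabelling a file *to* squid_t is refused because squid_t is a domain for
# processes; the file type that leads into it is squid_exec_t.
diagnose_avc() {
    set -- $(avc_summary "$1")   # $1=comm $2=perm $3=src $4=tgt $5=class
    case "$2:$4:$5" in
        relabelto:squid_t:*)
            echo "squid_t is a process domain, not a file type; label the binary squid_exec_t (man squid_selinux) so that running it transitions into squid_t" ;;
        *)
            echo "$1 was denied $2 on a $5 ($3 -> $4); check the file label with ls -Z and the policy with man squid_selinux" ;;
    esac
}

# domain_for_comm PS_OUTPUT COMM: the type (domain) a process runs in, read
# from ps -eZ output.  initrc_t means no transition happened, i.e. the
# process is effectively unconfined, as the thread expects for a bin_t binary.
domain_for_comm() {
    printf '%s\n' "$1" | awk -v c="$2" '$NF == c { split($1, a, ":"); print a[3]; exit }'
}

# Stand-alone run on the samples.
avc_summary "$AVC_SAMPLE"
diagnose_avc "$AVC_SAMPLE"
echo "squid runs in domain: $(domain_for_comm "$PS_SAMPLE" squid)"
context_is_sane "system_u:unconfined_u:squid_t:system_r" \
    || echo "malformed context, compare the SELINUX_ERR record in the thread"
```

On a live box the same functions take real input: `avc_summary "$(ausearch -m avc -ts recent | tail -1)"` and `domain_for_comm "$(ps -eZ)" squid`. A squid that shows `initrc_t` here was never confined, so the cache-directory failure in the thread is ordinary file ownership, not policy, which matches what the chmod experiment showed.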
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx