SELinux breaks Squid's ssl_crtd helper

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hi,

I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7,
using Squid. Here's my configuration file.

--8<----------------------------------------------------------------
# /etc/squid/squid.conf



# Définitions

acl localnet src 192.168.2.0/24

acl SSL_ports port 443

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Règles d'accès
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Ports du proxy
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Emplacement de ssl_crtd et du cache des certificats TLS
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Taille du cache dans la RAM
cache_mem 2048 MB

# Emplacement et taille du cache sur le disque
# cache_dir ufs /var/spool/squid 100 16 256

# Vidage système
coredump_dir /var/spool/squid

# Durée de vie des fichiers sans date d'expiration
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
--8<----------------------------------------------------------------

First, I tested the configuration in permissive mode, where it works
perfectly. After running it a while, I get the following SELinux alert.

# sealert -a /var/log/audit/audit.log
***** Plugin catchall (17.1 confidence) suggests *****
If you believe that ssl_crtd should be allowed read access on the
index.txt file by default. Then you should report this as a bug. You can
generate a local policy module to allow this access. Do allow this
access for now by executing:
# ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
# semodule -i my-sslcrtd.pp

Unfortunately the suggested solution doesn't work, because the problem
reappears, and I get all sorts of errors in /var/log/squid/cache.log,
all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db.

Any idea how I can solve this problem permanently ?

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux