Paul Howarth wrote:
On Wed, 2006-07-12 at 09:33 +0700, Lutfi wrote:
After upgrading to FC5, my squid cannot use havp (localhost:8080) as a
parent proxy anymore. The audit log msg is here:
===> /var/log/audit/audit.log
type=AVC msg=audit(1152671338.823:21775): avc: denied
{ name_connect } for pid=2371 comm="squid" dest=8080
scontext=system_u:system_r:squid_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c
items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23
egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
subj=system_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1152671338.823:21775):
saddr=02001F907F0000010000000000000000
type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12
a1=bbdd8f8 a2=10
How to fix this? Thx
This is off-topic for fedora-extras-list. Please address any followups
to fedora-selinux-list, where the right people will see it to get the
problem fixed in the next selinux-policy update.
I have fixed this problem here using a local policy module:
policy_module(localmisc, 0.1.0)

require {
        type squid_t;
};

# Squid doing what comes naturally? WTF?
corenet_tcp_connect_http_cache_port(squid_t)
corenet_tcp_sendrecv_http_cache_port(squid_t)
Ah, the real disadvantage of modules comes out.. hopefully policy issues
like these will be referred to refpolicy upstream as well, so that the
mainline policy can be fixed and not just this person's local setup...
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
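
Added example, not part of the original messages: a Python sketch that parses the AVC and SOCKADDR records quoted in the thread to confirm which domain was denied which permission, and on what destination. The function names are hypothetical, and the decoder assumes an AF_INET address logged by a little-endian host (arch=40000003 in the SYSCALL record is i386).

```python
import re
import socket
import struct

# Records copied from the audit.log excerpt in the thread (line wraps joined).
AVC = ('type=AVC msg=audit(1152671338.823:21775): avc: denied '
       '{ name_connect } for pid=2371 comm="squid" dest=8080 '
       'scontext=system_u:system_r:squid_t:s0 '
       'tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket')
SOCKADDR = ('type=SOCKADDR msg=audit(1152671338.823:21775): '
            'saddr=02001F907F0000010000000000000000')

def parse_avc(line):
    """Extract the denied permissions and key=value fields of an AVC record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC denial record')
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {k: v.strip('"') for k, v in pairs}
    fields['perms'] = m.group(1).split()
    # An SELinux context is user:role:type[:level]; the type is what policy rules name.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields

def decode_saddr(line):
    """Decode the hex struct sockaddr_in of a SOCKADDR record to (address, port)."""
    m = re.search(r'saddr=([0-9A-Fa-f]+)', line)
    if not m or len(m.group(1)) < 16:
        raise ValueError('no usable saddr field')
    raw = bytes.fromhex(m.group(1))
    # sa_family is stored in host byte order (assumed little-endian here).
    family = struct.unpack('<H', raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError('only AF_INET is handled, got family %d' % family)
    # sin_port and sin_addr are in network byte order.
    port = struct.unpack('!H', raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port

def summarize(avc_line, sockaddr_line):
    """One-line summary tying the denial to the decoded destination."""
    avc = parse_avc(avc_line)
    addr, port = decode_saddr(sockaddr_line)
    return '{} ({}) denied {} on {}:{} -> {}:{}'.format(
        avc['comm'], avc['source_type'], ','.join(avc['perms']),
        avc['target_type'], avc['tclass'], addr, port)

if __name__ == '__main__':
    print(summarize(AVC, SOCKADDR))
```

The decoded destination matches the havp parent proxy on localhost:8080, and the source type and target port type are the ones named in the local policy module above.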