Yes, I am using a compiled version. I have used this command, chcon -t unconfined_exec_t /usr/sbin/squid, and it's working now. Is this a security issue?

regards,
Bilal

----------------------------------------
> Date: Tue, 18 May 2010 14:26:06 +0200
> From: tiery.denys@xxxxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: SELINUX issue(confined>unconfined)
>
> Hi,
>
> ps -Z => squid_t and getenforce => enforcing
> squid is started with selinux
>
> Redhat/centos platform:
> If squid is installed with yum, squid will be started with a squid_t
> selinux context.
>
> If you compile your squid and install it, you will have to change
> squid files contexts manually.
>
> As I see you have squid_kerb_plugin, you should have compiled your squid
> to support kerberos, no?
>
> ---
>
> For your problem:
>
> try to check selinux log:
> audit2allow -al
> or cat /var/log/audit/audit.log | audit2allow
>
> You can also try to restore selinux context for all squid files:
> restorecon -R /etc/squid
> restorecon -R /var/log/squid
>
> etc...
>
> or touch /.autorelabel and reboot
>
>
> Tiery
>
> On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:
>>
>> Dear All,
>>
>> Your guidance is required. Please help.
>>
>> It looks that squid process runs by default as a confined process whether it's a compiled version or a version that comes with the linux distro. It means that the squid software is SELINUX aware. Am I right?
>>
>> [root@squidLhr ~]# ps -eZ | grep squid
>> system_u:system_r:squid_t 3173 ? 00:00:00 squid
>> system_u:system_r:squid_t 3175 ? 00:00:00 squid
>> system_u:system_r:squid_t 3177 ? 00:00:00 squid
>> system_u:system_r:squid_t 3179 ? 00:00:00 squid
>> system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
>> system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
>>
>>
>> It was successful before I changed the selinux to enforcing. Now I even cannot start squid process that access the parent at localhost(3128) manually even. The other process starts normally if I do manually.
>>
>> When running as an unconfined process by the following command the problem had resolved
>>
>> chcon -t unconfined_exec_t /usr/sbin/squid
>>
>> However it does not feel appropriate to me. Please guide me on this.
>>
>>
>> I am starting squid with the following init script if it has something to do with the problem:
>>
>> #!/bin/sh
>> #
>> #my script
>> case "$1" in
>> start)
>>     /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
>>     /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
>>     #The below line is to automatically start apache with system startup
>>     /usr/sbin/httpd -k start
>>     #KRB5_KTNAME=/etc/squid/HTTP.keytab
>>     #export KRB5_KTNAME
>>     #KRB5RCACHETYPE=none
>>     #export KRB5RCACHETYPE
>>     ;;
>> stop)
>>
>>     /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
>>     echo "Shutting down squid secondary process"
>>     /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
>>     echo "Shutting down squid main process"
>>     # The below line is to automatically stop apache at system shutdown
>>     /usr/sbin/httpd -k stop
>>     ;;
>> esac
>>
>>
>> Thanking you & regards,
>>
>> Bilal
>>
>>
>> ----------------------------------------
>>> From: gigoz@xxxxxxx
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Date: Tue, 18 May 2010 06:02:35 +0000
>>> Subject: SELINUX issue
>>>
>>>
>>> Hi all,
>>>
>>> When I change SELINUX from permissive mode to Enforcing mode, my multiple instance setup fails to start. Please guide how to overcome this.
>>>
>>> -----------------------Excerpts from cache.log-----------------
>>>
>>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>>> 2010/05/18 10:31:52| 51794 Entries scanned
>>> 2010/05/18 10:31:52| 0 Invalid entries.
>>> 2010/05/18 10:31:52| 0 With invalid flags.
>>> 2010/05/18 10:31:52| 51794 Objects loaded.
>>> 2010/05/18 10:31:52| 0 Objects expired.
>>> 2010/05/18 10:31:52| 0 Objects cancelled.
>>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>>> 2010/05/18 10:31:52| Beginning Validation Procedure
>>> 2010/05/18 10:31:52| Completed Validation Procedure
>>> 2010/05/18 10:31:52| Validated 103614 Entries
>>> 2010/05/18 10:31:52| store_swap_size = 913364
>>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>>> 2010/05/18 10:31:52| always_direct = 0
>>> 2010/05/18 10:31:52| never_direct = 1
>>> 2010/05/18 10:31:52| timedout = 0
>>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>>
>>> --------------------------------------------------------------------------------------------
>>>
>>>
>>> regards,
>>>
>>> Bilal
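
Added example, not part of the original thread: a triage of the audit log that the quoted reply suggests checking, grouping AVC denials for the `squid_t` domain by permission, object class and target type so each one can be matched to a labelling fix. The audit records are constructed samples, and `sample_audit_log` and `summarize_squid_avc` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for the squid_t domain.
# The audit records below are constructed samples, not taken from the thread.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1274167911.101:41): avc:  denied  { name_bind } for  pid=3173 comm="squid" src=3129 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1274167911.102:42): avc:  denied  { write } for  pid=3173 comm="squid" name="cache2" dev=dm-0 ino=1311 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1274167911.102:43): avc:  denied  { write } for  pid=3175 comm="squid" name="cache2" dev=dm-0 ino=1311 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1274167912.007:44): avc:  denied  { read } for  pid=2990 comm="httpd" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   count permission tclass target_type object
summarize_squid_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; sdom = ""; ttype = ""; tclass = ""; obj = "-"
        # Permission list sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
        for (i = 1; i <= NF; i++) {
            # The SELinux type is the third colon-separated part of a context.
            if ($i ~ /^scontext=/) { split($i, s, ":"); sdom = s[3] }
            else if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
            else if ($i ~ /^(name|path|src|dest)=/) obj = $i
        }
        if (sdom != "squid_t") next      # ignore other confined domains
        gsub(/"/, "", obj)
        seen[perm " " tclass " " ttype " " obj]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort
}

sample_audit_log | summarize_squid_avc
```

On a real host the function would be fed `/var/log/audit/audit.log`; a denial against a generic port type is normally resolved with `semanage port`, and one against a generically labelled file or directory with `semanage fcontext` followed by `restorecon`.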