Okay, I have also worked on a similar project (squid/kerberos/selinux). I installed squid in /usr/local/squid but I had to modify /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my squid directory:

/usr/local/squid/etc(/.*)?                 system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/logs(/.*)?            system_u:object_r:squid_log_t:s0
/usr/local/squid/share(/.*)?               system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/cache(/.*)?           system_u:object_r:squid_cache_t:s0
/usr/local/squid/sbin/squid            --  system_u:object_r:squid_exec_t:s0
/usr/local/squid/var/logs/squid\.pid   --  system_u:object_r:squid_var_run_t:s0
/usr/local/squid/libexec(/.*)?             system_u:object_r:lib_t:s0
/usr/local/squid                       -d  system_u:object_r:bin_t:s0
/usr/local/squid/var                   -d  system_u:object_r:var_t:s0

Then restore the context (with restorecon, or .autorelabel and reboot).

But I am not sure modifying this file is the best way. If you update your selinux policy, the change will not be persistent. I think it is better to build a selinux module for our squid.

Tiery

On Tue, May 18, 2010 at 2:34 PM, GIGO . <gigoz@xxxxxxx> wrote:
>
> Yes, I am using a compiled version. I have used this command
>
>     chcon -t unconfined_exec_t /usr/sbin/squid
>
> and it's working now. Is this a security issue?
>
> regards,
>
> Bilal
>
> ----------------------------------------
>> Date: Tue, 18 May 2010 14:26:06 +0200
>> From: tiery.denys@xxxxxxxxx
>> To: squid-users@xxxxxxxxxxxxxxx
>> Subject: Re: SELINUX issue(confined>unconfined)
>>
>> Hi,
>>
>> ps -Z => squid_t and getenforce => enforcing
>> squid is started with selinux
>>
>> Redhat/centos platform:
>> If squid is installed with yum, squid will be started with a squid_t
>> selinux context.
>>
>> If you compile your squid and install it, you will have to change
>> the squid files' contexts manually.
>>
>> As I see you have squid_kerb_plugin, you should have compiled your squid
>> to support kerberos, no?
>>
>> ---
>>
>> For your problem:
>>
>> try to check the selinux log:
>>   audit2allow -al
>> or
>>   cat /var/log/audit/audit.log | audit2allow
>>
>> You can also try to restore the selinux context for all squid files:
>>   restorecon -R /etc/squid
>>   restorecon -R /var/log/squid
>>   etc...
>>
>> or touch /.autorelabel and reboot
>>
>> Tiery
>>
>> On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:
>>>
>>> Dear All,
>>>
>>> Your guidance is required. Please help.
>>>
>>> It looks like the squid process runs by default as a confined process, whether it's a compiled version or the version that comes with the linux distro. It means that the squid software is SELINUX aware. Am I right?
>>>
>>> [root@squidLhr ~]# ps -eZ | grep squid
>>> system_u:system_r:squid_t 3173 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3175 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3177 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3179 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
>>> system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
>>>
>>> It was successful before I changed selinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.
>>>
>>> When running as an unconfined process by the following command the problem was resolved:
>>>
>>> chcon -t unconfined_exec_t /usr/sbin/squid
>>>
>>> However it does not feel appropriate to me. Please guide me on this.
>>>
>>> I am starting squid with the following init script, if it has something to do with the problem:
>>>
>>> #!/bin/sh
>>> #
>>> # my script
>>> case "$1" in
>>> start)
>>>     /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
>>>     /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
>>>     # The below line is to automatically start apache with system startup
>>>     /usr/sbin/httpd -k start
>>>     #KRB5_KTNAME=/etc/squid/HTTP.keytab
>>>     #export KRB5_KTNAME
>>>     #KRB5RCACHETYPE=none
>>>     #export KRB5RCACHETYPE
>>>     ;;
>>> stop)
>>>     # -k shutdown must be given the same config file each instance was
>>>     # started with, so that it finds that instance's pid file
>>>     /usr/sbin/squid -k shutdown -f /etc/squid/squidcache.conf
>>>     echo "Shutting down squid secondary process"
>>>     /usr/sbin/squid -k shutdown -f /etc/squid/squid.conf
>>>     echo "Shutting down squid main process"
>>>     # The below line is to automatically stop apache at system shutdown
>>>     /usr/sbin/httpd -k stop
>>>     ;;
>>> esac
>>>
>>> Thanking you & regards,
>>>
>>> Bilal
>>>
>>> ----------------------------------------
>>>> From: gigoz@xxxxxxx
>>>> To: squid-users@xxxxxxxxxxxxxxx
>>>> Date: Tue, 18 May 2010 06:02:35 +0000
>>>> Subject: SELINUX issue
>>>>
>>>> Hi all,
>>>>
>>>> When I change SELINUX from permissive mode to Enforcing mode, my multiple instance setup fails to start. Please guide how to overcome this.
>>>>
>>>> -----------------------Excerpts from cache.log-----------------
>>>>
>>>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>>>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>>>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>>>> 2010/05/18 10:31:52| 51794 Entries scanned
>>>> 2010/05/18 10:31:52| 0 Invalid entries.
>>>> 2010/05/18 10:31:52| 0 With invalid flags.
>>>> 2010/05/18 10:31:52| 51794 Objects loaded.
>>>> 2010/05/18 10:31:52| 0 Objects expired.
>>>> 2010/05/18 10:31:52| 0 Objects cancelled.
>>>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>>>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>>>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>>>> 2010/05/18 10:31:52| Beginning Validation Procedure
>>>> 2010/05/18 10:31:52| Completed Validation Procedure
>>>> 2010/05/18 10:31:52| Validated 103614 Entries
>>>> 2010/05/18 10:31:52| store_swap_size = 913364
>>>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>>>> 2010/05/18 10:31:52| always_direct = 0
>>>> 2010/05/18 10:31:52| never_direct = 1
>>>> 2010/05/18 10:31:52| timedout = 0
>>>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>>>
>>>> --------------------------------------------------------------------------------------------
>>>>
>>>> regards,
>>>>
>>>> Bilal
>>>> _________________________________________________________________
>>>> Hotmail: Trusted email with powerful SPAM protection.
>>>> https://signup.live.com/signup.aspx?id=60969
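Tiery's closing point, that an edited file_contexts is overwritten by the next policy update, as an added example that is not code from the thread or from the Squid project: the same labels recorded with semanage fcontext (which stores them in file_contexts.local, which policy updates leave alone), followed by restorecon, plus the denial-to-module step he suggests via audit2allow instead of the chcon to unconfined_exec_t. It assumes the /usr/local/squid prefix from his list, a RHEL/CentOS targeted policy that ships the squid_* types, and that semanage, ausearch and audit2allow are installed; the module name squidlocal is an arbitrary choice. The file-type flags (-- and -d) from his list are dropped because each of those regexes is an exact path anyway.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Labels a Squid built
# into /usr/local/squid with the targeted policy's squid_* types through
# semanage(8), which records the rules in file_contexts.local so they
# survive policy updates, instead of editing file_contexts by hand.
# Assumptions: RHEL/CentOS targeted policy, policycoreutils-python
# (semanage) and audit (ausearch/audit2allow) installed, root for "apply".
set -e

PREFIX=${PREFIX:-/usr/local/squid}   # assumed install prefix

# Same rule set Tiery listed, in file_contexts syntax:
#   <regex> [file-type flag] <context>
squid_fcontext_rules() {
    cat <<EOF
$PREFIX/etc(/.*)?             system_u:object_r:squid_conf_t:s0
$PREFIX/share(/.*)?           system_u:object_r:squid_conf_t:s0
$PREFIX/var/logs(/.*)?        system_u:object_r:squid_log_t:s0
$PREFIX/var/cache(/.*)?       system_u:object_r:squid_cache_t:s0
$PREFIX/sbin/squid         -- system_u:object_r:squid_exec_t:s0
$PREFIX/var/logs/squid\.pid -- system_u:object_r:squid_var_run_t:s0
$PREFIX/libexec(/.*)?         system_u:object_r:lib_t:s0
$PREFIX                    -d system_u:object_r:bin_t:s0
$PREFIX/var                -d system_u:object_r:var_t:s0
EOF
}

# Pull the type out of a user:role:type:level context string.
fcontext_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the semanage command equivalent to each rule line (dry run).
# The file-type flag is ignored: the regexes are exact paths, and
# semanage fills in user/role/level from the policy itself.
rules_to_semanage() {
    while read -r regex rest; do
        case "$regex" in ''|'#'*) continue ;; esac
        ctx=${rest##* }                       # last field is the context
        printf "semanage fcontext -a -t %s '%s'\n" \
            "$(fcontext_type "$ctx")" "$regex"
    done
}

# Record the rules persistently and relabel the tree.
apply_squid_labels() {
    squid_fcontext_rules | while read -r regex rest; do
        case "$regex" in ''|'#'*) continue ;; esac
        setype=$(fcontext_type "${rest##* }")
        # -a refuses to overwrite an existing rule for the same regex;
        # -m modifies it instead, so re-running the script is safe.
        semanage fcontext -a -t "$setype" "$regex" 2>/dev/null \
            || semanage fcontext -m -t "$setype" "$regex"
    done
    restorecon -Rv "$PREFIX"
    # The binary must carry squid_exec_t, otherwise the daemon never
    # transitions into squid_t (ps -eZ would not show squid_t).
    ls -Z "$PREFIX/sbin/squid"
}

# If squid is still denied after relabelling, turn the recorded AVC
# denials into a local module for review instead of unconfining squid.
# Inspect squidlocal.te before: semodule -i squidlocal.pp
build_local_module() {
    ausearch -m avc -c squid --raw | audit2allow -M squidlocal
    cat squidlocal.te
}

case "${1:-show}" in
    show)   squid_fcontext_rules | rules_to_semanage ;;
    apply)  apply_squid_labels ;;
    module) build_local_module ;;
    *)      echo "usage: $0 show|apply|module" >&2; exit 2 ;;
esac
```

Run it with show to see the semanage commands it would issue, with apply as root to record them and relabel, and with module only if AVC denials remain after the relabel. Read squidlocal.te before semodule -i: audit2allow allows exactly what was denied, and an over-broad allow rule undoes the confinement that makes squid_t worth keeping, which is also why the chcon to unconfined_exec_t "works". For a denied connect to the parent on 127.0.0.1:3128, check getsebool squid_connect_any first where the policy provides that boolean; toggling it is a smaller change than a custom module.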