Hi,

I use CentOS 5.3 and currently have no knowledge of SELinux, as yesterday was the first time I studied it. As you could have guessed, I am a newbie in the Linux field. Yes, I have been assigned the project of migrating from ISA to Squid (management, having confidence in my capability to learn/understand things, has assigned it...). And I assume it would take quite some time to be able to build the policy myself, for which I am short of time. So I am thinking of postponing it to some future time, and concentrating on other issues/stabilization that are necessary for the required basic functionality. Once the project is piloted and management shows confidence in me, I can do more challenging tasks like this. But if you think it is really very necessary, then definitely I will look forward to completing this task before piloting. Any tips/guidance will be warmly welcomed.

Thanking you & regards,

Bilal

----------------------------------------
> Date: Wed, 19 May 2010 11:33:40 +0200
> From: tiery.denys@xxxxxxxxx
> To: gigoz@xxxxxxx
> CC: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: SELINUX issue(confined>unconfined)
>
> Hi,
>
> In permissive mode, you only get logs, but SELinux will not be active
> (it will not forbid unauthorized access). Usually you put SELinux in
> permissive mode only in order to get all the access-denied logs in
> audit.log, in order to build a policy module or adjust file contexts.
>
> I suggest you spend some time on SELinux; it can really increase the
> security of your proxy server.
>
> But you will need to build a policy module for squid_kerb_auth, which
> is not currently supported by the SELinux policy on Red Hat-like systems.
>
> What distribution do you use?
>
>
> Tiery
>
>
> On Wed, May 19, 2010 at 6:17 AM, GIGO . wrote:
>>
>> Thank you, I will give it a try. However, I am also thinking of running SELinux in permissive mode for my proxy server. What do you say about it?
>>
>>
>> regards,
>>
>> Bilal
>>
>> ----------------------------------------
>>> Date: Tue, 18 May 2010 15:00:05 +0200
>>> From: tiery.denys@xxxxxxxxx
>>> To: gigoz@xxxxxxx
>>> CC: squid-users@xxxxxxxxxxxxxxx
>>> Subject: Re: SELINUX issue(confined>unconfined)
>>>
>>> Okay,
>>>
>>> I have also worked on a similar project (squid/kerberos/selinux).
>>> I installed squid in /usr/local/squid, but I had to modify
>>> /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my
>>> squid directory.
>>>
>>> /usr/local/squid/etc(/.*)?                    system_u:object_r:squid_conf_t:s0
>>> /usr/local/squid/var/logs(/.*)?               system_u:object_r:squid_log_t:s0
>>> /usr/local/squid/share(/.*)?                  system_u:object_r:squid_conf_t:s0
>>> /usr/local/squid/var/cache(/.*)?              system_u:object_r:squid_cache_t:s0
>>> /usr/local/squid/sbin/squid               --  system_u:object_r:squid_exec_t:s0
>>> /usr/local/squid/var/logs/squid\.pid      --  system_u:object_r:squid_var_run_t:s0
>>> /usr/local/squid/libexec(/.*)?                system_u:object_r:lib_t:s0
>>> /usr/local/squid                          -d  system_u:object_r:bin_t:s0
>>> /usr/local/squid/var                      -d  system_u:object_r:var_t:s0
>>>
>>> Then restore the contexts (with restorecon, or .autorelabel and reboot).
>>>
>>> But I am not sure modifying this file is the best way.
>>> If you update your SELinux policy, the change will not be persistent.
>>>
>>> I think it is better to build an SELinux module for our squid.
>>>
>>> Tiery
>>>
>>>
>>>
>>> On Tue, May 18, 2010 at 2:34 PM, GIGO . wrote:
>>>>
>>>> Yes, I am using a compiled version. I have used this command, chcon -t unconfined_exec_t /usr/sbin/squid, and it is working now. Is this a security issue?
>>>>
>>>> regards,
>>>>
>>>> Bilal
>>>>
>>>>
>>>> ----------------------------------------
>>>>> Date: Tue, 18 May 2010 14:26:06 +0200
>>>>> From: tiery.denys@xxxxxxxxx
>>>>> To: squid-users@xxxxxxxxxxxxxxx
>>>>> Subject: Re: SELINUX issue(confined>unconfined)
>>>>>
>>>>> Hi,
>>>>>
>>>>> ps -Z => squid_t and getenforce => enforcing
>>>>> squid is started with SELinux
>>>>>
>>>>> Red Hat/CentOS platform:
>>>>> If squid is installed with yum, squid will be started with a squid_t
>>>>> SELinux context.
>>>>>
>>>>> If you compiled your squid and installed it, you will have to change
>>>>> the squid files' contexts manually.
>>>>>
>>>>> As I see you have squid_kerb_plugin, you should have compiled your squid
>>>>> to support Kerberos, no?
>>>>>
>>>>> ---
>>>>>
>>>>> For your problem:
>>>>>
>>>>> try to check the SELinux log:
>>>>> audit2allow -al
>>>>> or cat /var/log/audit/audit.log | audit2allow
>>>>>
>>>>> You can also try to restore the SELinux context for all squid files:
>>>>> restorecon -R /etc/squid
>>>>> restorecon -R /var/log/squid
>>>>>
>>>>> etc...
>>>>>
>>>>> or touch /.autorelabel and reboot
>>>>>
>>>>>
>>>>> Tiery
>>>>>
>>>>> On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>> Your guidance is required. Please help.
>>>>>>
>>>>>> It looks like the squid process runs by default as a confined process, whether it is a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux-aware. Am I right?
>>>>>>
>>>>>> [root@squidLhr ~]# ps -eZ | grep squid
>>>>>> system_u:system_r:squid_t 3173 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3175 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3177 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3179 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
>>>>>> system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
>>>>>>
>>>>>>
>>>>>> It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.
>>>>>>
>>>>>> When running as an unconfined process, by means of the following command, the problem was resolved:
>>>>>>
>>>>>> chcon -t unconfined_exec_t /usr/sbin/squid
>>>>>>
>>>>>> However, it does not feel appropriate to me. Please guide me on this.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am starting squid with the following init script, if it has something to do with the problem:
>>>>>>
>>>>>> #!/bin/sh
>>>>>> #
>>>>>> # my script: start/stop the two squid instances (cache parent and front-end) plus apache
>>>>>> case "$1" in
>>>>>>   start)
>>>>>>     /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
>>>>>>     /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
>>>>>>     # The line below is to automatically start apache with system startup
>>>>>>     /usr/sbin/httpd -k start
>>>>>>     #KRB5_KTNAME=/etc/squid/HTTP.keytab
>>>>>>     #export KRB5_KTNAME
>>>>>>     #KRB5RCACHETYPE=none
>>>>>>     #export KRB5RCACHETYPE
>>>>>>     ;;
>>>>>>   stop)
>>>>>>     # -k shutdown must be given the same config files as start), otherwise
>>>>>>     # squid cannot find the PID file of the instance to stop
>>>>>>     /usr/sbin/squid -k shutdown -f /etc/squid/squidcache.conf
>>>>>>     echo "Shutting down squid secondary process"
>>>>>>     /usr/sbin/squid -k shutdown -f /etc/squid/squid.conf
>>>>>>     echo "Shutting down squid main process"
>>>>>>     # The line below is to automatically stop apache at system shutdown
>>>>>>     /usr/sbin/httpd -k stop
>>>>>>     ;;
>>>>>>   *)
>>>>>>     echo "Usage: $0 {start|stop}"
>>>>>>     exit 1
>>>>>>     ;;
>>>>>> esac
>>>>>> exit 0
>>>>>>
>>>>>>
>>>>>> Thanking you & regards,
>>>>>>
>>>>>> Bilal
>>>>>>
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> From: gigoz@xxxxxxx
>>>>>>> To: squid-users@xxxxxxxxxxxxxxx
>>>>>>> Date: Tue, 18 May 2010 06:02:35 +0000
>>>>>>> Subject: SELINUX issue
>>>>>>>
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> When I change SELinux from permissive mode to enforcing mode, my multiple-instance setup fails to start. Please guide me on how to overcome this.
>>>>>>>
>>>>>>> -----------------------Excerpts from cache.log-----------------
>>>>>>>
>>>>>>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>>>>>>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>>>>>>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>>>>>>> 2010/05/18 10:31:52| 51794 Entries scanned
>>>>>>> 2010/05/18 10:31:52| 0 Invalid entries.
>>>>>>> 2010/05/18 10:31:52| 0 With invalid flags.
>>>>>>> 2010/05/18 10:31:52| 51794 Objects loaded.
>>>>>>> 2010/05/18 10:31:52| 0 Objects expired.
>>>>>>> 2010/05/18 10:31:52| 0 Objects cancelled.
>>>>>>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>>>>>>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>>>>>>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>>>>>>> 2010/05/18 10:31:52| Beginning Validation Procedure
>>>>>>> 2010/05/18 10:31:52| Completed Validation Procedure
>>>>>>> 2010/05/18 10:31:52| Validated 103614 Entries
>>>>>>> 2010/05/18 10:31:52| store_swap_size = 913364
>>>>>>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>>>>>>> 2010/05/18 10:31:52| always_direct = 0
>>>>>>> 2010/05/18 10:31:52| never_direct = 1
>>>>>>> 2010/05/18 10:31:52| timedout = 0
>>>>>>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>>>>>>
>>>>>>> --------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> regards,
>>>>>>>
>>>>>>> Bilal
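Editor's added example (not code from this thread, from Squid, or from the SELinux policy). The thread's open question is what enforcing mode actually denied: cache.log only shows the symptom ("TCP connection to 127.0.0.1/3128 failed" for the instance that talks to the parent), while /var/log/audit/audit.log holds the cause. Relabelling the binary unconfined_exec_t, as Bilal did, makes the problem disappear because it removes the confinement entirely: squid then runs in unconfined_t, so a compromised squid (or helper) can do anything root can do, and the chcon is lost at the next relabel anyway. Before deciding between restorecon, a boolean, or an audit2allow module, a practitioner would first summarize the denials for the squid_t domain. The script below does that for one source domain, assuming the standard auditd AVC record format (type=AVC ... avc:  denied  { perm } for ... scontext=... tcontext=... tclass=...). The sample records at the bottom are constructed for illustration; they are not from Bilal's proxy, and the two denial types shown (connecting to the parent port and reading a file still labelled var_t) are plausible for this setup, not facts established by the thread.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials for one source domain.
# Not part of the squid-users thread. Needs only a POSIX shell, awk and sort.

# avc_summary DOMAIN < audit.log
# Prints "COUNT PERMS TCLASS TCONTEXT", most frequent first, for every denied
# AVC record whose source type (third field of scontext) equals DOMAIN.
# Granted records and records from other domains are ignored, so running it
# with squid_t shows exactly what enforcing mode blocked for squid.
avc_summary() {
    awk -v domain="$1" '
        /type=AVC/ && / denied / {
            perms = ""; stype = ""; tctx = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    # permissions are listed between "{" and "}", e.g. { read write }
                    for (j = i + 1; j <= NF && $j != "}"; j++) {
                        perms = perms (perms == "" ? "" : ",") $j
                    }
                } else if (index($i, "scontext=") == 1) {
                    # scontext=user:role:type[:level] -> keep the type
                    split(substr($i, 10), c, ":"); stype = c[3]
                } else if (index($i, "tcontext=") == 1) {
                    tctx = substr($i, 10)
                } else if (index($i, "tclass=") == 1) {
                    tclass = substr($i, 8)
                }
            }
            if (stype == domain) n[perms " " tclass " " tctx]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample audit records (NOT taken from the poster's machine):
#  - three name_connect denials from squid_t to the port 3128 label
#    (http_cache_port_t), which is what a cache_peer parent on localhost hits
#  - one read denial on a cache file still labelled var_t (mislabelled tree)
#  - one denial from httpd_t and one granted record, both to be filtered out
SAMPLE_AVC='type=AVC msg=audit(1274168511.412:101): avc:  denied  { name_connect } for  pid=3173 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1274168511.901:102): avc:  denied  { name_connect } for  pid=3173 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1274168512.330:103): avc:  denied  { name_connect } for  pid=3175 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1274168512.388:104): avc:  denied  { read } for  pid=3173 comm="squid" name="swap.state" dev=sda2 ino=918273 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1274168513.002:105): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1274168513.115:106): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Stand-alone demo: what an operator would see for the squid_t domain.
# On a real box: avc_summary squid_t < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_summary squid_t
```

Reading the summary decides the fix. A file denial whose tcontext is var_t, usr_t or similar means the compiled tree is mislabelled; the persistent cure is `semanage fcontext -a -t squid_cache_t "/usr/local/squid/var/cache(/.*)?"` (and the other types from Tiery's list) followed by `restorecon -R /usr/local/squid`, which survives policy updates, unlike editing file_contexts by hand. A name_connect denial to a port label means the policy does not let squid_t open that connection; check `getsebool -a | grep squid` first, since the Red Hat family policy of that era ships a squid_connect_any boolean and `setsebool -P` is far safer than a custom module. Only what is left after that belongs in `audit2allow -M localsquid < /var/log/audit/audit.log`; read the generated localsquid.te before `semodule -i localsquid.pp`, because audit2allow will happily grant whatever was denied, including things the helpers should never be allowed to do.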