
configuring Eliezer RPMs for CentOS 6 for SMP

Hi there,

First of all, thanks Eliezer for providing the packages!

The package installed and ran fine with the default, single-process config. I'm trying to follow best practices like keeping SELinux enabled (enforcing), and I was happy to see the packages follow the standard targeted policies included in CentOS 6.5.

But, when I tried an SMP setup, I got some SELinux AVCs.

Those were related to the socket files used for IPC between workers and coordinator, and shm files for shared cache_mem and (I guess) rock store.

Here are the relevant settings from my squid.conf (this is my test machine, the production one has more RAM, cores and disk):

--- SNIP ---
workers 2
cache_mem 1024 MB
cache_dir rock /cache/shared 2000 min-size=1 max-size=31000 max-swap-rate=250 swap-timeout=350
cache_dir aufs /cache/worker${process_number} 2000 16 256 min-size=31001 max-size=346030080
--- SNIP ---

I followed standard advice and ran audit2allow to build additional SELinux policy modules. After everything was working fine, I took the time to build and test a consolidated policy module. Here it is:

--- squid-smp.te ---
module squid-smp 1.0;

require {
	type squid_t;
	type var_run_t;
	type tmpfs_t;
	class sock_file { create write };
	class dir { remove_name add_name write };
	class file { unlink create };
}

# for ipc channels between kids/workers
allow squid_t var_run_t:sock_file { create write };

# for shm used by cache_mem and rock store(?)
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
--- squid-smp.te ---

To compile and install this policy module, please run:

# checkmodule -M -m -o squid-smp.mod squid-smp.te
# semodule_package -o squid-smp.pp -m squid-smp.mod
# semodule -i squid-smp.pp

I hope Eliezer can add this to the next update to his packages, so others can try SMP without fighting with SELinux.

But, as I'm not so experienced with SELinux, I'd be glad to receive advice on how to make this policy more strict, more "secure".

For example, I guess I could use squid_var_run_t instead of using var_run_t, to have a more specific fcontext for squid IPC files. I know how to do this manually:

# semanage fcontext -a -t squid_var_run_t "/var/run/squid(/.*)?"
# restorecon -RFv /var/run/squid/

But I don't know how to add this to the policy file.

I also guess I could be more strict about the shm files (tmpfs_t) but I don't know how to do this.

Another hurdle I had with the RPM packages was about setting ulimit nofile. I'm used to adding them to /etc/security/limits.conf, and this works for CentOS init.d scripts, but not for the squid script.

My solution was to add a line to /etc/sysconfig/squid:
ulimit -n 32768

But maybe I should edit the init.d/squid script to use the daemon() function from /etc/init.d/functions, or runuser, like other CentOS init.d scripts do.

Well, I hope my findings and ideas can be useful to other CentOS/RHEL admins, and someone there can help me make the squid RPM more "Red Hat-ish".


[]s, Fernando Lozano
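The post asks how to fold the squid_var_run_t file context into the policy module instead of applying it by hand with semanage. The script below is an added example, not part of the original post and not code from Eliezer's packages: it writes the .te from the post with var_run_t replaced by squid_var_run_t, adds a companion .fc file carrying the same regex the post used with semanage, and builds the module with `semodule_package -f` so the file context is installed and removed together with the module. It assumes a CentOS 6 targeted policy where squid_t and squid_var_run_t exist and where the base policy has no file context for /var/run/squid yet (the manual `semanage fcontext -a` in the post succeeding suggests that). The permission lists are the ones from the post; the tmpfs_t rules are kept as they are, since restricting the shm files further would need a dedicated type that this example does not assume exists.

```shell
#!/bin/sh
# Added example (not from the original post or Eliezer's packages): build the
# squid-smp SELinux module as a .te plus a .fc file, so the /var/run/squid
# file context ships inside the module. Assumes CentOS 6 targeted policy with
# squid_t and squid_var_run_t present, and no existing fcontext for
# /var/run/squid in the base policy.
set -u

# write squid-smp.te and squid-smp.fc into the given directory
write_policy_sources() {
    dir="$1"
    cat > "$dir/squid-smp.te" <<'EOF'
module squid-smp 1.0;

require {
	type squid_t;
	type squid_var_run_t;
	type tmpfs_t;
	class sock_file { create write };
	class dir { add_name remove_name write };
	class file { create unlink };
}

# IPC sockets between the coordinator and the kids; these are labelled
# squid_var_run_t via squid-smp.fc instead of the generic var_run_t
allow squid_t squid_var_run_t:sock_file { create write };

# shared memory segments (cache_mem, rock) live in /dev/shm, i.e. tmpfs_t
allow squid_t tmpfs_t:dir { add_name remove_name write };
allow squid_t tmpfs_t:file { create unlink };
EOF

    # file contexts: same regex as the semanage command in the post, in the
    # raw "regex  context" form that semodule_package -f expects
    cat > "$dir/squid-smp.fc" <<'EOF'
/var/run/squid(/.*)?		system_u:object_r:squid_var_run_t:s0
EOF
}

# compile, package (with the file contexts), load, and relabel
install_policy() {
    dir="$1"
    cd "$dir" || return 1
    checkmodule -M -m -o squid-smp.mod squid-smp.te || return 1
    semodule_package -o squid-smp.pp -m squid-smp.mod -f squid-smp.fc || return 1
    semodule -i squid-smp.pp || return 1
    # -R: the regex covers the directory contents, not only the directory
    restorecon -Rv /var/run/squid
    # sanity check: the label a new IPC socket under /var/run/squid would get
    matchpathcon /var/run/squid/example.ipc
}

# run as: sh squid-smp-policy.sh install   (as root, on the squid host)
if [ "${1:-}" = "install" ]; then
    work=$(mktemp -d)
    write_policy_sources "$work"
    install_policy "$work"
fi
```

Removing the module later with `semodule -r squid-smp` drops the file context as well, which is the advantage over a separate `semanage fcontext -a` entry that has to be remembered and removed by hand.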




