
Re: configuring Eliezer RPMs for CentOS 6 for SMP

Hey Fernando,

First thanks!
It indeed helps a lot, since there were issues I didn't know how to look at.
I am hoping to release the RPM next week, but I will include the SELinux rules only in the next release due to the overhead of packaging them.

I might be able to package them in another external package not directly related to the squid package, which seems reasonable to me.

About the ulimit-related issue:
Using sysconfig for this is an option, and I will consider it in the next releases.

Eliezer

On 05/08/2014 09:15 PM, fernando@xxxxxxxxxxxxx wrote:
Hi there,

First of all, thanks Eliezer for providing the packages!

The package installed and ran fine with the default, single-process
config. I'm trying to follow best practices like keeping SELinux enabled
(enforcing), and I was happy to see the packages follow the standard
targeted policy included in CentOS 6.5.

But when I tried an SMP setup, I got some SELinux AVCs.

Those were related to the socket files used for IPC between workers and
coordinator, and shm files for shared cache_mem and (I guess) rock store.

Here are the relevant settings from my squid.conf (this is my test
machine; the production one has more RAM, cores and disk):

--- SNIP ---
workers 2
cache_mem 1024 MB
cache_dir rock /cache/shared 2000 min-size=1 max-size=31000 max-swap-rate=250 swap-timeout=350
cache_dir aufs /cache/worker${process_number} 2000 16 256 min-size=31001 max-size=346030080
--- SNIP ---

I followed standard advice and ran audit2allow to build additional SELinux
policy modules. After everything was working fine, I took the time to
build and test a consolidated policy module. Here it is:

--- squid-smp.te ---
module squid-smp 1.0;

require {
    type squid_t;
    type var_run_t;
    type tmpfs_t;
    class sock_file { create write };
    class dir { remove_name add_name write };
    class file { unlink create };
}

# for ipc channels between kids/workers
allow squid_t var_run_t:sock_file { create write };

# for shm used by cache_mem and rock store(?)
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
--- squid-smp.te ---

To compile and install this policy module, please run:

# checkmodule -M -m -o squid-smp.mod squid-smp.te
# semodule_package -o squid-smp.pp -m squid-smp.mod
# semodule -i squid-smp.pp

I hope Eliezer can add this to the next update to his packages, so
others can try SMP without fighting with SELinux.

But, as I'm not so experienced with SELinux, I'd be glad to receive
advice on how to make this policy more strict, more "secure".

For example, I guess I could use squid_var_run_t instead of using
var_run_t, to have a more specific fcontext for squid IPC files. I know
how to do this manually:

# semanage fcontext -a -t squid_var_run_t "/var/run/squid(/.*)?"
# restorecon -Fv /var/run/squid/

But I don't know how to add this to the policy file.

I also guess I could be more strict about the shm files (tmpfs_t) but I
don't know how to do this.

Another hurdle I had with the RPM packages was setting ulimit
nofile. I'm used to adding limits to /etc/security/limits.conf, and this works
for CentOS init.d scripts, but not for the squid script.

My solution was to add a line to /etc/sysconfig/squid:
ulimit -n 32768

But maybe I should edit the init.d/squid script to use function daemon()
from /etc/init.d/functions or runuser like other CentOS init.d scripts do.

Well, I hope my findings and ideas can be useful to other CentOS/RHEL
admins, and someone there can help me make the squid RPM more "Red
Hat-ish".


[]s, Fernando Lozano
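As an added example, not part of either message above and not code from Eliezer's packages, here is one way to express the two tightenings Fernando asks about inside the module itself instead of via `semanage fcontext`: a file-context (.fc) file packaged with the module labels /var/run/squid as squid_var_run_t, so the module grants nothing on generic var_run_t, and a private file type for the shared-memory segments replaces the blanket `tmpfs_t:file` permissions. squid_var_run_t and the file_type attribute are existing targeted-policy names; the type name squid_shm_t, the module version and the .fc pattern are my own choices. The script only writes the two policy files unless invoked with `install`, which runs the same checkmodule/semodule_package/semodule steps as in the thread plus the restorecon.

```shell
#!/bin/sh
# Added example: build a stricter squid-smp SELinux module with its own
# file-context file. Assumptions (not from the thread): the type name
# squid_shm_t is invented here; squid_var_run_t and the file_type attribute
# already exist in the CentOS 6 targeted policy. Run: sh squid-smp-build.sh install
set -eu

# Write squid-smp.te and squid-smp.fc into the directory given as $1.
write_policy_files() {
    dir=$1
    cat > "$dir/squid-smp.te" <<'EOF'
module squid-smp 1.1;

require {
    type squid_t;
    type squid_var_run_t;
    type tmpfs_t;
    attribute file_type;
    class filesystem associate;
    class dir { search getattr write add_name remove_name };
    class file { create unlink open read write getattr setattr };
    class sock_file { create unlink write getattr setattr };
}

# Private type for the SMP shared-memory segments (cache_mem, rock index).
# Declared by this module; it must be allowed to live on a tmpfs (/dev/shm).
type squid_shm_t;
typeattribute squid_shm_t file_type;
allow squid_shm_t tmpfs_t:filesystem associate;

# Files squid_t creates in a tmpfs_t directory get squid_shm_t instead of
# inheriting tmpfs_t, so only its own segment files, not arbitrary tmpfs
# files, are writable by Squid. The directory entry itself stays on tmpfs_t.
type_transition squid_t tmpfs_t:file squid_shm_t;
allow squid_t tmpfs_t:dir { search getattr write add_name remove_name };
allow squid_t squid_shm_t:file { create unlink open read write getattr setattr };

# IPC sockets between coordinator and kids, in /var/run/squid. The .fc file
# labels that tree squid_var_run_t, so nothing is granted on generic var_run_t.
allow squid_t squid_var_run_t:dir { search getattr write add_name remove_name };
allow squid_t squid_var_run_t:sock_file { create unlink write getattr setattr };
EOF

    # File-context spec packaged with the module (semodule_package -f); this
    # replaces the manual "semanage fcontext -a -t squid_var_run_t" step.
    cat > "$dir/squid-smp.fc" <<'EOF'
/var/run/squid(/.*)?    system_u:object_r:squid_var_run_t:s0
EOF
}

# Compile, package and load the module, then relabel the socket directory.
build_and_load() {
    dir=$1
    checkmodule -M -m -o "$dir/squid-smp.mod" "$dir/squid-smp.te"
    semodule_package -o "$dir/squid-smp.pp" -m "$dir/squid-smp.mod" -f "$dir/squid-smp.fc"
    semodule -i "$dir/squid-smp.pp"
    restorecon -RFv /var/run/squid
}

if [ "${1:-}" = "install" ]; then
    work=$(mktemp -d)
    write_policy_files "$work"
    build_and_load "$work"
fi
```

Two checks before loading this on a real box: run `sesearch -T -s squid_t -t tmpfs_t` first, because if the installed squid policy already defines a type transition from tmpfs_t for squid_t, the loader will reject a second, conflicting transition and the right fix is to reuse that existing type instead of declaring squid_shm_t; and after loading, confirm with `ls -Z /var/run/squid /dev/shm` that the sockets are squid_var_run_t and the segment files are squid_shm_t, since a left-over file still labelled tmpfs_t will now be denied. The rules cover only the AVCs reported in the thread (socket creation, segment create/unlink, plus the open/read/write/setattr a shm_open+ftruncate needs on the new type); anything else that shows up in audit.log still has to be added deliberately.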
