Hi Eliezer,
I have an updated version of my policy file. It prevents an AVC when
stopping or reloading squid.
Hope you noticed the wrong name for the original file: it was supposed
to be squid-*smp*.te, not squid-*snmp*.te. :-)
Here's the new file:
--- squid-smp.te ---
module squid-smp 1.1;

# for ipc channels between kids/workers (unix socket files under /var/run)
require {
    type var_run_t;
    type squid_t;
    class sock_file { create write unlink };
}
allow squid_t var_run_t:sock_file { create write unlink };
# redundant: create is already granted by the rule above
allow squid_t var_run_t:sock_file create;

# for shm used by cache_mem and rock store(?)
require {
    type squid_t;
    type tmpfs_t;
    class dir { remove_name add_name write };
    class file { unlink create };
}
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
--- end of squid-smp.te ---
I have not tested it with squid development releases (3.5), only with
your 3.4.x rpms. But please write me if you need any help with SELinux
in the future. I'm not an expert, but as I do have to use it in
enforcing mode, I'll probably get the same issues.
[]s, Fernando Lozano
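As an added example (not part of either message), a small Python checker that parses a .te module in the shape posted above and reports the effective permissions per (source, target, class), any permission an allow rule uses that no require block declares, and rules that add nothing to earlier ones; the embedded policy text is a constructed copy of Fernando's file, on which it flags the second sock_file rule as redundant.

```python
import re
from collections import defaultdict

# Constructed copy of the squid-smp.te posted above; the repeated sock_file
# rule is kept on purpose so the checker has something to flag.
SQUID_SMP_TE = """\
module squid-smp 1.1;
require {
    type var_run_t;
    type squid_t;
    class sock_file { create write unlink };
}
allow squid_t var_run_t:sock_file { create write unlink };
allow squid_t var_run_t:sock_file create;
require {
    type squid_t;
    type tmpfs_t;
    class dir { remove_name add_name write };
    class file { unlink create };
}
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
"""

# One rule per line; a permission list is a single name or a { set }.
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def _perms(token):
    return set(token.strip("{} ").split())

def audit_policy(text):
    """Return (granted, undeclared, redundant): effective permissions per
    (source, target, class), permissions used by an allow rule but absent
    from every require{class ...}, and rules adding nothing to earlier ones."""
    declared = defaultdict(set)
    for cls, perms in CLASS_RE.findall(text):
        declared[cls] |= _perms(perms)
    granted, undeclared, redundant = defaultdict(set), [], []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        key, wanted = (src, tgt, cls), _perms(perms)
        if wanted <= granted[key]:      # every bit already allowed above
            redundant.append((key, wanted))
        granted[key] |= wanted
        if wanted - declared[cls]:      # not declared in any require block
            undeclared.append((key, wanted - declared[cls]))
    return dict(granted), undeclared, redundant
```

To review a file on disk, call audit_policy(open("squid-smp.te").read()) and inspect the three results before building the module.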
Hey Fernando,
First thanks!
It indeed helps a lot since there were issues I didn't know how to
look at.
I am hoping to release the RPM next week but I will include the
selinux rules only on the next release due to the overhead of packing
it.
I might be able to package it in another external package not related
directly to the squid package, which seems reasonable to me.
About the ulimit related issue:
It's an option to use sysconfig for this option and I will consider
it in the next releases.
Eliezer