
Re: Squid exiting on its own at sys startup

After some deeper digging, it seems selinux was only temporarily disabled (via " echo 0 >/selinux/enforce"), not disabled in the primary config file. But this actually allowed me to track down a fix to keep using selinux (which we definitely need for server security). I am going to add it here for others that may run into the same problem (in RedHat, CentOS and Scientific Linux) and how to fix it. This allows us to use ssl-bump with selinux. I had one where "pinger" was also having an issue so I am including it here.
Scientific Linux 6.5 (would also work for RedHat and CentOS 6)
squid 3.4.5 and 3.4.6

Edit /etc/selinux/config and change to “permissive”. Then cycle the audit logs:
cd /var/log/audit/
mv audit.log audit.log.0
touch audit.log

Then reboot the system and let selinux come back up and catch the items in its log (usually ssl_crtd and pinger) located at /var/log/audit/audit.log. Many times squid will try to start but end up with “the ssl_crtd helpers are crashing too quickly” which will shut the squid service down.

* Install the needed tool for selinux: yum install policycoreutils-python (which will also install a few other needed dependencies).

ssl_crtd: Start in /tmp/ folder since we will not need these files for long.

* grep ssl_crtd /var/log/audit/audit.log | audit2allow -m ssl_crtdlocal > ssl_crtdlocal.te
    o outputs the suggested settings into the file ssl_crtdlocal.te, which we will review below in “cat”
* cat ssl_crtdlocal.te # to review the created file and show what will be done
* grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal
    o Note the capital M, this makes the needed file, ready for selinux to import, and then the next command below actually enables it.
* semodule -i ssl_crtdlocal.pp


Now for pinger (if needed):

* grep pinger /var/log/audit/audit.log | audit2allow -m pingerlocal > pingerlocal.te
* cat pingerlocal.te # to review the created file and show what will be done
* grep pinger /var/log/audit/audit.log | audit2allow -M pingerlocal
* semodule -i pingerlocal.pp

After those are entered, go back in and edit /etc/selinux/config and change to “enforcing”. Reboot the system one more time and watch the logs for any other entries relating to squid like “ssl_crtd” or “pinger” (look at the comm="ssl_crtd" aspect) to see if any other squid based items need an allowance:

* type=AVC msg=audit(1403808338.272:24): avc: denied { read } for pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

    -OR-

* type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2 success=yes exit=3 a0=cfe2e8 a1=0 a2=1b6 a3=0 items=0 ppid=1454 pid=1457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)



Thanks all
Mike
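Before importing whatever audit2allow generates, it is worth seeing exactly which denials the grep caught and confirming that the resulting .te only grants permissions to the squid domain. This is an added example, not from the post or the Squid project; the audit lines and the .te are constructed samples modelled on the format quoted above, and the two helper functions are assumed names:

```shell
#!/bin/sh
# Added example, not from the original post or the Squid project: triage
# AVC denials before feeding them to audit2allow, then sanity-check the
# generated .te. All sample data below is constructed for the demo.

# Constructed audit.log excerpt modelled on the lines quoted in the post.
AUDIT_SAMPLE='type=AVC msg=audit(1403808338.272:24): avc:  denied  { read } for  pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2 success=yes exit=3 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1403808338.272:24): avc:  denied  { read } for  pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1403808340.005:31): avc:  denied  { write } for  pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1403808341.120:35): avc:  denied  { create } for  pid=1460 comm="pinger" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=rawip_socket'

# Constructed .te in the shape that "audit2allow -m" produces.
TE_SAMPLE='module ssl_crtdlocal 1.0;

require {
	type squid_t;
	type var_lib_t;
	class file { read write };
}

#============= squid_t ==============
allow squid_t var_lib_t:file { read write };'

# summarize_avc COMM: read audit lines on stdin, print one line per distinct
# "scontext tcontext tclass { perms }" that process COMM was denied.
# This is what audit2allow will turn into allow rules, so read it first.
summarize_avc() {
  grep 'type=AVC' | grep "comm=\"$1\"" \
    | sed -n 's/.*denied *{ \([^}]*\) } .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \3 \4 { \1 }/p' \
    | sort -u
}

# te_rules_outside_domain DOMAIN: read a .te on stdin and print every allow
# rule whose source type is not DOMAIN (a sign the grep matched denials
# unrelated to squid). Exit status is 1 if any such rule was found.
te_rules_outside_domain() {
  grep '^allow ' | awk -v d="$1" '$2 != d { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Demo on the constructed data.
printf '%s\n' "$AUDIT_SAMPLE" | summarize_avc ssl_crtd
printf '%s\n' "$AUDIT_SAMPLE" | summarize_avc pinger
printf '%s\n' "$TE_SAMPLE" | te_rules_outside_domain squid_t && echo "ssl_crtdlocal.te: only squid_t rules"
```

On a real box, replace the printf of AUDIT_SAMPLE with "cat /var/log/audit/audit.log" and pipe the .te that audit2allow wrote into te_rules_outside_domain before running semodule -i.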

On 6/26/2014 12:13 PM, Mike wrote:
OS is CentOS based Scientific Linux 6.5. Squid is version 3.4.6 (updated today) but was happening as well with 3.4.5.

This happens only after a reboot, so there has to be an issue in the /etc/init.d/squid startup script causing this. Something on initial startup is causing it to start and then immediately exit with the status 0. Subsequent startup attempts by it causes the ssl_crtd helpers to crash, so I want to prevent that initial automated "exit with status 0".
A manual "service squid start" allows it to start without a problem.
We even tried a delayed secondary startup in /etc/rc.local pointing to a basic (chmod +x) script that says
#!/bin/bash
sleep 60
service squid start

but that doesn't help, the exact same thing happens when it tries to start, so I suspect something in the init.d script.

Permissions are all set, selinux is disabled.

From /var/log/messages

Jun 26 11:41:05 cogicm01 squid[1544]: Squid Parent: will start 1 kids
Jun 26 11:41:05 cogicm01 squid[1544]: Squid Parent: (squid-1) process 1547 started
Jun 26 11:41:05 cogicm01 squid[1544]: Squid Parent: (squid-1) process 1547 exited with status 0
Jun 26 11:41:10 cogicm01 squid[1561]: Squid Parent: will start 1 kids
Jun 26 11:41:10 cogicm01 squid[1561]: Squid Parent: (squid-1) process 1563 started
Jun 26 11:41:10 cogicm01 squid[1561]: Squid Parent: (squid-1) process 1563 exited with status 0
Jun 26 11:41:15 cogicm01 squid[1566]: Squid Parent: will start 1 kids
Jun 26 11:41:15 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1568 started
Jun 26 11:41:15 cogicm01 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jun 26 11:41:16 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1568 exited with status 1
Jun 26 11:41:19 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1577 started
Jun 26 11:41:19 cogicm01 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jun 26 11:41:19 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1577 exited with status 1
Jun 26 11:41:22 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1610 started
Jun 26 11:41:22 cogicm01 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jun 26 11:41:22 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1610 exited with status 1
Jun 26 11:41:25 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1617 started
Jun 26 11:41:25 cogicm01 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jun 26 11:41:25 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1617 exited with status 1
Jun 26 11:41:28 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1624 started
Jun 26 11:41:29 cogicm01 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jun 26 11:41:29 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1624 exited with status 1
Jun 26 11:41:29 cogicm01 squid[1566]: Squid Parent: (squid-1) process 1624 will not be restarted due to repeated, frequent failures
Jun 26 11:41:29 cogicm01 squid[1566]: Exiting due to repeated, frequent failures


Based on my last email, I adjusted things since it kept trying to remove a pid folder that is there but empty, whereas the pid file itself is within the normal /var/run/ folder, not the /var/run/squid/ folder. This means on shutdown or service restart, it was not removing the old pid file. So I adjusted it on stop or restart to remove the .pid file which works. But the above issue on system startup remains.




