Search squid archive

Re: Squid exiting on its own at sys startup

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey Mike,

I was wondering if you have these Selinux rules in binary or another format(src) which I can try to use and package them in RPM?

Thanks,
Eliezer

On 06/27/2014 12:08 AM, Mike wrote:
After some deeper digging, it seems selinux was only temporarily
disabled (via " echo 0 >/selinux/enforce"), not disabled in the primary
config file. But this actually allowed me to track down a fix to keep
using selinux (which we definitely need for server security). I am going
to add it here for others that may run into the same problem (in RedHat,
CentOS and Scientific Linux) and how to fix it. This allows us to use
ssl-bump with selinux. I had one where "pinger" was also having an issue
so I am including it here.
Scientific Linux 6.5 (would also work for RedHat and CentOS 6)
squid 3.4.5 and 3.4.6

Edit /etc/selinux/config and change to “permissive”. Then cycle the
audit logs:
cd /var/log/audit/
mv audit.log audit.log.0
touch audit.log

Thenreboot the system and let selinux come back up and catch the items
in its log (usually ssl_crtd and pinger) located at
/var/log/audit/audit.log. Many times squid will try to start but end up
with “the ssl_crtd helpers are crashing too quickly” which will shut the
squid service down.

  *

    Install the needed tool for selinux: yum install
    policycoreutils-python (which will also install a few other needed
    dependencies).

ssl_crtd: Start in /tmp/ folder since we will not need these files for
long.

  *

    grep ssl_crtd /var/log/audit/audit.log | audit2allow -m
    ssl_crtdlocal > ssl_crtdlocal.te

      o

        outputs the suggested settings into the file ssl_crtdlocal.te,
        which we will review below in “cat”

  *

    cat ssl_crtdlocal.te # to review the created file and show what will
    be done

  *

    grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal

      o

        Note the capital M, this makes the needed file, ready for
        selinux to import, and then the next command below actually
        enables it.

  *

    semodule -i ssl_crtdlocal.pp


1.

    Now for pinger (if needed):

  *

    grep pinger /var/log/audit/audit.log | audit2allow -m pingerlocal >
    pingerlocal.te

  *

    cat pingerlocal.te # to review the created file and show what will
    be done

  *

    grep pinger /var/log/audit/audit.log | audit2allow -M pingerlocal

  *

    semodule -i pingerlocal.pp

After those are entered, go back in and edit /etc/selinux/config and
change to “enforcing”. Reboot the system one more time and watch the
logs for any other entries relating to squid like “ssl_crtd” or “pinger”
(look at the comm="ssl_crtd" aspect) to see if any other squid based
items need an allowance:

  *

    type=AVC msg=audit(1403808338.272:24): avc: denied { read } for
    pid=1457 comm="ssl_crtd" name="index.txt" dev=dm -0 ino=5376378
    scontext=system_u:system_r:squid_t:s0
    tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

      o

        -OR-

  *

    type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2
    success=yes exit=3 a0=cfe2e8 a1=0 a2=1b6 a3=0 items=0 ppid=1454
    pid=1457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
    egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
    comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd"
    subj=system_u:system_r:squid_t:s0 key=(null)



Thanks all
Mike





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux