Unfortunately no, because each system has minor differences, the desired
rules to be used by squid varies based on other programs and
interactions within the system. This is why I just typed them out here
so others can figure out why squid or pinger or ssl_crtd is getting
caught by selinux, and how to at least allow it through selinux, for
that specific system.
These rules are not setup via setsebool, instead they are installed
directly via semodule.
Mike
On 7/8/2014 8:30 PM, Eliezer Croitoru wrote:
Hey Mike,
I was wondering if you have these Selinux rules in binary or another
format(src) which I can try to use and package them in RPM?
Thanks,
Eliezer
On 06/27/2014 12:08 AM, Mike wrote:
After some deeper digging, it seems selinux was only temporarily
disabled (via " echo 0 >/selinux/enforce"), not disabled in the primary
config file. But this actually allowed me to track down a fix to keep
using selinux (which we definitely need for server security). I am going
to add it here for others that may run into the same problem (in RedHat,
CentOS and Scientific Linux) and how to fix it. This allows us to use
ssl-bump with selinux. I had one where "pinger" was also having an issue
so I am including it here.
Scientific Linux 6.5 (would also work for RedHat and CentOS 6)
squid 3.4.5 and 3.4.6
Edit /etc/selinux/config and change to “permissive”. Then cycle the
audit logs:
cd /var/log/audit/
mv audit.log audit.log.0
touch audit.log
Thenreboot the system and let selinux come back up and catch the items
in its log (usually ssl_crtd and pinger) located at
/var/log/audit/audit.log. Many times squid will try to start but end up
with “the ssl_crtd helpers are crashing too quickly” which will shut the
squid service down.
*
Install the needed tool for selinux: yum install
policycoreutils-python (which will also install a few other needed
dependencies).
ssl_crtd: Start in /tmp/ folder since we will not need these files for
long.
*
grep ssl_crtd /var/log/audit/audit.log | audit2allow -m
ssl_crtdlocal > ssl_crtdlocal.te
o
outputs the suggested settings into the file ssl_crtdlocal.te,
which we will review below in “cat”
*
cat ssl_crtdlocal.te # to review the created file and show what will
be done
*
grep ssl_crtd /var/log/audit/audit.log | audit2allow -M
ssl_crtdlocal
o
Note the capital M, this makes the needed file, ready for
selinux to import, and then the next command below actually
enables it.
*
semodule -i ssl_crtdlocal.pp
1.
Now for pinger (if needed):
*
grep pinger /var/log/audit/audit.log | audit2allow -m pingerlocal >
pingerlocal.te
*
cat pingerlocal.te # to review the created file and show what will
be done
*
grep pinger /var/log/audit/audit.log | audit2allow -M pingerlocal
*
semodule -i pingerlocal.pp
After those are entered, go back in and edit /etc/selinux/config and
change to “enforcing”. Reboot the system one more time and watch the
logs for any other entries relating to squid like “ssl_crtd” or “pinger”
(look at the comm="ssl_crtd" aspect) to see if any other squid based
items need an allowance:
*
type=AVC msg=audit(1403808338.272:24): avc: denied { read } for
pid=1457 comm="ssl_crtd" name="index.txt" dev=dm -0 ino=5376378
scontext=system_u:system_r:squid_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
o
-OR-
*
type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2
success=yes exit=3 a0=cfe2e8 a1=0 a2=1b6 a3=0 items=0 ppid=1454
pid=1457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd"
subj=system_u:system_r:squid_t:s0 key=(null)
Thanks all
Mike
