Hello,

can you do a little test for me?
can you please try the following acl

acl block_as4837 dst_as 4837
http_access deny block_as4837

and then try in a browser http://sudo.ml

Thanks,
Walter

On 30.09.2015 18:45, Veiko Kukk wrote:
On 30/09/15 18:27, Veiko Kukk wrote:
I'm sorry, should have provided operating system version with my first post. It is CentOS 6.7 with latest updates.

Sure, when changing selinux to permissive mode, it works. I have not had time meanwhile to find out what are the required minimal selinux changes required, probably allowing squid to write to /dev/shm.

If somebody has the same problem, and happens to read mailinglist archive, this is the solution. My guess about /dev/shm was true,

# grep squid /var/log/audit/audit.log| audit2allow -a

#============= squid_t ==============
#!!!! The source type 'squid_t' can write to a 'dir' of the following types:
# squid_log_t, var_log_t, var_run_t, pcscd_var_run_t, squid_var_run_t, squid_cache_t, tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t

allow squid_t tmpfs_t:dir { write remove_name add_name };
allow squid_t tmpfs_t:file { create unlink };
allow squid_t user_tmpfs_t:file { read write };

If you agree with offered rights, create custom module and load it.

# grep squid /var/log/audit/audit.log| audit2allow -a -M mysquid
******************** IMPORTANT ***********************
To make this policy package active, execute:

# semodule -i mysquid.pp

And now squid 3.5.9 on CentOS 6.7 works with selinux enforced mode.

Veiko
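An added example, not part of either message above: a small Python check for the "if you agree with offered rights" step, which groups squid_t AVC denials into the allow rules they imply and flags any target type outside the /dev/shm-related ones seen in the post. The log records are constructed samples, and the names collect_rules, review and the expected-type set are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1443627900.101:501): avc:  denied  { write } for  pid=2101 comm="squid" name="/" dev=tmpfs ino=5120 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1443627900.101:502): avc:  denied  { add_name } for  pid=2101 comm="squid" name="squid-example.shm" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1443627900.102:503): avc:  denied  { create } for  pid=2101 comm="squid" name="squid-example.shm" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1443627955.300:510): avc:  denied  { remove_name } for  pid=2101 comm="squid" name="squid-example.shm" dev=tmpfs ino=5121 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1443627955.300:511): avc:  denied  { unlink } for  pid=2101 comm="squid" name="squid-example.shm" dev=tmpfs ino=5121 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1443627960.410:520): avc:  denied  { read write } for  pid=2107 comm="squid" path="/dev/shm/squid-example.shm" dev=tmpfs ino=5122 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmpfs_t:s0 tclass=file
type=AVC msg=audit(1443628001.000:530): avc:  denied  { read } for  pid=2107 comm="squid" name="shadow" dev=dm-0 ino=9001 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1443628002.000:531): avc:  denied  { getattr } for  pid=3000 comm="httpd" path="/etc/squid/squid.conf" dev=dm-0 ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

def collect_rules(log_text, source_type):
    """Group denied permissions by (target type, class) for one source domain."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("stype") == source_type:  # skip lines grep matched by name only
            rules[(m.group("ttype"), m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)

def review(rules, source_type, expected_targets):
    """Return (allow-rule text, needs_review) pairs in a stable order."""
    out = []
    for (ttype, tclass), perms in sorted(rules.items()):
        rule = "allow %s %s:%s { %s };" % (source_type, ttype, tclass, " ".join(sorted(perms)))
        out.append((rule, ttype not in expected_targets))
    return out

if __name__ == "__main__":
    found = collect_rules(SAMPLE_AUDIT_LOG, "squid_t")
    for rule, flagged in review(found, "squid_t", {"tmpfs_t", "user_tmpfs_t"}):
        print(("REVIEW  " if flagged else "ok      ") + rule)
```

Any rule marked REVIEW comes from a denial unrelated to shared memory and would otherwise be carried into the custom module along with the tmpfs rules.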