On Tue, October 18, 2016 13:31, Garri Djavadyan wrote:
> On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
>> Hello,
>>
>> just in case anybody wants to run Squid 3.5.x on CentOS
>> with SELinux enforcing,
>>
>> here is the semodule
>>
>> <squid_update.tt>
>> module squid_update 1.0;
>>
>> require {
>>     type squid_conf_t;
>>     type squid_t;
>>     type var_t;
>>     class file { append open read write getattr lock
>> execute_no_trans };
>> }
>>
>> #============= squid_t ==============
>> allow squid_t squid_conf_t:file execute_no_trans;
>> allow squid_t var_t:file { append open read write getattr lock };
>> </squid_update.tt>
>>
>> and do the following:
>>
>> checkmodule -M -m -o squid_update.mod squid_update.tt
>> semodule_package -o squid_update.pp -m squid_update.mod
>> semodule -i squid_update.pp
>
> Hi,
>
> Have you tried to use default policy and relabel target dirs/files
> using types dedicated for squid? For example:
>
> # semanage fcontext -l | grep squid
> ...

my output differs a little bit; and yes the target files/dirs are labeled
as dedicated;

don't ask me why, but I have two CentOS 6.x VMs (each latest),
one with the official package (release 3.1.23) and one with this 3.5.20
RPM package;

with the 3.1.x there is no problem with

<squid.conf>
url_rewrite_program /etc/squid/url-rewrite-program.pl
url_rewrite_children 8
url_rewrite_host_header on
url_rewrite_access allow all
</squid.conf>

but with the 3.5.x there is access denied (shown in
/var/log/audit/audit.log) and squid doesn't start;

specific to the 3.5.x release, I added a certificate validator helper,
which also has problems ...

with this semodule package everything works fine ...
so there must be something different between these two releases;

with SELinux disabled or permissive there is no need for this semodule
package;

Greetings,
Walter
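Added example, not part of the thread: a small parser that groups AVC denials for `squid_t` from audit.log by target type and class, showing how rules like the ones in the posted module are derived and which paths each rule would cover. The log lines are constructed for illustration (they are not Walter's actual denials), and `/var/example/helper.db` is a hypothetical path.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (illustrative, not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1476790261.101:411): avc:  denied  { execute_no_trans } for  pid=2101 comm="squid" path="/etc/squid/url-rewrite-program.pl" dev=dm-0 ino=131 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file
type=AVC msg=audit(1476790262.007:412): avc:  denied  { read open } for  pid=2102 comm="helper" path="/var/example/helper.db" dev=dm-0 ino=977 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1476790262.009:413): avc:  denied  { write } for  pid=2102 comm="helper" name="helper.db" dev=dm-0 ino=977 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1476790262.009:413): arch=c000003e syscall=2 success=no exit=-13 comm="helper"
type=AVC msg=audit(1476790300.500:420): avc:  denied  { getattr } for  pid=900 comm="httpd" path="/var/example/other" dev=dm-0 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r' (?:path|name)="([^"]*)"')

def selinux_type(context):
    """Extract the type field from a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text, source_type="squid_t"):
    """Group AVC denials for one source domain by (target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != source_type:
            continue  # denial belongs to another domain
        entry = rules[(selinux_type(m["tcon"]), m["tclass"])]
        entry["perms"].update(m["perms"].split())
        p = PATH_RE.search(line)
        if p:
            entry["paths"].add(p.group(1))
    return dict(rules)

def as_allow_rules(rules, source_type="squid_t"):
    """Render the grouped denials as type-enforcement allow rules."""
    out = []
    for (ttype, tclass), entry in sorted(rules.items()):
        perms = sorted(entry["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {source_type} {ttype}:{tclass} {body};")
    return out

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

The `paths` set kept per rule shows which files carry a generic label such as `var_t`; those are the files the relabeling approach suggested in the quoted reply would address.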