Old 01-31-2011, 02:31 PM
Marcos Lois Bermúdez
 
Squid and SELinux

Hi.

I'm trying to set up squid with SELinux. The problem I encounter is
that I want to add another directory for cache; in this system we
have a home partition with huge space, so I created a squid dir and
added the path with semanage:

semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'

I check the files and they are in the good context:

drwxr-xr-x  squid squid user_u:object_r:squid_cache_t    .
drwxr-xr-x  squid squid system_u:object_r:home_root_t    ..
drwxr-x---  squid squid user_u:object_r:squid_cache_t    00
drwxr-x---  squid squid user_u:object_r:squid_cache_t    01
...

But when I want to start it I get this:

type=AVC msg=audit(1296442326.932:739661): avc: denied { search
} for pid=30924 comm="squid" name="/" dev=sda3 ino=2
scontext=user_u:system_r:squid_t:s0
tcontext=system_u:object_r:home_root_t:s0 tclass=dir

I know that the solution is to mount the huge partition on
/var/spool/squid, but I'm a newbie to SELinux, and want to know if
it's possible to achieve this.

Regards.




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-01-2011, 12:29 AM
Tsuyoshi Nagata
 
Squid and SELinux

Hi Marcos
(2011/02/01 0:31), Marcos Lois Bermúdez wrote:
> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>
> I check the files and they are in the good context:
>
> drwxr-xr-x squid squid user_u:object_r:squid_cache_t .
**> drwxr-xr-x squid squid system_u:object_r:home_root_t ..
> drwxr-x--- squid squid user_u:object_r:squid_cache_t 00
> drwxr-x--- squid squid user_u:object_r:squid_cache_t 01
> ...
>
> But when I want to start it I get this:
>
> type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

[root@localhost ~]# audit2allow -m squid
type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Ctl-D
module squid 1.0;

require {
        type home_root_t;
        type squid_t;
        class dir search;
}

#============= squid_t ==============
allow squid_t home_root_t:dir search;
[root@localhost ~]#

It seems the directory '/home/squid' has 'home_root_t' type.
Change it to 'squid_cache_t':
# chcon -u system_u -r object_r -t squid_cache_t /home/squid

--Tsuyoshi.

 
Old 02-01-2011, 03:16 PM
Marcos Lois Bermúdez
 
Squid and SELinux

Hi Tsuyoshi,

The /home/squid dir has the user_u:object_r:squid_cache_t context.
The /home dir has the system_u:object_r:home_root_t context.

So it seems that this can only be achieved via audit2allow?

A lot of thanks for your fast reply.

Regards.


 
Old 02-01-2011, 07:30 PM
Daniel J Walsh
 
Squid and SELinux


On 01/31/2011 08:29 PM, Tsuyoshi Nagata wrote:
> [...]
> It seems the directory '/home/squid' has 'home_root_t' type.
> Change it to 'squid_cache_t':
> # chcon -u system_u -r object_r -t squid_cache_t /home/squid


Do not change the context of /home to anything other than home_root_t.
If you changed the label then you would probably blow up confined
applications that need to access the homedirs and would not be allowed
to search through squid_cache_t.

The problem you are having is that you set up the squid_cache_t directory
under a directory that squid is not allowed to search in. The easiest
thing to do is to add a rule that allows squid_t to search home_root_t:

# grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid
# semodule -i mysquid.pp

Another option would be to move the directory to / and then squid_t
would be able to read it.

semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'

is the correct way to apply the label. Then run restorecon. chcon
should only be used for testing, since it is not permanent.
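As an added example (not code from the thread or from any of its posters), the following Python parses the AVC record quoted above, derives the allow rule that audit2allow would generate for it, and walks the ancestors of the cache path to find the directory type the squid_t domain cannot search, which is what Daniel's explanation comes down to. The path labels and the set of types assumed searchable by squid_t are constructed assumptions that mirror the thread, not values read from a live system.

```python
import re

# Constructed input: the AVC record from the original post, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1296442326.932:739661): avc: denied { search } '
    'for pid=30924 comm="squid" name="/" dev=sda3 ino=2 '
    'scontext=user_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir'
)
# Assumed labels as `ls -dZ` would show them (the thread reports the last two).
# name="/" dev=sda3 ino=2 in the record is the root inode of the filesystem on sda3,
# consistent with the separate /home partition the poster describes.
PATH_LABELS = {'/': 'root_t', '/home': 'home_root_t', '/home/squid': 'squid_cache_t'}
# Assumed: directory types squid_t can already search (Daniel's remark that a
# cache placed directly under / would work is why root_t is listed here).
SQUID_SEARCHABLE = {'root_t', 'squid_cache_t'}

_DENIED = re.compile(r'avc:\s*denied\s*\{\s*([^}]+?)\s*\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into permissions, key=value fields and the two types."""
    m = _DENIED.search(line)
    if not m:
        return None                  # not an AVC denial (e.g. a SYSCALL record)
    rec = {'perms': m.group(1).split()}
    for key, val in _KV.findall(line[m.end():]):
        rec[key] = val.strip('"')
    rec['stype'] = rec['scontext'].split(':')[2]   # contexts are user:role:type[:level]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def allow_rule(rec):
    """The allow rule audit2allow -M would put into the generated module."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms)

def blocking_ancestors(path, labels, searchable):
    """A domain needs dir:search on every ancestor of a path it opens; return the
    (ancestor, type) pairs it lacks, which is where the search AVC comes from."""
    parts = path.rstrip('/').split('/')
    ancestors = ['/'] + ['/'.join(parts[:i]) for i in range(2, len(parts))]
    return [(a, labels[a]) for a in ancestors if labels[a] not in searchable]

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(allow_rule(rec))                   # allow squid_t home_root_t:dir search;
    print(blocking_ancestors('/home/squid', PATH_LABELS, SQUID_SEARCHABLE))  # [('/home', 'home_root_t')]
```

Relabelling the directory with chcon cannot fix a denial whose target is an ancestor; either the domain gets the search permission on that ancestor's type, or the cache moves under a path whose every component the domain can already search.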
 
Old 02-02-2011, 05:57 PM
Marcos Lois Bermúdez
 
Squid and SELinux

Thanks,

It's clear now for me. I have a lot of fights with SELinux, but I need
to learn more, so I don't want to deactivate it. Allowing squid to search
home_root_t seems to be good, so I'll try to do the correct things and
prepare a partition outside the home dir for squid.

A lot of thanks for your fast reply.

Regards.

On 01/02/11 21:30, Daniel J Walsh wrote:
> [...]
> The problem you are having is that you set up the squid_cache_t directory
> under a directory that squid is not allowed to search in. The easiest
> thing to do is to add a rule that allows squid_t to search home_root_t:
>
> # grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid
> # semodule -i mysquid.pp
> [...]

 
