Old 02-09-2010, 01:48 PM
Daniel J Walsh
 
SELinux security alert/Squid -

On 02/09/2010 04:43 AM, Bob Goodwin wrote:
> On 09/02/10 02:17, Tim wrote:
>> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>>
>>> squid_connect_any --> off
>>>
>> Probably not a good idea, the setting's there as an aid to protect you
>> against maliciousness. If you want to add exceptions, that's a better
>> idea than just letting anything through.
>>
>> I'd make an educated guess that the original poster hadn't tried to
>> connect to an alternative port, while going through their proxy, before.
>>
>>
> Well then should it not be possible to tell SELinux that this particular
> connection is acceptable? To me it is vital, I need to control system
> usage and that's where I get my usage data! The problem is minor and
> doesn't warrant disabling SELinux in any way, I only see it upon
> rebooting, usually around 04:00 which is my habit. But the "star" is
> there again this morning.
>
> As a result I have once more done [as su/root]: setsebool -P
> squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30
> seconds and shows a lot of cpu activity while doing it so I know
> something is happening.
>
> The security alert, generated at this morning's boot:
>
> Summary:
>
> SELinux is preventing the squid daemon from connecting to network
> port 8180
>
> Detailed Description:
>
> [squid has a permissive type (squid_t). This access was not denied.]
>
> SELinux has denied the squid daemon from connecting to 8180. By
> default squid
> policy is setup to deny squid connections. If you did not setup
> squid to network
> connections, this could signal a intrusion attempt.
>
> Allowing Access:
>
> If you want squid to connect to network ports you need to turn on the
> squid_connect_any boolean: "setsebool -P squid_connect_any=1"
>
> Fix Command:
>
> setsebool -P squid_connect_any=1
>
> Additional Information:
>
> Source Context system_u:system_r:squid_t:s0
> Target Context system_u:object_r:port_t:s0
> Target Objects None [ tcp_socket ]
> Source squid
> Source Path /usr/sbin/squid
> Port 8180
> Host box6
> Source RPM Packages squid-3.1.0.15-2.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-78.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name squid_connect_any
> Host Name box6
> Platform Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count 33
> First Seen Sun 07 Feb 2010 04:50:46 PM EST
> Last Seen Sun 07 Feb 2010 05:08:58 PM EST
> Local ID 87daf7bf-ecdf-4025-9780-520ef4d433f5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied {
> name_connect } for pid=1504 comm="squid" dest=8180
> scontext=system_u:system_r:squid_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
> arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
> a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
> auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 tty=(none) ses=4294967295 comm="squid"
> exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
>
>
Another option would be to identify port 8180 as an http port.

semanage port -a -t http_port_t -p tcp 8180

Would label this port http_port_t and squid would be allowed to connect to this port without setting the boolean.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
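As an added example (not part of Dan's reply or of the Fedora project), a small POSIX shell helper that reads a raw AVC record like the one quoted above and picks the narrower remediation: when the target context type is the generic port_t (an unlabeled port), labelling that one port http_port_t is preferable to the blanket squid_connect_any boolean. The sample record is constructed from the alert in this thread; the function names are assumptions.

```shell
# Constructed sample: the raw AVC line from the alert above, joined onto one line.
AVC_SAMPLE='node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of the KEY=value pair in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type field (e.g. port_t from system_u:object_r:port_t:s0)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE -> prints the narrowest remediation for a squid name_connect AVC
suggest_fix() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
    comm=$(avc_field "$line" comm | tr -d '"')
    port=$(avc_field "$line" dest)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")

    if [ "$perm" != name_connect ] || [ "$comm" != squid ]; then
        echo "not a squid name_connect AVC"
        return 1
    fi

    case $ttype in
        port_t)
            # Unlabeled port: give just this port the http label, no boolean needed.
            echo "semanage port -a -t http_port_t -p tcp $port" ;;
        http_port_t)
            # Already labelled; the denial comes from elsewhere (policy version, other boolean).
            echo "port $port is already http_port_t; check the policy/boolean state" ;;
        *)
            # Port belongs to another service's type; only widen access deliberately.
            echo "port $port is $ttype; relabel it deliberately or use setsebool -P squid_connect_any=1 (broad)" ;;
    esac
}

suggest_fix "$AVC_SAMPLE"
```

Run it against a denial pasted from /var/log/audit/audit.log; the port label it proposes can be confirmed afterwards with `semanage port -l | grep http_port_t`.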
Old 02-09-2010, 02:35 PM
Bob Goodwin

SELinux security alert/Squid -

On 09/02/10 09:46, Daniel J Walsh wrote:
> yum update setroubleshoot* --enablerepo=updates-testing
>
Ok, I have done that on this computer and see what happens after the
next re-boot.

Will try it on another computer [box9] also displaying the "SELinux
security alert" but with a different complaint:


Summary:

SELinux is preventing /usr/bin/gs "setattr" access on
/var/cache/fontconfig.

Detailed Description:

SELinux denied access requested by gs. It is not expected that this
access is
required by gs and this access may signal an intrusion attempt. It
is also
possible that the specific version or configuration of the
application is
causing it to require additional access.

Usually I am hardly aware that SELinux is working, just the past few
days with this notice.

Thanks.

Bob
