FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 02-08-2010, 08:20 AM
Bob Goodwin
 
Default SELinux security alert/Squid -

Yesterday I began getting an "SELinux security alert" and Firefox began
to operate erratically [became useless].

I did "setsebool -P squid_connect_any=1" per the alert and Firefox began
to work again, however now this morning I am getting a similar notice
although it appears to be making an exception.

Do I need to take some further action to satisfy SELinux or will I
continue to get this notice until some future update?

Bob
.



Summary:

SELinux is preventing the squid daemon from connecting to
network port 8180

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

SELinux has denied the squid daemon from connecting to 8180. By
default squid
policy is setup to deny squid connections. If you did not setup
squid to network
connections, this could signal a intrusion attempt.

Allowing Access:

If you want squid to connect to network ports you need to turn
on the
squid_connect_any boolean: "setsebool -P squid_connect_any=1"

Fix Command:

setsebool -P squid_connect_any=1

Additional Information:

Source Context system_u:system_r:squid_t:s0
Target Context system_ubject_rort_t:s0
Target Objects None [ tcp_socket ]
Source squid
Source Path /usr/sbin/squid
Port 8180
Host box6
Source RPM Packages squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-78.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name squid_connect_any
Host Name box6
Platform Linux box6
2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
Mon Jan 18 19:52:07 UTC 2010
x86_64 x86_64
Alert Count 33
First Seen Sun 07 Feb 2010 04:50:46 PM EST
Last Seen Sun 07 Feb 2010 05:08:58 PM EST
Local ID 87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages

node=box6 type=AVC msg=audit(1265580538.758:20027): avc:
denied { name_connect } for pid=1504 comm="squid" dest=8180
scontext=system_u:system_r:squid_t:s0
tcontext=system_ubject_rort_t:s0 tclass=tcp_socket

node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23
sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid"
exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)

--

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-08-2010, 05:23 PM
Daniel J Walsh
 
Default SELinux security alert/Squid -

On 02/08/2010 04:20 AM, Bob Goodwin wrote:
> Yesterday I began getting an "SELinux security alert" and Firefox began
> to operate erratically [became useless].
>
> I did "setsebool -P squid_connect_any=1" per the alert and Firefox began
> to work again, however now this morning I am getting a similar notice
> although it appears to be making an exception.
>
> Do I need to take some further action to satisfy SELinux or will I
> continue to get this notice until some future update?
>
> Bob
> .
>
>
>
> Summary:
>
> SELinux is preventing the squid daemon from connecting to
> network port 8180
>
> Detailed Description:
>
> [squid has a permissive type (squid_t). This access was not denied.]
>
> SELinux has denied the squid daemon from connecting to 8180. By
> default squid
> policy is setup to deny squid connections. If you did not setup
> squid to network
> connections, this could signal a intrusion attempt.
>
> Allowing Access:
>
> If you want squid to connect to network ports you need to turn
> on the
> squid_connect_any boolean: "setsebool -P squid_connect_any=1"
>
> Fix Command:
>
> setsebool -P squid_connect_any=1
>
> Additional Information:
>
> Source Context system_u:system_r:squid_t:s0
> Target Context system_ubject_rort_t:s0
> Target Objects None [ tcp_socket ]
> Source squid
> Source Path /usr/sbin/squid
> Port 8180
> Host box6
> Source RPM Packages squid-3.1.0.15-2.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-78.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name squid_connect_any
> Host Name box6
> Platform Linux box6
> 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
> Mon Jan 18 19:52:07 UTC 2010
> x86_64 x86_64
> Alert Count 33
> First Seen Sun 07 Feb 2010 04:50:46 PM EST
> Last Seen Sun 07 Feb 2010 05:08:58 PM EST
> Local ID 87daf7bf-ecdf-4025-9780-520ef4d433f5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1265580538.758:20027): avc:
> denied { name_connect } for pid=1504 comm="squid" dest=8180
> scontext=system_u:system_r:squid_t:s0
> tcontext=system_ubject_rort_t:s0 tclass=tcp_socket
>
> node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
> arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
> a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
> auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23
> sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid"
> exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
>
Are you sure the boolean is turned on ?

# getsebool squid_connect_any
squid_connect_any --> off

Once you have set the boolean on it should stay that way permanently if you use the -P flag

# setsebool -P squid_connect_any 1

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-08-2010, 07:16 PM
Bob Goodwin
 
Default SELinux security alert/Squid -

On 08/02/10 13:23, Daniel J Walsh wrote:

.
Are you sure the boolean is turned on ?

# getsebool squid_connect_any
squid_connect_any --> off

Once you have set the boolean on it should stay that way permanently if you use the -P flag

# setsebool -P squid_connect_any 1


--------------------------

This is what I get:


[bobg@box6 ~]$ getsebool squid_connect_any
squid_connect_any --> on

I guess that means it should work? It's not a big problem and only began yesterday [after an update?] It just puts a warning star at the bottom of my screen.

Bob




.--


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-08-2010, 08:32 PM
Daniel J Walsh
 
Default SELinux security alert/Squid -

On 02/08/2010 03:16 PM, Bob Goodwin wrote:
> On 08/02/10 13:23, Daniel J Walsh wrote:
>
> .
> Are you sure the boolean is turned on ?
>
> # getsebool squid_connect_any
> squid_connect_any --> off
>
> Once you have set the boolean on it should stay that way permanently if
> you use the -P flag
>
> # setsebool -P squid_connect_any 1
>
>
> --------------------------
>
> This is what I get:
>
>
> [bobg@box6 ~]$ getsebool squid_connect_any
> squid_connect_any --> on
>
> I guess that means it should work? It's not a big problem and only began
> yesterday [after an update?] It just puts a warning star at the bottom
> of my screen.
>
> Bob
>
>
>
>
> .--
>
>
Yes, this means that someone put a web sight at 8180, and now squid wants to connect to it. SELinux was preventing it.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-08-2010, 08:59 PM
Bob Goodwin
 
Default SELinux security alert/Squid -

On 08/02/10 16:32, Daniel J Walsh wrote:
> On 02/08/2010 03:16 PM, Bob Goodwin wrote:
>
>> On 08/02/10 13:23, Daniel J Walsh wrote:
>>
>> .
>> Are you sure the boolean is turned on ?
>>
>> # getsebool squid_connect_any
>> squid_connect_any --> off
>>
>> Once you have set the boolean on it should stay that way permanently if
>> you use the -P flag
>>
>> # setsebool -P squid_connect_any 1
>>
>>
>> --------------------------
>>
>> This is what I get:
>>
>>
>> [bobg@box6 ~]$ getsebool squid_connect_any
>> squid_connect_any --> on
>>
>> I guess that means it should work? It's not a big problem and only began
>> yesterday [after an update?] It just puts a warning star at the bottom
>> of my screen.
>>
>> Bob
>>
>>
>>
>>
>> .--
>>
>>
>>
> Yes, this means that someone put a web sight at 8180, and now squid wants to connect to it. SELinux was preventing it.
>
>

Yes my ISP.

http://myaccount.wildblue.net:8180/

I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
list and that seems to satisfy an access problem I didn't know I
had. Don't know if the SELinux alert resulted from that. I'll see
what happens when I reboot tomorrow morning. One of the first things
I do is check my usage via Firefox to be sure we are within limits.

Thanks.

Bob






--


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-09-2010, 06:17 AM
Tim
 
Default SELinux security alert/Squid -

On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
> squid_connect_any --> off

Probably not a good idea, the settings there as an aid to protect you
against maliciousness. If you want to add exceptions, that's a better
idea than just letting anything through.

I'd make an educated guess that the original poster hadn't tried to
connect to an alternative port, while going through their proxy, before.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-09-2010, 08:43 AM
Bob Goodwin
 
Default SELinux security alert/Squid -

On 09/02/10 02:17, Tim wrote:
> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>
>> squid_connect_any --> off
>>
> Probably not a good idea, the settings there as an aid to protect you
> against maliciousness. If you want to add exceptions, that's a better
> idea than just letting anything through.
>
> I'd make an educated guess that the original poster hadn't tried to
> connect to an alternative port, while going through their proxy, before.
>
>
Well then should it not be possible to tell SELinux that this particular
connection is acceptable? To me it is vital, I need to control system
usage and that's where I get my usage data! The problem is minor and
doesn't warrant disabling SELinux in any way, I only see it upon
rebooting, usually around 04:00 which is my habit. But the "star" is
there again this morning.

As a result I have once more done [as su/root]: setsebool -P
squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30
seconds and shows a lot of cpu activity while doing it so I know
something is happening.

The security alert, generated at this morning's boot:

Summary:

SELinux is preventing the squid daemon from connecting to network
port 8180

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

SELinux has denied the squid daemon from connecting to 8180. By
default squid
policy is setup to deny squid connections. If you did not setup
squid to network
connections, this could signal a intrusion attempt.

Allowing Access:

If you want squid to connect to network ports you need to turn on the
squid_connect_any boolean: "setsebool -P squid_connect_any=1"

Fix Command:

setsebool -P squid_connect_any=1

Additional Information:

Source Context system_u:system_r:squid_t:s0
Target Context system_ubject_rort_t:s0
Target Objects None [ tcp_socket ]
Source squid
Source Path /usr/sbin/squid
Port 8180
Host box6
Source RPM Packages squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM selinux-policy-3.6.32-78.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name squid_connect_any
Host Name box6
Platform Linux box6
2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
Mon Jan 18 19:52:07 UTC 2010 x86_64
x86_64
Alert Count 33
First Seen Sun 07 Feb 2010 04:50:46 PM EST
Last Seen Sun 07 Feb 2010 05:08:58 PM EST
Local ID 87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages

node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied {
name_connect } for pid=1504 comm="squid" dest=8180
scontext=system_u:system_r:squid_t:s0
tcontext=system_ubject_rort_t:s0 tclass=tcp_socket

node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
fsgid=23 tty=(none) ses=4294967295 comm="squid"
exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-09-2010, 11:36 AM
Tim
 
Default SELinux security alert/Squid -

On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
> I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
> list and that seems to satisfy an access problem I didn't know I
> had.

If that's you're only need to access an unusual port, then bypassing the
proxy would be a good solution. There's not going to be a real need for
a caching proxy between your browser and one site to check your account.
In fact, going through a caching proxy when you want to see fresh pages
can be a problem, in itself, if the site has bad expiry time settings.

If you *needed* to go through a proxy (e.g. all your traffic had to go
through a proxy, or lots of LAN users were browsing the same resource,
and it was costing you bandwidth), then you would want to fix up your
proxy to work.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-09-2010, 12:01 PM
Bob Goodwin
 
Default SELinux security alert/Squid -

On 09/02/10 07:36, Tim wrote:
> On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
>
>> I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
>> list and that seems to satisfy an access problem I didn't know I
>> had.
>>
> If that's you're only need to access an unusual port, then bypassing the
> proxy would be a good solution. There's not going to be a real need for
> a caching proxy between your browser and one site to check your account.
> In fact, going through a caching proxy when you want to see fresh pages
> can be a problem, in itself, if the site has bad expiry time settings.
>
> If you *needed* to go through a proxy (e.g. all your traffic had to go
> through a proxy, or lots of LAN users were browsing the same resource,
> and it was costing you bandwidth), then you would want to fix up your
> proxy to work.
>
>

Ok, that sounds reasonable, but despite setting "no proxy for" I
still see the security alert?

Bob

--

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 
Old 02-09-2010, 01:46 PM
Daniel J Walsh
 
Default SELinux security alert/Squid -

On 02/09/2010 08:01 AM, Bob Goodwin wrote:
> On 09/02/10 07:36, Tim wrote:
>> On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
>>
>>> I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
>>> list and that seems to satisfy an access problem I didn't know I
>>> had.
>>>
>> If that's you're only need to access an unusual port, then bypassing the
>> proxy would be a good solution. There's not going to be a real need for
>> a caching proxy between your browser and one site to check your account.
>> In fact, going through a caching proxy when you want to see fresh pages
>> can be a problem, in itself, if the site has bad expiry time settings.
>>
>> If you *needed* to go through a proxy (e.g. all your traffic had to go
>> through a proxy, or lots of LAN users were browsing the same resource,
>> and it was costing you bandwidth), then you would want to fix up your
>> proxy to work.
>>
>>
>
> Ok, that sounds reasonable, but despite setting "no proxy for" I
> still see the security alert?
>
> Bob
>
> --
>
There is a bug in setroubleshoot that is showing all alerts as new on login. You might be seeing this.

Fixed in setroubleshoot-2.2.63-1.fc12
yum update setroubleshoot* --enablerepo=updates-testing

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
 

Thread Tools




All times are GMT. The time now is 03:42 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org