[CentOS] Squid and SELinux
Marcos Lois Bermúdez
marcos.discalis at gmail.com
Tue Feb 1 16:16:25 UTC 2011
Hi Tsuyoshi,
The /home/squid dir has the user_u:object_r:squid_cache_t context.
The /home dir has the system_u:object_r:home_root_t context.
It seems this can only be achieved via audit2allow?
A lot of thanks for your fast reply.
Regards.
On 01/02/11 02:29, Tsuyoshi Nagata wrote:
> Hi Marcos
> (2011/02/01 0:31), Marcos Lois Bermúdez wrote:
>> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>>
>> I checked the files and they are in the right context:
>>
>> drwxr-xr-x squid squid user_u:object_r:squid_cache_t .
>> drwxr-xr-x squid squid system_u:object_r:home_root_t ..
>> drwxr-x--- squid squid user_u:object_r:squid_cache_t 00
>> drwxr-x--- squid squid user_u:object_r:squid_cache_t 01
>> ...
>>
>> But when I want to start it I get this:
>>
>> type=AVC msg=audit(1296442326.932:739661): avc: denied { search }
>> for pid=30924 comm="squid" name="/" dev=sda3 ino=2
>> scontext=user_u:system_r:squid_t:s0
>> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> [root@localhost ~]# audit2allow -m squid
> type=AVC msg=audit(1296442326.932:739661): avc: denied { search }
> for pid=30924 comm="squid" name="/" dev=sda3 ino=2
> scontext=user_u:system_r:squid_t:s0
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> Ctl-D
> module squid 1.0;
>
> require {
> type home_root_t;
> type squid_t;
> class dir search;
> }
>
> #============= squid_t ==============
> allow squid_t home_root_t:dir search;
> [root@localhost ~]#
>
>
> It seems the directory '/home/squid' has 'home_root_t' type.
> Change it to 'squid_cache_t'
> # chcon -u system_u -r object_r -t squid_cache_t /home/squid
>
> --Tsuyoshi.
>
>
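The denial quoted above, worked through as an added example (my code, written for this thread; it is not the posters' code and not audit2allow or semanage themselves). It parses the AVC line, derives the same rule audit2allow printed, and walks the directory labels from the listing in the thread to show which component of the path squid_t is denied on: the AVC names a dir "/" with ino=2 on sda3 and type home_root_t, which is the root inode of that filesystem, i.e. its mount point, and matches the home_root_t label the listing shows on `..` of /home/squid. The label root_t for `/` and the set of directory types squid_t can search (SQUID_SEARCHABLE) are assumptions; on a real system derive the latter with sesearch.

```python
"""Read an SELinux AVC denial and find which directory on the path is the
problem.  Added example for this thread; not code from the list posters,
audit2allow or semanage.  The AVC line and the directory labels below are
constructed from the text quoted in the thread."""
import re

# Constructed: the AVC denial quoted in the thread, re-joined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1296442326.932:739661): avc: denied { search } '
    'for pid=30924 comm="squid" name="/" dev=sda3 ino=2 '
    'scontext=user_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir'
)

# Constructed from the listing in the thread ('..' of /home/squid is /home).
# The label of '/' is an assumption (root_t in the reference policy).
DIR_TYPES = {
    '/': 'root_t',
    '/home': 'home_root_t',
    '/home/squid': 'squid_cache_t',
    '/home/squid/00': 'squid_cache_t',
}

# ASSUMPTION: directory types squid_t is already allowed to search.  On a
# real system derive this with: sesearch -A -s squid_t -c dir -p search
SQUID_SEARCHABLE = {'root_t', 'squid_cache_t'}

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields.

    Adds 'stype'/'ttype' (the type component of scontext/tcontext).
    Returns None for lines that are not AVC denials."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in _KV_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')          # drop quotes around comm="..." etc.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """The allow rule audit2allow would emit for this single denial."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'],
                                   rec['tclass'], perm_str)


def ancestors(path):
    """'/', then every directory down to and including `path`."""
    dirs, cur = ['/'], ''
    for part in filter(None, path.split('/')):
        cur += '/' + part
        dirs.append(cur)
    return dirs


def unsearchable_ancestors(path, dir_types, searchable):
    """(dir, type) pairs on the walk to `path` whose type is not searchable.

    Every component must be searchable by the domain: relabelling only the
    leaf cannot clear a denial that is raised on one of its parents."""
    return [(d, dir_types.get(d, 'unknown')) for d in ancestors(path)
            if dir_types.get(d, 'unknown') not in searchable]


def explain(rec, dir_types, searchable, leaf):
    """Human-readable diagnosis of a directory 'search' denial."""
    notes = ['%s was denied %s on a %s labelled %s' % (
        rec['stype'], ' '.join(rec['perms']), rec['tclass'], rec['ttype'])]
    if rec.get('name') == '/' and rec.get('ino') == '2':
        # inode 2 is the root directory of an ext2/3/4 filesystem
        notes.append('name="/" with ino=2 is the root inode of the filesystem '
                     'on dev=%s, i.e. its mount point, not the leaf dir' % rec['dev'])
    for d, t in unsearchable_ancestors(leaf, dir_types, searchable):
        notes.append('%s is %s: %s cannot search it' % (d, t, rec['stype']))
    notes.append('minimal rule audit2allow would propose: ' + allow_rule(rec))
    return notes


if __name__ == '__main__':
    for note in explain(parse_avc(AVC_LINE), DIR_TYPES, SQUID_SEARCHABLE,
                        '/home/squid/00'):
        print(note)
```

Read the output as a defender would: the offending component is /home (home_root_t), so relabelling /home/squid again changes nothing. Before loading the `allow squid_t home_root_t:dir search` module, weigh that it lets squid_t traverse /home on every system the module is installed on; keeping the cache under a path the shipped policy already labels squid_cache_t avoids widening the domain. Whatever label is chosen, set it with `semanage fcontext` and apply it with `restorecon -R` rather than `chcon`, so it survives a filesystem relabel.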