Hi.
I'm trying to set up squid with SELinux. The problem I encounter is that I want to add another directory for the cache: in this system we have a home partition with huge space, so I created a squid dir and added the path with semanage:
semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
I checked the files and they are in the right context:
drwxr-xr-x squid squid user_u:object_r:squid_cache_t .
drwxr-xr-x squid squid system_u:object_r:home_root_t ..
drwxr-x--- squid squid user_u:object_r:squid_cache_t 00
drwxr-x--- squid squid user_u:object_r:squid_cache_t 01
...
But when I want to start it I get this:
type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
I know that the solution is to mount the huge partition on /var/spool/squid, but I'm a newbie to SELinux and want to know if it's possible to achieve this.
Regards.
Hi Marcos (2011/02/01 0:31), Marcos Lois Bermúdez wrote:
semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
I checked the files and they are in the right context:
drwxr-xr-x squid squid user_u:object_r:squid_cache_t .
**> drwxr-xr-x squid squid system_u:object_r:home_root_t ..
drwxr-x--- squid squid user_u:object_r:squid_cache_t 00
drwxr-x--- squid squid user_u:object_r:squid_cache_t 01
...
But when I want to start it I get this:
type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
[root@localhost ~]# audit2allow -m squid
type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Ctl-D
module squid 1.0;

require {
        type home_root_t;
        type squid_t;
        class dir search;
}

#============= squid_t ==============
allow squid_t home_root_t:dir search;
[root@localhost ~]#
It seems the directory '/home/squid' has the 'home_root_t' type. Change it to 'squid_cache_t':
# chcon -u system_u -r object_r -t squid_cache_t /home/squid
--Tsuyoshi.
Hi Tsuyoshi,
The /home/squid dir has the context user_u:object_r:squid_cache_t
The /home dir has the context system_u:object_r:home_root_t
So it seems this can only be achieved via audit2allow?
A lot of thanks for your fast reply.
Regards.
On 01/02/11 02:29, Tsuyoshi Nagata wrote:
On 01/31/2011 08:29 PM, Tsuyoshi Nagata wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Do not change the context of /home to anything other than home_root_t. If you changed the label, you would probably break confined applications that need to access the home directories and would not be allowed to search through squid_cache_t.
The problem you are having is that you set up the squid_cache_t directory under a directory that squid is not allowed to search in. The easiest thing to do is to add a rule that allows squid_t to search home_root_t:
# grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid
# semodule -i mysquid.pp
Another option would be to move the directory to / and then squid_t would be able to read it.
semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
That is the correct way to apply the label. Then run restorecon. chcon should only be used for testing, since it is not permanent.
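As an added example (my own code, not from the thread, audit2allow or the SELinux tools), a small parser that reads the AVC record quoted above, pulls out the source and target types, derives the same allow rule audit2allow printed for Tsuyoshi, and reports whether the denied object is the labelled tree itself or, as here, a directory above it that the domain may not traverse. The explain() helper and its reading of name="/" ino=2 as the mount point of sda3 are my interpretation, not something the thread states.

```python
import re

# Constructed copy of the AVC record quoted in this thread (same values, retyped).
AVC_LINE = ('type=AVC msg=audit(1296442326.932:739661): avc: denied { search } '
            'for pid=30924 comm="squid" name="/" dev=sda3 ino=2 '
            'scontext=user_u:system_r:squid_t:s0 '
            'tcontext=system_u:object_r:home_root_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields.

    The SELinux type is the third field of a context (user:role:type:level),
    so 'stype' and 'ttype' are added for convenience.
    """
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record')
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    avc['perms'] = m.group('perms').split()
    avc['stype'] = avc['scontext'].split(':')[2]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc


def te_rule(avc):
    """The allow rule audit2allow derives from the denial (braces only for several perms)."""
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perms)


def explain(avc, labelled_type):
    """Say whether the denied object carries the type we labelled, or is another
    directory on the path (the situation in this thread).
    Assumption: name="/" with ino=2 is the root of an ext filesystem, i.e. a mount point."""
    if avc['ttype'] == labelled_type:
        return 'object is already %s; the domain needs a policy rule for it' % labelled_type
    where = avc.get('name', '?')
    if where == '/' and avc.get('ino') == '2':
        where = 'the mount point of %s' % avc['dev']
    return '%s may not %s %s (type %s); the %s tree sits below a directory it cannot traverse' % (
        avc['stype'], ' '.join(avc['perms']), where, avc['ttype'], labelled_type)


if __name__ == '__main__':
    a = parse_avc(AVC_LINE)
    print(te_rule(a))
    print(explain(a, 'squid_cache_t'))
```

Run it against lines pulled from /var/log/audit/audit.log with `grep 'avc: *denied'` to see, before adding any rule, which directory on the path actually triggered the denial.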
Thanks,
It's clear to me now. I have had a lot of fights with SELinux, but I need to learn more, so I don't want to deactivate it. Allowing squid to search home_root_t seems to be good, so I'll try to do the correct thing and prepare a partition outside the home dir for squid.
A lot of thanks for your fast reply.
Regards.
On 01/02/11 21:30, Daniel J Walsh wrote: