Hi all,
Just want to enable squid's SNMP support to get information about its performance through snmp client. I set "snmp_port 3401" in squid.conf. SELinux is in enforcing state with targeted policy. But squid daemon doesn't start. There are some messages in audit.log like:

type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0 ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0 key=(null)

Note that squid can run if I make one of the two following changes:
1) switch selinux to permissive (setenforce 0), and keep snmp_port 3401 in squid.conf
2) keep selinux in enforcing state, and disable snmp_port in squid.conf
This problem happens in CentOS 5. The same configuration (i.e. selinux enforcing, and snmp_port 3401) works well in 4.4.
Any hint to solve the problem is appreciated.
On Thursday, 19.04.2007, at 11:17 +0900, net foss wrote:
> Hi all,
su -
cd ~
cp that one:
type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0 ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0 key=(null)
into a file named: squid_snmp_audit.log
run: audit2allow -M squid_snmp -i squid_snmp_audit.log
after that:
semodule -i squid_snmp.pp
> Any hint to solve the problem is appreciated.
Greetings
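
Added example, not part of the original messages: a short Python decoder for the SYSCALL record quoted in the thread, showing which operation was refused and in which SELinux domain. The function names are hypothetical; the constants are the i386 audit arch value, the i386 socketcall number and the socketcall sub-call numbers from linux/net.h.

```python
import errno
import re

# SYSCALL record as quoted in the thread.
RECORD = (
    'type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 '
    'success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0 '
    'ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 '
    'egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" '
    'subj=user_u:system_r:squid_t:s0 key=(null)'
)

# i386 multiplexes socket operations through socketcall(2), syscall 102;
# a0 holds the sub-call number.
AUDIT_ARCH_I386 = 0x40000003
SYS_SOCKETCALL_I386 = 102
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}


def parse_record(line):
    """Split an audit record into a dict of key=value fields."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {k: v.strip('"') for k, v in fields.items()}


def decode_syscall(line):
    """Name the refused operation, the errno and the SELinux domain."""
    f = parse_record(line)
    arch, nr, a0 = int(f["arch"], 16), int(f["syscall"]), int(f["a0"], 16)
    if arch == AUDIT_ARCH_I386 and nr == SYS_SOCKETCALL_I386:
        call = SOCKETCALL.get(a0, "socketcall(%d)" % a0)
    else:
        call = "syscall %d" % nr  # other arch/syscall: leave the raw number
    ret = int(f["exit"])
    return {
        "call": call,
        "error": errno.errorcode.get(-ret) if ret < 0 else None,
        "domain": f["subj"].split(":")[2],  # user:role:type:level
        "exe": f["exe"],
        # timestamp:serial pair shared by all records of the same event
        "serial": re.search(r"audit\(([\d.]+:\d+)\)", f["msg"]).group(1),
    }


if __name__ == "__main__":
    print(decode_syscall(RECORD))
```

The type=AVC record carrying the same msg=audit(...) stamp names the denied permission and its target, and audit2allow builds its rules from those AVC records.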
On 4/19/07, Stefan Held obi@unixkiste.org wrote:
> On Thursday, 19.04.2007, at 11:17 +0900, net foss wrote:
>> Hi all,
> su -
> cd ~
> cp that one:
> type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0 ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0 key=(null)
> into a file named: squid_snmp_audit.log
> run: audit2allow -M squid_snmp -i squid_snmp_audit.log
> after that:
> semodule -i squid_snmp.pp
Thank you very much for your help, Stefan. Everything I had to do with SELinux in CentOS 4.x (enforcing and targeted mode) was only changing the context of web contents. But now several different SELinux problems happen on my CentOS 5 box. One of them is access denied when squid opens snmp_port, which I described in my previous mail. Another one is access denied when squirrelmail connects to localhost:imap (cyrus-imapd server here). I think that I can apply your suggested method to solve these problems.
I have another question. Must I make these rules again after updating the policy package or not (i.e. will the next updates of the selinux-policy package overwrite the manually edited rules or not)?
>> Any hint to solve the problem is appreciated.
> Greetings
> --
> Stefan Held
> obi unixkiste org
> FreeNode: foo_bar
> VI has only 2 Modes: The first one is for beeping all the time, the second destroys the text.
> Fedora Ambassador: http://fedoraproject.org/wiki/StefanHeld
> perl -e'map{print pack c,($|++?1:13)+ord,select$,,$,,$,,$|}split//,ESEL.$/'
> GPG-Keyprint = 75C0 F029 CA71 F061 6C07 0640 38F7 E5F9 4EA5 A385