[CentOS] Squid and SELinux

Tue Feb 1 16:16:25 UTC 2011
Marcos Lois Bermúdez <marcos.discalis at gmail.com>

Hi Tsuyoshi,

The /home/squid dir has the user_u:object_r:squid_cache_t
The /home dir has the system_u:object_r:home_root_t

It seems this can only be achieved via audit2allow?

A lot of thanks for your fast reply.

Regards.

On 01/02/11 02:29, Tsuyoshi Nagata wrote:
> Hi Marcos
> (2011/02/01 0:31), Marcos Lois Bermúdez wrote:
>> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>>
>> I checked the files and they are in the correct context:
>>
>> drwxr-xr-x  squid squid user_u:object_r:squid_cache_t    .
>> drwxr-xr-x  squid squid system_u:object_r:home_root_t  ..
>> drwxr-x---  squid squid user_u:object_r:squid_cache_t    00
>> drwxr-x---  squid squid user_u:object_r:squid_cache_t    01
>> ...
>>
>> But when I want to start it I get this:
>>
>> type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } 
>> for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 
>> scontext=user_u:system_r:squid_t:s0 
>> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> [root@localhost ~]# audit2allow -m squid
> type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } 
> for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 
> scontext=user_u:system_r:squid_t:s0 
> tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> Ctl-D
> module squid 1.0;
>
> require {
>         type home_root_t;
>         type squid_t;
>         class dir search;
> }
>
> #============= squid_t ==============
> allow squid_t home_root_t:dir search;
> [root@localhost ~]#
>
>
> It seems the directory '/home/squid' has 'home_root_t' type.
> Change it to 'squid_cache_t'
>   # chcon -u system_u -r object_r -t squid_cache_t /home/squid
>
> --Tsuyoshi.
>
>
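The thread turns on reading one AVC record correctly: the denied object is `name="/"` on `dev=sda3`, labelled `home_root_t`, so it is the `/home` mount point itself, not the already-relabelled cache directory, and the denied permission is only `dir search` (traversal). The following is an added example, not code from the thread or from the audit2allow tool, that parses AVC records the way a reviewer would before loading a generated module: it extracts source type, target type, class and permissions, merges them into the same `allow` form audit2allow prints, and flags denials that are pure directory traversal so they can be distinguished from denials that would grant real access to the target. The sample audit lines are constructed; the first is the record quoted in the thread, the second is an invented companion denial on the same directory, and the `SYSCALL` line is there to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC record from the thread; line 2 is an
# invented getattr denial against the same directory; line 3 is a non-AVC record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1296442327.101:739662): avc:  denied  { getattr } for  pid=30924 comm="squid" path="/home" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1296442326.932:739661): arch=c000003e syscall=2 success=no exit=-13 comm="squid"
"""

# One AVC record: permissions inside { }, then scontext / tcontext / tclass.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(text):
    """Parse AVC denial records out of raw audit text; other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            'perms': set(m.group('perms').split()),
            'stype': selinux_type(m.group('scontext')),
            'ttype': selinux_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return records


def build_allow_rules(records):
    """Merge denials per (source, target, class) into allow rules in audit2allow's form."""
    merged = defaultdict(set)
    for r in records:
        merged[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_text))
    return rules


def is_traversal_only(record):
    """True when a dir denial asks only for search/getattr, i.e. passing through a
    parent directory rather than reading or writing anything inside it."""
    return record['tclass'] == 'dir' and record['perms'] <= {'search', 'getattr'}


def review(text):
    """Return (rules, traversal_only) so a reviewer can judge the module before loading it."""
    records = parse_avc(text)
    return build_allow_rules(records), all(is_traversal_only(r) for r in records)


if __name__ == '__main__':
    rules, traversal_only = review(SAMPLE_AUDIT)
    for rule in rules:
        print(rule)
    print('traversal-only denials:', traversal_only)
```

Running it on the constructed sample prints a single merged rule for `squid_t` on `home_root_t:dir` and reports that every denial is traversal only. That matches the situation in the thread: relabelling `/home/squid` again changes nothing, because the object being denied is `/home`, and the minimal rule needed is search (and possibly getattr) on `home_root_t` directories; a rule that granted `read` or `write` on that type would be over-broad and should be rejected at review time.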