[CentOS] Squid and SELinux

Wed Feb 2 18:57:29 UTC 2011
Marcos Lois Bermúdez <marcos.discalis at gmail.com>

Thanks,

It's clear to me now. I have had a lot of fights with SELinux, but I need 
to learn more, so I don't want to deactivate it. Allowing squid to search 
home_root_t seems good, so I will try to do the correct thing and 
prepare a partition outside the home dir for squid.

Many thanks for your fast reply.

Regards.

On 01/02/11 21:30, Daniel J Walsh wrote:
>
> On 01/31/2011 08:29 PM, Tsuyoshi Nagata wrote:
>> Hi Marcos
>> (2011/02/01 0:31), Marcos Lois Bermúdez wrote:
>>> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>>>
>>> i check the files and are in the good context:
>>>
>>> drwxr-xr-x  squid squid user_u:object_r:squid_cache_t    .
>> **>  drwxr-xr-x  squid squid system_u:object_r:home_root_t  ..
>>> drwxr-x---  squid squid user_u:object_r:squid_cache_t    00
>>> drwxr-x---  squid squid user_u:object_r:squid_cache_t    01
>>> ...
>>>
>>> But when i want start it i get this:
>>>
>>> type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>> [root at localhost ~]# audit2allow -m squid
>> type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>> Ctl-D
>> module squid 1.0;
>>
>> require {
>>           type home_root_t;
>>           type squid_t;
>>           class dir search;
>> }
>>
>> #============= squid_t ==============
>> allow squid_t home_root_t:dir search;
>> [root at localhost ~]#
>>
>>
>> It seems the directory '/home/squid' has 'home_root_t' type.
>> Change it to 'squid_cache_t'
>>     # chcon -u system_u -r object_r -t squid_cache_t /home/squid
>>
>> --Tsuyoshi.
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
> Do not change the context of /home to anything other than home_root_t.
> If you changed the label then you would probably blow up confined
> applications that need to access the homedirs and would not be allowed
> to search through squid_cache_t.
>
> The problem you are having is you setup the squid_cache_t directory
> under a directory that squid is not allowed to search in.  The easiest
> thing to do is to add a rule that allows squid_t to search home_root_t
>
> # grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid
> # semodule -i mysquid.pp
>
> Another option would be to move the directory to / and then squid_t
> would be able to read it.
>
> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>
> That is the correct way to apply the label.  Then run restorecon.
> chcon should only be used for testing, since it is not permanent.
>
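Added example (not part of the thread, and not a replacement for audit2allow): a small Python script that reads AVC denial records like the one quoted above and emits the same allow rule audit2allow printed, so you can see which fields of the denial become which parts of the rule. scontext and tcontext are user:role:type[:range] triples and only the type component matters for the rule; tclass and the braces after "denied" become the object class and permission. The second log line in SAMPLE_AUDIT_LOG is constructed (a hypothetical getattr denial on the same directory) only to show how permissions on the same source/target/class get merged into one rule, as happens when you feed a whole audit.log through "grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid".

```python
import re
from collections import defaultdict

# Constructed sample input: the first line is the AVC denial quoted in the
# thread; the second is a hypothetical extra denial on the same directory,
# added here to show how several permissions merge into one allow rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1296442327.101:739662): avc:  denied  { getattr } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
"""

# Pull the permission set, both security contexts and the object class out
# of one audit record. Everything between "denied {" and "}" is a
# space-separated permission list.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user_u:system_r:squid_t:s0 -> squid_t (the type is the third field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the pieces of one denial that a policy rule is built from, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(log_text):
    """Merge all denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return rules


def perm_list(perms):
    """One permission is written bare; several are written in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name, version="1.0"):
    """Render a .te policy source in the layout audit2allow uses."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls] |= perms

    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {cls} {perm_list(classes[cls])};" for cls in sorted(classes)]
    lines += ["}", ""]

    # One section per source domain, one allow rule per target/class pair.
    for src in sorted({s for (s, _, _) in rules}):
        lines.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                lines.append(f"allow {s} {tgt}:{cls} {perm_list(perms)};")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG), "mysquid"))
```

On a real system you would not hand-write the module: "audit2allow -M mysquid" produces mysquid.te and the compiled mysquid.pp, and "semodule -i mysquid.pp" loads it. The point of reading the generated rule before loading it is the one Dan makes in the thread: a rule such as "allow squid_t home_root_t:dir search" is narrow (search only, on the directory type only), whereas relabeling /home itself would affect every confined domain that expects home_root_t there.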