[CentOS] Squid and SELinux
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 1 20:30:24 UTC 2011
On 01/31/2011 08:29 PM, Tsuyoshi Nagata wrote:
> Hi Marcos
> (2011/02/01 0:31), Marcos Lois Bermúdez wrote:
>> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>>
>> I checked the files and they are in the correct context:
>>
>> drwxr-xr-x squid squid user_u:object_r:squid_cache_t .
>> drwxr-xr-x squid squid system_u:object_r:home_root_t ..
>> drwxr-x--- squid squid user_u:object_r:squid_cache_t 00
>> drwxr-x--- squid squid user_u:object_r:squid_cache_t 01
>> ...
>>
>> But when I want to start it I get this:
>>
>> type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
>
> [root at localhost ~]# audit2allow -m squid
> type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> Ctl-D
> module squid 1.0;
>
> require {
> type home_root_t;
> type squid_t;
> class dir search;
> }
>
> #============= squid_t ==============
> allow squid_t home_root_t:dir search;
> [root at localhost ~]#
>
>
> It seems the directory '/home/squid' has 'home_root_t' type.
> Change it to 'squid_cache_t'
> # chcon -u system_u -r object_r -t squid_cache_t /home/squid
>
> --Tsuyoshi.
>
Do not change the context of /home to anything other than home_root_t.
If you changed the label then you probably would blow up confined
applications that need to access the homedirs and would not be allowed
to search through squid_cache_t.
The problem you are having is you setup the squid_cache_t directory
under a directory that squid is not allowed to search in. The easiest
thing to do is to add a rule that allows squid_t to search home_root_t
# grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid
# semodule -i mysquid.pp
Another option would be to move the directory to / and then squid_t
would be able to read it.
semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
That is the correct way to apply the label. Then run restorecon.
chcon should only be used for testing, since it is not permanent.
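As an added example (not part of the thread, and not Red Hat's or the audit2allow code), the following Python reproduces the two things the thread relies on: turning AVC denial records into the `allow` rule audit2allow prints, and spotting that the denied target type (home_root_t) is not the type that was labelled (squid_cache_t), which is what tells you an ancestor directory is blocking the path walk rather than the cache tree itself. The first sample record is the one quoted in the thread; the second is constructed to show how permissions on the same source/target/class pair are merged.

```python
import re
from collections import defaultdict

# The AVC record quoted in the thread.
PAGE_AVC_LINE = (
    'type=AVC msg=audit(1296442326.932:739661): avc: denied { search } for '
    'pid=30924 comm="squid" name="/" dev=sda3 ino=2 '
    'scontext=user_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir'
)

# Constructed audit.log excerpt: the thread's record, a second constructed
# denial on the same pair, and a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = PAGE_AVC_LINE + "\n" + (
    'type=AVC msg=audit(1296442330.100:739662): avc: denied { getattr } for '
    'pid=30924 comm="squid" path="/home" dev=sda3 ino=2 '
    'scontext=user_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1296442326.932:739661): arch=c000003e '
    'syscall=2 success=no exit=-13\n'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:level] -> type (the only field an allow rule needs)."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], frozenset(m['perms'].split()))


def fmt_perms(perms):
    """Single permission bare, several in braces, as in TE policy syntax."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_module(text, name, version='1.0'):
    """Render a TE module in the shape audit2allow -M/-m prints."""
    rules = defaultdict(set)   # (src, tgt, class) -> permissions
    classes = defaultdict(set) # class -> permissions used anywhere
    for src, tgt, cls, perms in parse_avc(text):
        rules[(src, tgt, cls)] |= perms
        classes[cls] |= perms
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (cls, fmt_perms(p)) for cls, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, fmt_perms(perms)))
    return '\n'.join(out)


def dir_types_blocking(text, domain, labelled_type):
    """Directory types that denied `domain` and differ from the type you
    labelled. A hit here means a parent directory, not the labelled tree,
    is what the domain cannot traverse (the thread's /home case)."""
    return sorted({tgt for src, tgt, cls, _ in parse_avc(text)
                   if src == domain and cls == 'dir' and tgt != labelled_type})


if __name__ == '__main__':
    print(build_module(PAGE_AVC_LINE, 'squid'))
    print(dir_types_blocking(SAMPLE_AUDIT_LOG, 'squid_t', 'squid_cache_t'))
```

Run on the thread's single record, `build_module` yields the same `allow squid_t home_root_t:dir search;` rule the thread shows; `dir_types_blocking` returning `home_root_t` is the signal that the fix belongs to the parent directory's policy (or to relocating the cache), not to relabelling `/home`.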