[CentOS] Squid and SELinux

Tue Feb 1 20:30:24 UTC 2011
Daniel J Walsh <dwalsh at redhat.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/31/2011 08:29 PM, Tsuyoshi Nagata wrote:
> Hi Marcos
> (2011/02/01 0:31), Marcos Lois Bermúdez wrote:
>> semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'
>>
>> i check the files and are in the good context:
>>
>> drwxr-xr-x  squid squid user_u:object_r:squid_cache_t    .
>> drwxr-xr-x  squid squid system_u:object_r:home_root_t  ..
>> drwxr-x---  squid squid user_u:object_r:squid_cache_t    00
>> drwxr-x---  squid squid user_u:object_r:squid_cache_t    01
>> ...
>>
>> But when i want start it i get this:
>>
>> type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> 
> [root at localhost ~]# audit2allow -m squid
> type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  pid=30924 comm="squid" name="/" dev=sda3 ino=2 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
> Ctl-D
> module squid 1.0;
> 
> require {
>          type home_root_t;
>          type squid_t;
>          class dir search;
> }
> 
> #============= squid_t ==============
> allow squid_t home_root_t:dir search;
> [root at localhost ~]#
> 
> 
> It seems the directory '/home/squid' has 'home_root_t' type.
> Change it to 'squid_cache_t'
>    # chcon -u system_u -r object_r -t squid_cache_t /home/squid
> 
> --Tsuyoshi.
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos


Do not change the context of /home to anything other than home_root_t.
If you changed the label then you probably would blow up confined
applications that need to access the homedirs and would not be allowed
to search through squid_cache_t.

The problem you are having is you set up the squid_cache_t directory
under a directory that squid is not allowed to search in.  The easiest
thing to do is to add a rule that allows squid_t to search home_root_t

# grep home_root_t /var/log/audit/audit.log | audit2allow -M mysquid
# semodule -i mysquid.pp

Another option would be to move the directory to / and then squid_t
would be able to read it.

semanage fcontext -a -t squid_cache_t '/home/squid(/.*)?'

is the correct way to apply the label.  Then run restorecon.  chcon
should only be used for testing, since it is not permanent.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1IbWAACgkQrlYvE4MpobNqrACeK+nSf0h8h0II4UpbPipOI62o
RhQAoJMfxjOOVOx7qzS7rp0PwAWd05n3
=Q6ax
-----END PGP SIGNATURE-----
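The `grep ... | audit2allow -M mysquid` step in the reply turns the quoted AVC denial into a loadable policy module. The script below is an added illustration, not code from this thread or from the SELinux tools: it does what audit2allow does for the simple case shown, parsing each AVC record, grouping the denied permissions per (source type, target type, object class) and rendering the `.te` source so the rule can be read before `semodule -i`. The sample log consists of the denial quoted in the thread plus one constructed non-AVC record; the function names are mine.

```python
"""Parse SELinux AVC denials and emit a minimal Type Enforcement (.te) module.

Added example (not from the CentOS thread or from the audit2allow tool). It
reproduces the audit2allow -M output for the simple case in the thread so the
resulting allow rule can be reviewed before anything is loaded with semodule.
"""
import re
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the thread, line 2 is a
# constructed SYSCALL record that must be ignored (it is not an AVC record).
SAMPLE_LOG = [
    'type=AVC msg=audit(1296442326.932:739661): avc:  denied  { search } for  '
    'pid=30924 comm="squid" name="/" dev=sda3 ino=2 '
    'scontext=user_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1296442326.932:739661): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="squid" exe="/usr/sbin/squid"',
]

# AVC record layout: permissions inside braces, then scontext/tcontext in
# user:role:type[:level] form, then the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scon").split(":")[2]  # third field of a context is the type
    ttype = m.group("tcon").split(":")[2]
    perms = frozenset(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms


def collect_rules(lines):
    """Group denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def _perm_text(perms):
    """audit2allow style: a bare name for one permission, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(lines, name="mysquid"):
    """Render .te source equivalent to what audit2allow -M <name> would write."""
    rules = collect_rules(lines)
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_text(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {_perm_text(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_LOG))
```

Having the rule in front of you is the point of the exercise: a denial whose target is home_root_t is exactly the case the reply says to fix with an allow rule, whereas a denial on a file under the cache directory that carries the wrong type is fixed by `semanage fcontext` plus `restorecon`, not by loading another allow rule. The real `audit2allow` handles many record variants this script does not, so use it for production modules and keep this only as a readable check of what a generated rule contains.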