[CentOS] SELinux breaks Squid's ssl_crtd helper

Sat Mar 10 17:18:04 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 03/09/2018 05:18 AM, Nicolas Kovacs wrote:
> Do allow this
> access for now by executing:
> # ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
> # semodule -i my-sslcrtd.pp
> Unfortunately the suggested solution doesn't work

Start by running "ausearch -c 'ssl_crtd' --raw" by itself.  Try to 
determine whether or not all of the affected files are mentioned in that 

Typically, to generate a complete policy, you'll need to run in 
permissive mode while you operate the system, so that all of the things 
that you want to allow are recorded.  Many services that need a new 
policy will generate more than one AVC denial, and in enforcing mode 
they'll terminate or at least cease processing the labeled resources 
that they need after the first denial.  In permissive mode, you should 
get a better list of exceptions that are required, because AVCs are 
recorded, but the application isn't actually denied permission to those 

When your logs are complete, remove the old module and generate a new 
one according to the directions from sealert.