[CentOS] SELinux breaks Squid's ssl_crtd helper

Sat Mar 10 22:38:17 UTC 2018
Nicolas Kovacs <info at microlinux.fr>

Le 10/03/2018 à 18:18, Gordon Messmer a écrit :
> Start by running "ausearch -c 'ssl_crtd' --raw" by itself.  Try to
> determine whether or not all of the affected files are mentioned in that
> output.
> Typically, to generate a complete policy, you'll need to run in
> permissive mode while you operate the system, so that all of the things
> that you want to allow are recorded.  Many services that need a new
> policy will generate more than one AVC denial, and in enforcing mode
> they'll terminate or at least cease processing the labeled resources
> that they need after the first denial.  In permissive mode, you should
> get a better list of exceptions that are required, because AVCs are
> recorded, but the application isn't actually denied permission to those
> resources.
> When your logs are complete, remove the old module and generate a new
> one according to the directions from sealert.

OK, I found the solution. This is actually a bug in Squid's default
SELinux policy, but it can be corrected manually.




Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32