[CentOS] SELinux breaks Squid's ssl_crtd helper

peter.winterflood peter.winterflood at ossi.co.uk
Fri Mar 9 19:00:34 UTC 2018


The ausearch is only identifying issues that there are logs for at that time.
Best to create a file context for that path permanently.
There's an example of how to do this in the SELinux man pages. Typing on my
phone, I'm trying to remember the command from the example in its man page.
semanage fcontext is what you are looking for, followed by a restorecon on
the path you added.
Regards, Peter



On 9 March 2018 13:18:45 "Nicolas Kovacs" <info at microlinux.fr> wrote:

> Hi,
>
> I've setup a transparent HTTP+HTTPS proxy on my server running CentOS 7,
> using Squid. Here's my configuration file.
>
> --8<----------------------------------------------------------------
> # /etc/squid/squid.conf
>
> # Definitions
> acl localnet src 192.168.2.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> # Access rules
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> # Proxy ports
> http_port 3130
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump \
>   cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> # Location of ssl_crtd and of the TLS certificate cache
> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 8 startup=1 idle=1
>
> # SSL-Bump
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> # Size of the in-RAM cache
> cache_mem 2048 MB
>
> # Location and size of the on-disk cache
> # cache_dir ufs /var/spool/squid 100 16 256
>
> # Core dumps
> coredump_dir /var/spool/squid
>
> # Lifetime of files without an expiry date
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> --8<----------------------------------------------------------------
>
> First, I tested the configuration in permissive mode, where it works
> perfectly. After running it a while, I get the following SELinux alert.
>
> # sealert -a /var/log/audit/audit.log
> ***** Plugin catchall (17.1 confidence) suggests *****
> If you believe that ssl_crtd should be allowed read access on the
> index.txt file by default. Then you should report this as a bug. You can
> generate a local policy module to allow this access. Do allow this
> access for now by executing:
> # ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
> # semodule -i my-sslcrtd.pp
>
> Unfortunately the suggested solution doesn't work, because the problem
> reappears, and I get all sorts of errors in /var/log/squid/cache.log,
> all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db.
>
> Any idea how I can solve this problem permanently?
>
> Cheers,
>
> Niki
>
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
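The permanent fix Peter describes, written out as an added example (not code from the thread or from the Squid project): register a persistent file context for the ssl_crtd database from Niki's squid.conf, relabel it, and check the result. It assumes the DB path /var/lib/ssl_db and that squid_cache_t is a type the squid_t domain is already allowed to manage; confirm that with sesearch before relying on it.

```shell
#!/bin/bash
# Added example: make the SELinux label on Squid's certificate DB permanent.
# Assumptions: DB lives at /var/lib/ssl_db (as in the squid.conf above) and
# squid_cache_t is a type squid_t may manage. Check first with setools:
#   sesearch -A -s squid_t -t squid_cache_t -c dir
set -eu

SSL_DB="${SSL_DB:-/var/lib/ssl_db}"
CTX_TYPE="${CTX_TYPE:-squid_cache_t}"   # assumed target type, see above

# Regex in the form semanage expects: the directory itself and everything below.
fcontext_pattern() {
    printf '%s(/.*)?' "$1"
}

# Does a `semanage fcontext -l` listing already hold a rule for this pattern
# with this type? Pure text check, so it can be tested on sample output.
rule_present() {
    local listing="$1" pattern="$2" type="$3" hits
    hits="$(printf '%s\n' "$listing" | grep -F -- "$pattern" || true)"
    case "$hits" in
        *":${type}:"*) return 0 ;;
        *)             return 1 ;;
    esac
}

apply_label() {
    local pattern
    pattern="$(fcontext_pattern "$SSL_DB")"
    if rule_present "$(semanage fcontext -l)" "$pattern" "$CTX_TYPE"; then
        echo "fcontext rule for $pattern already present"
    else
        # -a stores the rule in the local policy module store; unlike
        # audit2allow output it survives policy updates and full relabels.
        semanage fcontext -a -t "$CTX_TYPE" "$pattern"
    fi
    # The rule alone does not touch existing inodes; relabel them now.
    restorecon -Rv "$SSL_DB"
    # Show what got applied, then look for any fresh denials for the helper.
    ls -dZ "$SSL_DB"
    ausearch -m AVC -c ssl_crtd -ts recent || true
}

# Only run the privileged part when asked: `sudo ./fix-ssl_db-label.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_label
fi
```

After applying, restart squid and watch /var/log/squid/cache.log and the audit log; if denials persist for another path, repeat with that path rather than reaching for audit2allow.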
