[CentOS] SELinux breaks Squid's ssl_crtd helper
Nicolas Kovacs
info at microlinux.fr
Sat Mar 10 22:38:17 UTC 2018
Le 10/03/2018 à 18:18, Gordon Messmer a écrit :
> Start by running "ausearch -c 'ssl_crtd' --raw" by itself. Try to
> determine whether or not all of the affected files are mentioned in that
> output.
>
> Typically, to generate a complete policy, you'll need to run in
> permissive mode while you operate the system, so that all of the things
> that you want to allow are recorded. Many services that need a new
> policy will generate more than one AVC denial, and in enforcing mode
> they'll terminate or at least cease processing the labeled resources
> that they need after the first denial. In permissive mode, you should
> get a better list of exceptions that are required, because AVCs are
> recorded, but the application isn't actually denied permission to those
> resources.
>
> When your logs are complete, remove the old module and generate a new
> one according to the directions from sealert.
OK, I found the solution. This is actually a bug in Squid's default
SELinux policy, but it can be corrected manually.
https://blog.microlinux.fr/squid-https-centos/#configuration
Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
More information about the CentOS
mailing list