Bug 1276381

Summary: Squid fails to start with under SELinux MLS
Product: Red Hat Enterprise Linux 7 Reporter: Dustin C. Hatch <dustin>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Stefan Dordevic <sdordevi>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, sdordevi, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-83.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 02:23:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dustin C. Hatch 2015-10-29 14:59:33 UTC 
Description of problem:
When the system is using the MLS SELinux policy, the squid.service unit fails to start:

systemd[1]: Starting Squid caching proxy...
cache_swap.sh[2119]: init_cache_dir /var/cache/squid... /usr/libexec/squid/cache_swap.sh: line 14: /var/log/squid/squid.out: Permission denied

The problem is this AVC:

type=AVC msg=audit(1446129156.681:889): avc:  denied  { write } for  pid=2124 comm="cache_swap.sh" name="squid" dev="xvda1" ino=8722141 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
squid-3.3.8-12.el7_0.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Enable SELinux MLS
2. Start squid.service

Actual results:
Squid fails to start because cache_swap.sh does not run

Expected results:
cache_swap.sh should execute successfully even under SELinux MLS, and squid should start

Additional info:
Fixing this problem is trivial:
chcon -t squid_exec_t /usr/libexec/squid/cache_swap.sh
Comment 3 Miroslav Grepl 2015-11-02 07:43:40 UTC 
Thank you. We need to add a labeling for /usr/libexec/squid/cache_swap.sh as you mentioned.
Comment 7 errata-xmlrpc 2016-11-04 02:23:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html