Bug 1325527
| Field | Value |
|---|---|
| Summary | SELinux policy breaks squid's ssl_crtd |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.4 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | W. Michael Petullo <mike> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Milos Malik <mmalik> |
| Docs Contact | |
| CC | lvrabec, mgrepl, mike, mmalik, plautrba, pvrabec, sdordevi, ssekidde, will |
| Target Milestone | rc |
| Target Release | --- |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-134.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Clones | 1331269 (view as bug list) |
| Environment | |
| Last Closed | 2017-08-01 15:10:10 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1331269 |
Description
W. Michael Petullo
2016-04-09 14:58:46 UTC
Please collect SELinux denials that appeared on your machine and attach them here. Thank you.

----

I am also experiencing this problem. These entries appear in the audit log:

```
type=AVC msg=audit(1469523598.300:4698): avc: denied { read } for pid=14890 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.300:4698): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebb5c8288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14890 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.300:4698): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4699): avc: denied { read } for pid=14889 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4699): arch=c000003e syscall=2 success=no exit=-13 a0=7f338a3ce288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14889 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4699): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4700): avc: denied { read } for pid=14891 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4700): arch=c000003e syscall=2 success=no exit=-13 a0=7f4a431f1288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14891 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4700): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.307:4701): avc: denied { read } for pid=14894 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.307:4701): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8e888a288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14894 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.307:4701): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.308:4702): avc: denied { read } for pid=14893 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.308:4702): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f55571288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14893 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.308:4702): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D6
```

----

When `ausearch -i` is used, the AVC messages look this way:

```
type=PROCTITLE msg=audit(07/26/2016 10:59:58.301:4700) : proctitle=(ssl_crtd) -s /var/lib/ssl_db -M 4MB -b 4096
type=SYSCALL msg=audit(07/26/2016 10:59:58.301:4700) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f4a431f1288 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=14888 pid=14891 auid=unset uid=unknown(23) gid=unknown(23) euid=unknown(23) suid=unknown(23) fsuid=unknown(23) egid=unknown(23) sgid=unknown(23) fsgid=unknown(23) tty=(none) ses=unset comm=ssl_crtd exe=/usr/lib64/squid/ssl_crtd subj=system_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(07/26/2016 10:59:58.301:4700) : avc: denied { read } for pid=14891 comm=ssl_crtd name=index.txt dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
```

I didn't know where the index.txt file should be located, but now it's clear:

```
# strace -f -e open /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB -b 4096
open("/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libssl.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcrypto.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/lib/ssl_db/index.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
/usr/lib64/squid/ssl_crtd: Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
+++ exited with 0 +++
#
```

Unfortunately, selinux-policy is not fixed yet:

```
# matchpathcon /var/lib/ssl_db
/var/lib/ssl_db	system_u:object_r:var_lib_t:s0
# matchpathcon /var/lib/ssl_db/index.txt
/var/lib/ssl_db/index.txt	system_u:object_r:var_lib_t:s0
# sesearch -s squid_t -t var_lib_t -c file -p read --allow -C
#
```

----

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
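The denials posted above (a confined daemon, squid_t, refused `read` on a file carrying the generic var_lib_t type) together with the matchpathcon and sesearch checks in the follow-up comment are the whole diagnosis, so here is an added triage script that automates it. This is example code written for this page, not part of the bug report or of selinux-policy. It parses raw audit.log records, decodes the hex PROCTITLE the way `ausearch -i` does to recover the `-s /var/lib/ssl_db` argument, and derives two candidate fixes: the audit2allow-style allow rule (which would let squid_t read every var_lib_t file on the system) and the narrower relabel of just that directory. The sample records are copied from this bug; the target type squid_cache_t used in the relabel commands is an assumption for the example, not a value the report states, and the list of "generic" types that flags a probable mislabel is a heuristic chosen here.

```python
"""Triage raw audit.log records for SELinux AVC denials (added example, not
code from the bug report or from selinux-policy)."""
import re
import shlex
from collections import defaultdict

# Constructed sample: the three records of event 4698 from this bug report,
# plus the AVC record of event 4699 (which has no PROCTITLE here on purpose).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1469523598.300:4698): avc: denied { read } for pid=14890 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.300:4698): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebb5c8288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14890 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.300:4698): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4699): avc: denied { read } for pid=14889 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{([^}]*)\}")

# Generic types a confined daemon should normally never touch.  A denial on one
# of these usually means the object is mislabeled, not that policy lacks an
# allow rule.  Heuristic list chosen for this example.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "default_t", "unlabeled_t"}


def decode_proctitle(hexstr):
    """PROCTITLE stores argv hex-encoded with NUL separators; return it as a list."""
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(hexstr).split(b"\x00") if a]


def parse_audit(text):
    """Return {event_id: {record_type: fields}} for every record in `text`."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, eid, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        fields["_ts"] = ts
        if rtype == "AVC":
            fields["perms"] = PERMS_RE.search(body).group(1).split()
        if rtype == "PROCTITLE" and "proctitle" in fields:
            fields["argv"] = decode_proctitle(fields["proctitle"])
        events[int(eid)][rtype] = fields
    return dict(events)


def setype(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def triage(event, relabel_type="squid_cache_t"):
    """Summarise one denied event and propose the two candidate fixes.

    `relabel_type` is the file type the daemon's data directory would be
    relabeled to; squid_cache_t is an assumption for this example.
    """
    avc = event["AVC"]
    src, tgt = setype(avc["scontext"]), setype(avc["tcontext"])
    argv = event.get("PROCTITLE", {}).get("argv", [])
    # ssl_crtd takes its database directory as "-s <dir>"; recover it from argv.
    db_dir = None
    if "-s" in argv and argv.index("-s") + 1 < len(argv):
        db_dir = argv[argv.index("-s") + 1]
    result = {
        "enforcing": avc.get("permissive") == "0",
        "source_type": src,
        "target_type": tgt,
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "comm": avc.get("comm"),
        "name": avc.get("name"),
        "mislabel_suspected": tgt in GENERIC_TYPES,
        # What audit2allow would emit: afterwards squid_t could read *every*
        # var_lib_t file on the host, far more than its certificate database.
        "allow_rule": f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        # Narrower alternative: give only the daemon's own directory a type the
        # domain already has access to, and leave var_lib_t untouched.
        "relabel_commands": None,
    }
    if db_dir:
        pattern = f"{db_dir}(/.*)?"
        result["relabel_commands"] = [
            f"semanage fcontext -a -t {relabel_type} {shlex.quote(pattern)}",
            f"restorecon -Rv {shlex.quote(db_dir)}",
        ]
    return result


if __name__ == "__main__":
    for eid, ev in sorted(parse_audit(SAMPLE_AUDIT).items()):
        if "AVC" in ev:
            print(eid, triage(ev))
```

Run against a real system, feed it `ausearch -m AVC,SYSCALL,PROCTITLE -ts recent --raw` output instead of the embedded sample. The check that the policy update actually resolved this is the one the comment above already ran: `matchpathcon /var/lib/ssl_db` followed by `sesearch -s squid_t -t <that type> -c file -p read --allow`; if matchpathcon still answers var_lib_t, the relabel commands the script prints (run as root) are the narrow workaround, and the `allow squid_t var_lib_t:file { read };` rule is the one to avoid.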