Bug 1334928

Summary: SELinux is preventing squid from getattr access on the file /dev/shm/squid-cf__metadata.shm
Product: [Fedora] Fedora
Reporter: Sean Myers <sean.myers>
Component: systemd
Assignee: systemd-maint
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 22
CC: bmbouter, daviddavis, dkliban, dominick.grift, dwalsh, ggainey, ipanova, johannbg, lnykryn, lvrabec, mgrepl, mhrivnak, msekleta, muadda, pcreech, plautrba, rchan, s, systemd-maint, ttereshc, zbyszek
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 18:48:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sean Myers 2016-05-10 20:04:06 UTC
Description of problem:

I'm unable to start squid after installing it in Fedora 22.

This appears to have already been fixed in newer versions of the selinux policy, as seen here: https://bugzilla.redhat.com/show_bug.cgi?id=1331574

sealert says:

SELinux is preventing squid from getattr access on the file /dev/shm/squid-cf__metadata.shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that squid should be allowed getattr access on the squid-cf__metadata.shm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep squid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/squid-cf__metadata.shm [ file ]
Source                        squid
Source Path                   squid
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.21.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     f22-vanilla-np-qeos-108199
Platform                      Linux f22-vanilla-np-qeos-108199
                              4.4.8-200.fc22.x86_64 #1 SMP Wed Apr 20 18:38:10
                              UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-05-10 16:27:27 UTC
Last Seen                     2016-05-10 16:20:05 UTC
Local ID                      1d770798-6ad1-45eb-879a-fa24c839b372

Raw Audit Messages
type=AVC msg=audit(1462897205.715:921): avc:  denied  { getattr } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1


Hash: squid,squid_t,tmpfs_t,file,getattr
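
Added example (not part of the report and not Fedora or setroubleshoot code): a small Python parser for the AVC record above. It returns the single rule this denial maps to, unlike the `grep squid ... | audit2allow` pipeline, which folds every squid denial in the log into one module, and it flags whether the access was only logged and whether the target carries a generic type, which points at labeling rather than a missing rule. The function names and the `GENERIC_TYPES` set are assumptions of this example.

```python
import re

# The AVC record from the report, joined onto one line (sample input for this example).
SAMPLE = (
    'type=AVC msg=audit(1462897205.715:921): avc:  denied  { getattr } for  '
    'pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" '
    'ino=29900 scontext=system_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1'
)

# Assumption of this example: types that usually mean "nothing more specific
# was applied", so a labeling problem is more likely than a missing rule.
GENERIC_TYPES = {"tmpfs_t", "unlabeled_t", "default_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated or wrapped record: refuse to guess
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def allow_rule(rec):
    """The one type-enforcement rule that matches exactly this denial."""
    perms = " ".join(rec["perms"])
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"

def triage(rec):
    """Facts to check before loading a local module for this denial."""
    return {
        # permissive=1 means the access was logged but not blocked.
        "logged_only": rec.get("permissive") == "1",
        "generic_target_label": rec["ttype"] in GENERIC_TYPES,
        "rule": allow_rule(rec),
    }

if __name__ == "__main__":
    print(triage(parse_avc(SAMPLE)))
```
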

Comment 1 pulp-infra@redhat.com 2016-05-17 14:22:56 UTC
The Pulp upstream bug status is at CLOSED - WONTFIX. Updating the external tracker on this bug.

Comment 2 pulp-infra@redhat.com 2016-05-17 14:23:00 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 3 Lukas Vrabec 2016-05-20 13:16:44 UTC
This is fixed in systemd by relabeling /dev/ on start up.

Systemd folks,
Could you check if it's fixed also in F22? 

Thank you.

Comment 4 Fedora End Of Life 2016-07-19 18:48:46 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.