Bug 143454

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | squid message queue avc denied | | |
| Product: | [Fedora] Fedora | Reporter: | Phil Anderson <pza> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | Severity: | medium |
| Priority: | medium | Version: | 3 |
| Hardware: | All | OS: | Linux |
| Fixed In Version: | RHBA-2005-251 | Doc Type: | Bug Fix |
| Last Closed: | 2005-01-27 06:50:40 UTC | | |
Description: Phil Anderson, 2004-12-21 01:42:19 UTC
Fixes added to squid. selinux-policy-targeted-1.17.30-2.57 and selinux-policy-targeted-1.19.15-1. Both available on ftp://people.redhat.com/dwalsh/SELinux/. Should be in a FC3 Update soon.

I've updated my system to selinux-policy-targeted-1.17.30-2.58 and will leave it running and post results tomorrow here. I assume I don't need to reboot? I restarted squid just to be safe.

selinux-policy-targeted-1.17.30-2.58 didn't help. I think we need something like:

    allow squid_t self:msgq create_msgq_perms;
    allow squid_t self:shm create_shm_perms;

However, that didn't stop the errors for me either.... I'm new to selinux, so maybe I'm doing something wrong.

Ok, do this. Stop squid:

    service squid stop
    setenforce 0
    service squid start
    setenforce 1

Send me the avc messages from /var/log/messages. I do not know much about squid; is this something I could easily set up? If so, could you send me the config files to set it up and instructions, so we can resolve these problems. Dan

Ok, try selinux-policy-targeted-1.17.30-2.59, available at ftp://people.redhat.com/dwalsh/SELinux/FC3

selinux-policy-targeted-1.17.30-2.59 fixes the shared memory and message queue problems. With all those messages gone, I noticed one remaining error. When in permissive mode, I get one error on startup. After that, there are no errors (server has been up for 16 hours and served 100,000 requests). I'm not sure exactly what squid is doing here, but it only happens when diskd is turned on.

    audit(1103749634.311:0): avc: denied { read write } for pid=6057 path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961 scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file

audit2allow suggests that this will fix it:

    allow squid_t tmpfs_t:file { read write };

If you want to try out squid yourself, install the RPM and add the following line to your /etc/squid/squid.conf:

    cache_dir diskd /var/spool/squid 100 16 256

That line changes it from using the basic single process disk IO to using the recommended multiple process diskd backend. The above behaviour will only happen if you use diskd instead of ufs.

Fixed in selinux-policy-targeted-1.17.30-2.66 Dan
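As an added illustration (not code from the bug report, from audit2allow, or from the Fedora policy), the following Python script parses old-style AVC denial lines like the one quoted above and derives the same kind of allow rule audit2allow proposed, collapsing repeated denials per source type, target type and class, and writing `self` when source and target types match (as the msgq/shm rules in the thread do). The sample log lines are constructed for the example; the second one is invented to show the `self` case.

```python
import re

# Constructed samples: the first is the AVC denial quoted in the bug report,
# the second is an invented shm denial with source type == target type.
SAMPLE_AVC_LINES = [
    "audit(1103749634.311:0): avc: denied { read write } for pid=6057 "
    "path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961 "
    "scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file",
    "audit(1103749634.312:0): avc: denied { create } for pid=6057 "
    "scontext=root:system_r:squid_t tcontext=root:system_r:squid_t tclass=shm",
]

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
_FIELD_RE = re.compile(r"(\w+)=(\S+)")  # skips stray tokens such as "(deleted)"


def parse_avc(line):
    """Return permissions, source/target types and class from one AVC line, else None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    try:
        stype = fields["scontext"].split(":")[2]  # user:role:type -> type
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group("perms").split(), "stype": stype, "ttype": ttype, "tclass": tclass}


def allow_rule(avc):
    """Render one denial as a policy allow rule, using 'self' when types coincide."""
    target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {target}:{avc['tclass']} {perm_str};"


def merge_rules(lines):
    """Collapse many denials into one rule per (source, target, class) triple."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            key = (avc["stype"], avc["ttype"], avc["tclass"])
            merged.setdefault(key, set()).update(avc["perms"])
    # The generated rule grants exactly what was denied; whether a broad target such as
    # tmpfs_t is narrower than needed is still a judgement for the policy reviewer.
    return [allow_rule({"stype": s, "ttype": t, "tclass": c, "perms": sorted(p)})
            for (s, t, c), p in sorted(merged.items())]
```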