Bug 149815

Summary: squid doesn't start when spool is in a non selinux supported partition
Product: [Fedora] Fedora Reporter: Nerijus Baliūnas <nerijus>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: jmorris, sundaram
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-05 06:49:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nerijus Baliūnas 2005-02-27 17:46:34 UTC 
/mnt/cache1 is reiserfs partition. squid.conf:
cache_dir ufs /mnt/cache1 4000 16 256
# ls -Zd /mnt/cache1 
drwxr-xr-x  squid    squid    system_u:object_r:squid_cache_t  /mnt/cache1
# ls -Zd /mnt/cache1/00                                                        
        
drwxr-xr-x  squid    squid                                     /mnt/cache1/00

Squid cannot start. /var/log/squid/cache.log:
/mnt/cache1: (13) Permission denied
/var/log/messages:
kernel: audit(1109525545.287:0): avc:  denied  { getattr } for  pid=3373
exe=/usr/sbin/squid path=/mnt/cache1 dev=hda6 ino=2
scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfs_t tclass=dir

Where is nfs_t coming from? Could it be that all files in /mnt/cache1 get it by
default?

System is fully updated as of today.
Comment 1 Daniel Walsh 2005-02-28 13:37:14 UTC 
Not sure, but I know that reiserfs is not supported with SELinux at the current
time.  There are many bugs in its handling of Extended Attributes.

Dan
Comment 2 Nerijus Baliūnas 2005-02-28 13:48:13 UTC 
You probably misunderstood. Yes, I know that reiserfs is not supported with
SELinux. But I showed that reiserfs partition doesn't have EAs at all:
# ls -Zd /mnt/cache1/00
drwxr-xr-x  squid    squid                    /mnt/cache1/00

Directory 00 in reiserfs partition does not have any SELinux attributes. And I
showed that I changed type to squid_cache_t for /mnt/cache1, i.e. a mountpoint.

So the question is - why squid doesn't work on a filesystem, which does not have
ANY SELinux attributes?
Comment 3 Daniel Walsh 2005-02-28 14:02:06 UTC 
Do you have nfs running on this machine?  Or is the kernel/reiserfs getting
confused?

James do you have any ideas?
Comment 4 Nerijus Baliūnas 2005-02-28 14:17:04 UTC 
No nfs running.
Comment 5 Daniel Walsh 2005-02-28 14:18:33 UTC 
Which tells me the kernel/reiser is very confused.  So this is not a policy
problem...
Comment 6 James Morris 2005-02-28 15:28:33 UTC 
(In reply to comment #3)
 
> James do you have any ideas?

Does the policy contain a line like this:

genfscon reiserfs /                     system_u:object_r:nfs_t
Comment 7 Daniel Walsh 2005-02-28 15:40:28 UTC 
Excellent catch.  Yes that is whats causing the nfs.  Sorry I missed it but if
he is mounting with a context why is nfs_t still showing up?

Dan
Comment 8 James Morris 2005-02-28 15:57:58 UTC 
(In reply to comment #7)
> Excellent catch.  Yes that is whats causing the nfs.  Sorry I missed it but if
> he is mounting with a context why is nfs_t still showing up?
> 

I don't think it's a context mount, it was just the first idea thing I came up
with to check.
Comment 9 Daniel Walsh 2005-02-28 16:47:38 UTC 
Nerijus

Could you try to mount the /mnt/cache1 directory with 

fscontext=system_u:object_r:squid_cache_t

mount -t reiserfs -o fscontext=system_u:object_r:squid_cache_t /dev/ABC /mnt/cache1
Comment 10 Nerijus Baliūnas 2005-02-28 16:50:03 UTC 
I don't mount with a context, I just changed SELinux attribute for a mount point
(as otherwise squid was not able to access /mnt/cache1; btw, I had to change
type to squid_cache_t for /mnt also). /etc/fstab:
/dev/hda6     /mnt/cache1       reiserfs defaults    0 0

Any ideas how to use reiserfs for squid cache? Changing nfs_t to squid_cache_t in
genfscon reiserfs /                     system_u:object_r:nfs_t
should help?
Comment 11 Nerijus Baliūnas 2005-02-28 17:05:27 UTC 
mount:
/dev/hda6 on /mnt/cache1 type reiserfs
(rw,fscontext=system_u:object_r:squid_cache_t)

Still no go:
kernel: audit(1109609802.473:0): avc:  denied  { associate } for  pid=4340
exe=/usr/sbin/squid name=00 scontext=root:object_r:squid_cache_t
tcontext=system_u:object_r:squid_cache_t tclass=filesystem
squid: Failed to make swap directory /mnt/cache1/00: (13) Permission denied

BTW, I even cannot create file as root:
# touch /mnt/cache1/aa
touch: cannot touch `/mnt/cache1/aa': Permission denied
kernel: audit(1109610143.996:0): avc:  denied  { associate } for  pid=4436
exe=/bin/touch name=aa scontext=root:object_r:squid_cache_t
tcontext=system_u:object_r:squid_cache_t tclass=filesystem
Comment 12 Daniel Walsh 2005-02-28 17:10:49 UTC 
Ok you are going to need a rule 

allow squid_cache_t self:filesystem associate;

Dan
Comment 13 Nerijus Baliūnas 2005-02-28 17:31:59 UTC 
I added to domains/misc/local.te
allow squid_cache_t self:filesystem { associate };
and ran make reload. Squid starts, but I see in cache.log:
Rebuilding storage in /mnt/cache1 (DIRTY)
/mnt/cache1: (13) Permission denied
...
Done scanning /mnt/cache1 swaplog (0 entries)

/var/log/messages:
kernel: audit(1109611258.279:0): avc:  denied  { getattr } for  pid=4871
exe=/usr/sbin/squid name=/ dev=hda6 ino=2 scontext=root:system_r:squid_t
tcontext=system_u:object_r:squid_cache_t tclass=filesystem
Comment 14 Daniel Walsh 2005-05-12 18:11:55 UTC 
You should use context= instead of fscontext=