Bug 149815
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | squid doesn't start when spool is in a non selinux supported partition | | |
| Product | [Fedora] Fedora | Reporter | Nerijus Baliūnas <nerijus> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 3 | CC | jmorris, sundaram |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2005-09-05 06:49:05 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Nerijus Baliūnas
2005-02-27 17:46:34 UTC
Not sure, but I know that reiserfs is not supported with SELinux at the current time. There are many bugs in its handling of Extended Attributes.

Dan

You probably misunderstood. Yes, I know that reiserfs is not supported with SELinux. But I showed that the reiserfs partition doesn't have EAs at all:

```
# ls -Zd /mnt/cache1/00
drwxr-xr-x  squid    squid                            /mnt/cache1/00
```

Directory 00 in the reiserfs partition does not have any SELinux attributes. And I showed that I changed the type to squid_cache_t for /mnt/cache1, i.e. a mountpoint. So the question is: why doesn't squid work on a filesystem which does not have ANY SELinux attributes?

Do you have nfs running on this machine? Or is the kernel/reiserfs getting confused? James, do you have any ideas?

No nfs running.

Which tells me the kernel/reiser is very confused. So this is not a policy problem...

(In reply to comment #3)
> James do you have any ideas?

Does the policy contain a line like this:

```
genfscon reiserfs / system_u:object_r:nfs_t
```

Excellent catch. Yes, that is what's causing the nfs. Sorry I missed it, but if he is mounting with a context why is nfs_t still showing up?

Dan

(In reply to comment #7)
> Excellent catch. Yes that is whats causing the nfs. Sorry I missed it but if
> he is mounting with a context why is nfs_t still showing up?

I don't think it's a context mount, it was just the first thing I came up with to check.

Nerijus, could you try to mount the /mnt/cache1 directory with fscontext=system_u:object_r:squid_cache_t:

```
mount -t reiserfs -o fscontext=system_u:object_r:squid_cache_t /dev/ABC /mnt/cache1
```

I don't mount with a context, I just changed the SELinux attribute for the mount point (as otherwise squid was not able to access /mnt/cache1; btw, I had to change the type to squid_cache_t for /mnt also). /etc/fstab:

```
/dev/hda6 /mnt/cache1 reiserfs defaults 0 0
```

Any ideas how to use reiserfs for the squid cache? Should changing nfs_t to squid_cache_t in `genfscon reiserfs / system_u:object_r:nfs_t` help?

```
mount: /dev/hda6 on /mnt/cache1 type reiserfs (rw,fscontext=system_u:object_r:squid_cache_t)
```

Still no go:

```
kernel: audit(1109609802.473:0): avc: denied { associate } for pid=4340 exe=/usr/sbin/squid name=00 scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
squid: Failed to make swap directory /mnt/cache1/00: (13) Permission denied
```

BTW, I even cannot create a file as root:

```
# touch /mnt/cache1/aa
touch: cannot touch `/mnt/cache1/aa': Permission denied
kernel: audit(1109610143.996:0): avc: denied { associate } for pid=4436 exe=/bin/touch name=aa scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
```

Ok, you are going to need a rule

```
allow squid_cache_t self:filesystem associate;
```

Dan

I added to domains/misc/local.te

```
allow squid_cache_t self:filesystem { associate };
```

and ran make reload. Squid starts, but I see in cache.log:

```
Rebuilding storage in /mnt/cache1 (DIRTY)
/mnt/cache1: (13) Permission denied
...
Done scanning /mnt/cache1 swaplog (0 entries)
```

/var/log/messages:

```
kernel: audit(1109611258.279:0): avc: denied { getattr } for pid=4871 exe=/usr/sbin/squid name=/ dev=hda6 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
```

You should use context= instead of fscontext=
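As an added example that is not part of this bug report, the following Python parser takes the AVC denial lines quoted in the thread and, for each one, tells a file-to-filesystem `associate` check (its scontext carries `object_r`, i.e. it is a file label being checked against the filesystem's label) apart from an ordinary process-to-object check, and writes out the allow rule that would match it; the first of those is the local.te rule given above. The sample log is constructed from the three lines in the thread, the rule generator is my own shorthand rather than audit2allow, and a matching rule is not necessarily the right fix: the thread's resolution was the context= mount option, which labels the filesystem and every file on it uniformly, whereas fscontext= labels only the filesystem itself.

```python
import re

# Constructed sample input: the three AVC denials quoted in this bug report (one per line).
SAMPLE_LOG = """\
kernel: audit(1109609802.473:0): avc: denied { associate } for pid=4340 exe=/usr/sbin/squid name=00 scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
kernel: audit(1109610143.996:0): avc: denied { associate } for pid=4436 exe=/bin/touch name=aa scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
kernel: audit(1109611258.279:0): avc: denied { getattr } for pid=4871 exe=/usr/sbin/squid name=/ dev=hda6 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")

def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial line,
    or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec

def type_of(context):
    """Third field of user:role:type[:range] is the SELinux type."""
    return context.split(":")[2]

def explain(rec):
    """Classify one denial and write the allow rule that would match it.
    With tclass=filesystem and permission 'associate' the source context is a
    file label (role object_r) checked against the filesystem's label; other
    denials are a process acting on an object. Equal types become 'self'."""
    stype, ttype = type_of(rec["scontext"]), type_of(rec["tcontext"])
    is_assoc = rec["tclass"] == "filesystem" and "associate" in rec["perms"]
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return {
        "kind": "file-to-filesystem label" if is_assoc else "process-to-object",
        "subject": rec["scontext"] if is_assoc else rec.get("exe", "?"),
        "rule": "allow %s %s:%s %s;" % (stype, "self" if stype == ttype else ttype,
                                       rec["tclass"], perms),
    }

def explain_log(text):
    """Parse every AVC denial in a log excerpt and explain each one."""
    return [explain(rec) for rec in map(parse_avc, text.splitlines()) if rec]

if __name__ == "__main__":
    for item in explain_log(SAMPLE_LOG):
        print("%-25s %-38s %s" % (item["kind"], item["subject"], item["rule"]))
```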