Bug 163143

Summary: Squid does not start when /usr/bin/ntlm_auth is used for NTLM authentication
Product: [Fedora] Fedora
Reporter: Jirka Pech <fedorabugs>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
Hardware: i386
OS: Linux
Fixed In Version: 1.25.2-4
Doc Type: Bug Fix
Last Closed: 2005-08-19 13:10:47 UTC

Description Jirka Pech 2005-07-13 14:04:01 UTC
Description of problem:
If I use the ntlm_auth winbind helper for Squid to support NTLM authentication, I'm
getting these messages in the audit log (after setting enforce to 0):

type=SELINUX_ERR msg=audit(1121261809.389:921981): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read write } for 
pid=25466 comm="ntlm_auth" name=[315468] dev=sockfs ino=315468
scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t
tclass=tcp_socket
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read append } for 
pid=25466 comm="ntlm_auth" name=cache.log dev=sda5 ino=448451
scontext=root:system_r:winbind_helper_t tcontext=root:object_r:squid_log_t
tclass=file
type=SYSCALL msg=audit(1121261809.389:921981): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c995b8 a3=400 items=2 pid=25466
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=AVC_PATH msg=audit(1121261809.389:921981):  path="/var/log/squid/cache.log"
type=AVC_PATH msg=audit(1121261809.389:921981):  path="socket:[315468]"
type=PATH msg=audit(1121261809.389:921981): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.389:921981): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.411:923434): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.411:923434): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c97518 a3=400 items=2 pid=25465
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.411:923434): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.411:923434): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.432:924714): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.432:924714): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c9b658 a3=400 items=2 pid=25467
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.432:924714): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.432:924714): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.460:925960): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.460:925960): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c9d6f8 a3=400 items=2 pid=25468
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.460:925960): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.460:925960): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.470:927143): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.470:927143): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c9f798 a3=400 items=2 pid=25469
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.470:927143): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.470:927143): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1121261810.017:927486): avc:  denied  { getattr } for 
pid=25465 comm="ntlm_auth" name=[315465] dev=sockfs ino=315465
scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t
tclass=tcp_socket
type=SYSCALL msg=audit(1121261810.017:927486): arch=40000003 syscall=197
success=yes exit=0 a0=0 a1=bfbf117c a2=3bbff4 a3=0 items=0 pid=25465 auid=0
uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 comm="ntlm_auth"
exe="/usr/bin/ntlm_auth"
type=AVC_PATH msg=audit(1121261810.017:927486):  path="socket:[315465]"

Also I have this output in /var/log/messages (enforce set to 1):
Jul 13 15:10:30 proxy squid[24695]: Squid Parent: child process 24697 started
Jul 13 15:10:31 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:31 proxy squid[24695]: Squid Parent: child process 24697 exited due
to signal 6
Jul 13 15:10:34 proxy squid[24695]: Squid Parent: child process 24729 started
Jul 13 15:10:35 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:35 proxy squid[24695]: Squid Parent: child process 24729 exited due
to signal 6
Jul 13 15:10:38 proxy squid[24695]: Squid Parent: child process 24759 started
Jul 13 15:10:38 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:38 proxy squid[24695]: Squid Parent: child process 24759 exited due
to signal 6
Jul 13 15:10:41 proxy squid[24695]: Squid Parent: child process 24788 started
Jul 13 15:10:42 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:42 proxy squid[24695]: Squid Parent: child process 24788 exited due
to signal 6
Jul 13 15:10:45 proxy squid[24695]: Squid Parent: child process 24817 started
Jul 13 15:10:45 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:45 proxy squid[24695]: Squid Parent: child process 24817 exited due
to signal 6
Jul 13 15:10:45 proxy squid[24695]: Exiting due to repeated, frequent failures

This is probably a policy problem, because everything was working before the
policy yum auto-update during the week and the squid restart today.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-1

How reproducible:
Every time.

Steps to Reproduce:
1. Install squid on FC4 box with SELinux enforcing enabled and edit the config
file to include:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 10
auth_param ntlm children 5
 
2. Start squid.
  
Actual results:
Squid exits because it can't start ntlm helper children and errors are logged.

Expected results:
Normal squid startup.

Additional info:
There are some local policy rules in place, which were needed to run Squid with
NTLM support (in a fresh FC4 installation):

# samba
allow squid_t port_t:tcp_socket                 { name_connect };
allow squid_t samba_etc_t:dir                   { search read };
allow squid_t samba_etc_t:file                  { getattr read };
allow squid_t samba_var_t:dir                   { search read };
allow squid_t samba_var_t:file                  { getattr read };

# winbind
allow squid_t winbind_var_run_t:dir             { getattr read search };
allow squid_t winbind_var_run_t:file            { getattr read };
allow squid_t winbind_var_run_t:sock_file       { getattr write };
allow squid_t winbind_t:unix_stream_socket      { connectto };

Comment 1 Daniel Walsh 2005-07-13 14:48:41 UTC
Something went wrong with your update???

Do you have selinux-policy-targeted-sources installed?

If yes could you do a 

cd /etc/selinux/targeted/src/policy
make load
And then try again.



Comment 2 Jirka Pech 2005-07-13 15:14:18 UTC
I don't know of anything that went wrong during the update.

Yes, I have sources installed and I already did policy build and reload before
restarting squid, because I have some custom rules.
So, I can handle local directory relocations and file TE settings by customizing
the local policy, but what I really don't understand is why winbind is not allowed
to read/write/getattr the socket, and the worst thing of all is

security_compute_sid: invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process

which I really don't understand at all. I suppose that squid_t wants to transition
to the winbind_helper_exec_t domain, but I'm not sure why. And when I rolled back to
selinux-policy-targeted-1.24-3, everything went fine again.


Comment 3 Daniel Walsh 2005-07-13 15:27:16 UTC
Does adding

role system_r type winbind_helper_t to winbind.te
fix the problem?

Comment 4 Jirka Pech 2005-07-13 16:07:05 UTC
Yes, it fixed the invalid context error on transition, but it should be "types" not
"type".

role system_r types winbind_helper_t

Have you removed these from 1.25.2-1 (this is audit2allow output after squid
restart with fixed role types)?

allow winbind_helper_t squid_t:tcp_socket { read getattr write };
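
As an added example (not from this bug report or from the Fedora policy), the Python below derives the statements the thread arrives at from the audit records quoted in the description: the `role ... types ...` declaration that fixes the security_compute_sid error, and the allow rules that audit2allow would print. AUDIT_SAMPLE is a constructed copy of the page's records re-joined onto single lines.

```python
import re

# Constructed sample: the SELINUX_ERR and AVC records quoted in the bug report,
# re-joined onto one line each (the page shows them wrapped).
AUDIT_SAMPLE = """\
type=SELINUX_ERR msg=audit(1121261809.389:921981): security_compute_sid: invalid context root:system_r:winbind_helper_t for scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t tclass=process
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read write } for pid=25466 comm="ntlm_auth" name=[315468] dev=sockfs ino=315468 scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t tclass=tcp_socket
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read append } for pid=25466 comm="ntlm_auth" name=cache.log dev=sda5 ino=448451 scontext=root:system_r:winbind_helper_t tcontext=root:object_r:squid_log_t tclass=file
type=AVC msg=audit(1121261810.017:927486): avc:  denied  { getattr } for pid=25465 comm="ntlm_auth" name=[315465] dev=sockfs ino=315465 scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
                    r"scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")
# security_compute_sid fails when the computed context pairs a role with a type
# the role is not declared for; the fix is a 'role <role> types <type>;' statement.
ERR_RE = re.compile(r"invalid context (?P<ctx>\S+) for scontext=\S+ tcontext=\S+ "
                    r"tclass=process")

def context_role_type(ctx):
    """Split 'user:role:type[:level]' into (role, type)."""
    parts = ctx.split(":")
    return parts[1], parts[2]

def derive_rules(audit_text):
    """Return policy statements that would have allowed the recorded denials."""
    allows = {}   # (source type, target type, class) -> ordered permission list
    roles = []    # (role, type) pairs missing a role declaration
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_role_type(m["s"])[1], context_role_type(m["t"])[1], m["c"])
            perms = allows.setdefault(key, [])
            for p in m["perms"].split():
                if p not in perms:
                    perms.append(p)
            continue
        m = ERR_RE.search(line)
        if m and context_role_type(m["ctx"]) not in roles:
            roles.append(context_role_type(m["ctx"]))
    rules = ["role %s types %s;" % rt for rt in roles]
    rules += ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
              for (s, t, c), p in allows.items()]
    return rules

if __name__ == "__main__":
    # Review each line before loading it: Comment 5 asks whether the tcp_socket
    # denial is a policy gap or Squid leaking a socket across the exec of ntlm_auth.
    print("\n".join(derive_rules(AUDIT_SAMPLE)))
```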



Comment 5 Daniel Walsh 2005-07-13 16:23:53 UTC
Did it work in enforcing mode?  Or does it need this rule?  This could just be a
bug in squid not closing the tcp_socket on exec of ntlm_auth?

Dan

Comment 6 Jirka Pech 2005-07-13 17:01:35 UTC
Yes, it works in enforcing mode.

I'm not sure, but I think that NTLM authentication needs keep-alive (proxy
server to domain controller) connection, so it is probably not a squid bug.


Comment 7 Jirka Pech 2005-07-14 10:21:39 UTC
I'm sorry Dan, I didn't respond to your second question. The rule is needed for
squid to work.

Jirka Pech

Comment 8 Daniel Walsh 2005-07-14 14:40:14 UTC
Fixed in selinux-policy-strict-1.25.2-4


Comment 9 Walter Justen 2005-08-19 13:10:47 UTC
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.