Bug 163143
| Field | Value |
|---|---|
| Summary | Squid does not start when /usr/bin/ntlm_auth is used for NTLM authentication |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 4 |
| Hardware | i386 |
| OS | Linux |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Reporter | Jirka Pech <fedorabugs> |
| Assignee | Daniel Walsh <dwalsh> |
| Fixed In Version | 1.25.2-4 |
| Doc Type | Bug Fix |
| Last Closed | 2005-08-19 13:10:47 UTC |

Description
Jirka Pech
2005-07-13 14:04:01 UTC
Something went wrong with your update??? Do you have selinux-policy-targeted-sources installed? If yes, could you do a

    cd /etc/selinux/targeted/src/policy
    make load

And then try again.

I don't know of anything that went wrong during the update. Yes, I have the sources installed and I already did a policy build and reload before restarting squid, because I have some custom rules. So, I can handle local directory relocations and file TE settings by customizing the local policy, but what I really don't understand is why winbind is not allowed to read/write/getattr the socket, and the worst thing of all is

    security_compute_sid: invalid context root:system_r:winbind_helper_t for scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t tclass=process

which I really don't understand at all. I suppose that squid_t wants a transition to the winbind_helper_exec_t domain, but I'm not sure why. And when I rolled back to selinux-policy-targeted-1.24-3, everything goes fine again.

Does adding role system_r type winbind_helper_t to winbind.te fix the problem?

Yes, it fixed the invalid context error on transition, but it should be "types" not "type".

    role system_r types winbind_helper_t

Have you removed these from 1.25.2-1 (this is audit2allow output after squid restart with fixed role types)?

    allow winbind_helper_t squid_t:tcp_socket { read getattr write };

Did it work in enforcing mode? Or does it need this rule? This could just be a bug in squid not closing the tcp_socket on exec of ntlm_auth?

Dan

Yes, it works in enforcing mode. I'm not sure, but I think that NTLM authentication needs a keep-alive (proxy server to domain controller) connection, so it is probably not a squid bug.

I'm sorry Dan, I didn't respond to your second question. The rule is needed for squid to work.

Jirka Pech

Fixed in selinux-policy-strict-1.25.2-4

Thanks for the bug report. This particular bug was fixed and an update package was published for download. Please feel free to report any further bugs you find.
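
The "invalid context" message in this thread can be triaged mechanically. The following is an added example, not code from the report or from the Fedora policy: it parses that message format and, when the new context inherits user and role from the source and only the type changes, proposes the role/type association to check. The function names and the second sample line are assumptions made for illustration, and the suggested rule is a hint to verify against the policy sources.

```python
import re

# Format of the kernel message quoted in the thread above.
COMPUTE_SID_RE = re.compile(
    r"security_compute_sid:\s+invalid context (?P<new>\S+) for "
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<tclass>\S+)"
)


def split_context(ctx):
    """Split 'user:role:type[:range]'; an MLS range may itself contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return dict(zip(("user", "role", "type"), parts))


def diagnose(line):
    """Return a diagnosis dict for an 'invalid context' line, else None."""
    m = COMPUTE_SID_RE.search(line)
    if m is None:
        return None
    new, src, tgt = (split_context(m[k]) for k in ("new", "src", "tgt"))
    result = {
        "tclass": m["tclass"],
        "transition": f"{src['type']} -> {new['type']} via {tgt['type']}",
        "candidate_rule": None,
    }
    # For a process, user and role are inherited from the source context and
    # only the type comes from the transition. If that holds here, the likely
    # gap is that the inherited role is not authorized for the new type.
    inherited = (new["user"], new["role"]) == (src["user"], src["role"])
    if inherited and new["type"] != src["type"]:
        result["candidate_rule"] = f"role {new['role']} types {new['type']};"
    return result


# First line is the message from the report; the second is constructed.
SAMPLE_LOG = [
    "security_compute_sid: invalid context root:system_r:winbind_helper_t for "
    "scontext=root:system_r:squid_t "
    "tcontext=system_u:object_r:winbind_helper_exec_t tclass=process",
    "squid[2101]: Squid Parent: child process 2103 started",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```
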