Bug 168349

Summary: External ACL-Files are ignored if they are stored under the home-directory
Product: [Fedora] Fedora
Reporter: Alex Pircher <alexander_pircher>
Component: squid
Assignee: Martin Stransky <stransky>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
Keywords: Security
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-09-19 08:04:10 UTC

Description Alex Pircher 2005-09-15 10:11:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7) Gecko/20040616

Description of problem:
If an external ACL-File is configured like this:
acl blocked_domains dstdomain "/home/domains.txt"
it is ignored during the restart-process.


Version-Release number of selected component (if applicable):
squid-2.5.STABLE9-8

How reproducible:
Always

Steps to Reproduce:
1. Add acl blocked_domains dstdomain "/home/domains.txt"
2. /etc/init.d/squid restart


Actual Results:  The external ACL-File is ignored


Expected Results:  The external ACL-File should have been added to the configuration



Additional info:

/var/log/squid.out shows:
2005/09/15 12:01:41| strtokFile: /home/domains.txt not found
2005/09/15 12:01:41| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"
2005/09/15 12:02:13| strtokFile: /home/domains.txt not found
2005/09/15 12:02:13| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"

However, the file domains.txt exists and domains.txt and home have the correct
rights:

# ll /home/domains.txt
-rw-r--r--  1 root root 1104 15. Sep 11:37 /home/domains.txt

# ll / | grep home
drwxr-xr-x    6 root root  4096 15. Sep 12:06 home

Placing the domains.txt under / or under /etc/squid/ works.

Comment 1 Alex Pircher 2005-09-15 23:02:26 UTC
Seems that SELinux gets the hand on it, in the audit.log I've found:

type=PATH msg=audit(1126778838.221:11646933): item=0 name="/home/domains.txt"
flags=101  inode=5439489 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126778870.293:4650569): avc:  denied  { search } for 
pid=21036 comm="squid" name="home" dev=dm-0 ino=5439489
scontext=root:system_r:squid_t tcontext=system_u:object_r:home_root_t tclass=dir


Comment 2 Martin Stransky 2005-09-19 08:04:10 UTC
Sure, the essential function of SELinux is disabling access to directories
which aren't explicitly allowed for access.
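
Added example (not part of the original bug report, and not Squid or Fedora code): a small Python triage helper that pairs Squid's misleading "not found" message with the SELinux AVC denial that actually caused it, using the log lines quoted in this report. The function names are hypothetical, and matching the AVC name= field against path components is a heuristic, since that field holds only a single path component.

```python
import re
from pathlib import PurePosixPath

# Log lines copied from this report; the wrapped AVC record is re-joined onto one line.
SQUID_LOG = [
    "2005/09/15 12:01:41| strtokFile: /home/domains.txt not found",
    '2005/09/15 12:01:41| aclParseAclLine: WARNING: empty ACL: '
    'acl blocked_domains dstdomain "/home/domains.txt"',
]
AUDIT_LOG = [
    'type=AVC msg=audit(1126778870.293:4650569): avc:  denied  { search } for '
    'pid=21036 comm="squid" name="home" dev=dm-0 ino=5439489 '
    'scontext=root:system_r:squid_t tcontext=system_u:object_r:home_root_t tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type[:level]; policy rules match on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def missing_files(squid_lines):
    """Paths Squid reported as 'not found' while loading external ACL files."""
    return sorted({m.group(1) for line in squid_lines
                   if (m := re.search(r"strtokFile: (\S+) not found", line))})

def explain(squid_lines, audit_lines, comm="squid"):
    """Pair each 'not found' path with AVC denials on one of its path components."""
    denials = [r for r in map(parse_avc, audit_lines) if r and r.get("comm") == comm]
    findings = []
    for path in missing_files(squid_lines):
        parts = PurePosixPath(path).parts[1:]  # drop the leading "/"
        for d in denials:
            if d.get("name") in parts:  # heuristic: name= is one component only
                findings.append((path, d["stype"], tuple(d["perms"]), d["ttype"], d["tclass"]))
    return findings

if __name__ == "__main__":
    for path, stype, perms, ttype, tclass in explain(SQUID_LOG, AUDIT_LOG):
        print(f"{path}: {stype} denied {{{' '.join(perms)}}} on {ttype}:{tclass}")
```

A match means the file exists but the squid_t domain could not traverse a parent directory, which is why the Unix permissions shown in the report looked correct and why the same file worked under /etc/squid/.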