Bug 199083

Summary: selinux stops squid
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Reporter: Frank Büttner <bugzilla>
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 20:02:06 UTC

Description Frank Büttner 2006-07-17 07:30:00 UTC
Description of problem:
When SELinux is in enforcing mode, squid will fail.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.47-3.fc5

How reproducible:
run service squid start

Actual results:
start fails

Expected results:
running squid

Additional info:
audit:
Jul 17 09:36:18 kernel: audit(1153121778.649:71): avc:  denied  { read write }
for  pid=3357 comm=squid name="SYSV00347402" dev=tmpfs ino=884761
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
Jul 17 09:36:21 kernel: audit(1153121781.993:72): avc:  denied  { read write }
for  pid=3364 comm=squid name="SYSV00349002" dev=tmpfs ino=917530
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
Jul 17 09:36:26 kernel: audit(1153121786.085:73): avc:  denied  { read write }
for  pid=3370 comm=squid name="SYSV0034a802" dev=tmpfs ino=950299
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file

Comment 1 Daniel Walsh 2006-07-17 14:33:15 UTC
You have a labeling problem.  Looks like some kind of tmp directory is being
mounted and not labeled correctly, or you created files on a tmp directory and
moved it to a directory squid is trying to access?

Comment 2 Frank Büttner 2006-07-17 15:40:43 UTC
I can't find an unlabeled file. But it is very interesting: when I change the
access method in the squid config file from diskd to ufs, I get another error:
type=AVC msg=audit(1153151192.075:937): avc:  denied  { name_bind } for pid=8719 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151192.075:937): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf9f85f4 a2=8499a4 a3=bf9f8604 items=0 pid=8719 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1153151192.075:937): saddr=02000C3A000000000000000000000000
type=SOCKETCALL msg=audit(1153151192.075:937): nargs=3 a0=c a1=bf9f8604 a2=10
type=AVC msg=audit(1153151195.403:938): avc:  denied  { name_bind } for pid=8726 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151195.403:938): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfef32f4 a2=4129a4 a3=bfef3304 items=0 pid=8726 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1153151195.403:938): saddr=02000C3A000000000000000000000000
type=SOCKETCALL msg=audit(1153151195.403:938): nargs=3 a0=c a1=bfef3304 a2=10
type=AVC msg=audit(1153151198.723:939): avc:  denied  { name_bind } for pid=8733 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151198.723:939): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc96094 a2=4709a4 a3=bfc960a4 items=0 pid=8733 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1153151198.723:939): saddr=02000C3A000000000000000000000000
type=SOCKETCALL msg=audit(1153151198.723:939): nargs=3 a0=c a1=bfc960a4 a2=10
type=AVC msg=audit(1153151202.040:940): avc:  denied  { name_bind } for pid=8739 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
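The two denial shapes in this bug (file access on a generic tmpfs_t object, and name_bind on a UDP port labeled http_cache_port_t) are the two most common triage categories for AVC records. The following Python is an added example, not code from this bug, Fedora or the selinux-policy project: it parses AVC records in both the kernel/dmesg style from the report and the auditd "type=AVC" style from comment 2, extracts the source and target types, and sorts each denial into a rough category with a defender's next check. The sample log is constructed from two of the records above, joined onto single lines as auditd writes them; the set of "generic" file types that hint at a labeling problem is an assumption of this example, not something the bug states.

```python
"""Triage helper for SELinux AVC denials like the ones quoted in this bug."""
import re
from dataclasses import dataclass, field

# Constructed sample (not the full log from the bug): one record in the
# kernel/dmesg style from the report and one in the auditd "type=AVC" style
# from comment 2, each on a single line the way auditd writes them.
SAMPLE_LOG = """\
Jul 17 09:36:18 kernel: audit(1153121778.649:71): avc:  denied  { read write } for  pid=3357 comm=squid name="SYSV00347402" dev=tmpfs ino=884761 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
type=AVC msg=audit(1153151192.075:937): avc:  denied  { name_bind } for  pid=8719 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151192.075:937): arch=40000003 syscall=102 success=no exit=-13 pid=8719 auid=500 uid=23 comm="squid" exe="/usr/sbin/squid"
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
SERIAL_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')

# Object classes that denote files, and target types generic enough that a
# domain-specific type was probably expected (assumed list for this example).
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}
GENERIC_FILE_TYPES = {"tmpfs_t", "tmp_t", "var_t", "var_lib_t", "usr_t", "file_t", "unlabeled_t", "default_t"}


@dataclass
class Denial:
    serial: int
    perms: set
    source_type: str
    target_type: str
    tclass: str
    fields: dict = field(default_factory=dict)

    @property
    def port(self):
        """Port number for name_bind/name_connect records, else None."""
        src = self.fields.get("src") or self.fields.get("dest")
        return int(src) if src and src.isdigit() else None


def _type_of(context):
    """Third field of user:role:type[:range]; the whole string if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc_denials(text):
    """Return one Denial per 'avc: denied' record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        serial_m = SERIAL_RE.search(line)
        serial = int(serial_m.group("serial")) if serial_m else -1
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append(Denial(
            serial=serial,
            perms=set(m.group("perms").split()),
            source_type=_type_of(fields.get("scontext", "")),
            target_type=_type_of(fields.get("tcontext", "")),
            tclass=fields.get("tclass", ""),
            fields=fields,
        ))
    return denials


def triage(d):
    """Rough category: 'port_bind', 'file_label' or 'other'."""
    if d.perms & {"name_bind", "name_connect"} and d.tclass.endswith("_socket"):
        return "port_bind"
    if d.tclass in FILE_CLASSES and d.target_type in GENERIC_FILE_TYPES:
        return "file_label"
    return "other"


def describe(d):
    """One-line summary with the check an administrator would run next."""
    perms = "/".join(sorted(d.perms))
    cat = triage(d)
    if cat == "port_bind":
        return (f"{d.source_type} denied {perms} on {d.tclass} port {d.port} (labeled {d.target_type}); "
                f"check the port's type with 'semanage port -l' and whether the domain may use it")
    if cat == "file_label":
        return (f"{d.source_type} denied {perms} on {d.tclass} {d.fields.get('name', '?')!r} labeled "
                f"generic {d.target_type}; either the policy lacks a type transition for this domain "
                f"or the object was created/moved with the wrong label (inspect with 'ls -Z')")
    return f"{d.source_type} denied {perms} on {d.tclass} {d.target_type}"


if __name__ == "__main__":
    for d in parse_avc_denials(SAMPLE_LOG):
        print(f"[{d.serial}] {triage(d):10s} {describe(d)}")
```

Run against the sample, the first record is classified as a labeling problem (squid_t on a tmpfs_t file, the diagnosis in comment 1) and the second as a port-binding denial on UDP 3130 (the ICP port), which is the category a policy update rather than a relabel would address.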


Comment 3 Daniel Walsh 2006-07-17 18:56:43 UTC
Fixed in selinux-policy-2.3.2-1.fc5

Comment 4 Daniel Walsh 2007-03-28 20:02:06 UTC
Closing bugs