Bug 224409

Summary: Denials with squid's cachemgr.cgi
Product: Fedora
Component: selinux-policy
Version: 6
Reporter: Orion Poplawski <orion>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Fixed In Version: 2.4.6-37.fc6
Doc Type: Bug Fix
Last Closed: 2007-02-22 18:12:44 UTC

Attachments:
Loadable policy module to fix your problem. (flags: none)

Description Orion Poplawski 2007-01-25 16:22:28 UTC
Description of problem:

When using squid's cachemgr.cgi as configured by the Fedora squid package I get:

Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc:  denied  { search }
for  pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0
tclass=dir

This is trying to search /etc/squid.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-27.fc6

Comment 1 Orion Poplawski 2007-01-25 16:27:14 UTC
*** Bug 224412 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2007-01-25 19:10:53 UTC
Why is cachemgr.cgi in /etc/squid directory?


Comment 3 Orion Poplawski 2007-01-25 19:20:45 UTC
It's not.  It's in /usr/lib/squid/cachemgr.cgi, but it's trying to read
/etc/squid/cachemgr.conf.  It may be trying to do other stuff too, not sure.
Running it from the command line under strace I see:

8115  open("/etc/squid/cachemgr.conf", O_RDONLY|O_LARGEFILE) = 3


Comment 4 Orion Poplawski 2007-01-25 19:21:45 UTC
Note that it seems to run fine.

Comment 5 Daniel Walsh 2007-01-25 20:13:03 UTC
Created attachment 146614 [details]
Loadable policy module to fix your problem.

Could you save this .te file and execute

make -f /usr/share/selinux/devel/Makefile 
semodule -i squid-cgi.pp 
chcon -t httpd_squid_script_exec_t /usr/lib/squid/cachemgr.cgi 

And try it out.
This fix will be in the next policy.

Comment 6 Orion Poplawski 2007-01-25 20:19:44 UTC
Similar but different:

Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc:  denied  { search }
for  pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143
scontext=system_u:system_r:httpd_squid_script_t:s0
tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir

Comment 7 Daniel Walsh 2007-01-25 20:28:33 UTC
Yes, I knew about that one.  Sorry, forgot to tell you.

That was added to /usr/share/selinux/devel/include/services/squid.if

########################################
## <summary>
##	Read squid configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_config',`
	gen_require(`
		type squid_conf_t;
	')

	files_search_etc($1)
	allow $1 squid_conf_t:dir search_dir_perms;
	allow $1 squid_conf_t:file r_file_perms;
')


Comment 8 Daniel Walsh 2007-02-14 20:33:04 UTC
Fixed in selinux-policy-2.4.6-37.fc6

Comment 9 Orion Poplawski 2007-02-16 18:45:20 UTC
Still see it:

audit(1171651371.459:7): avc:  denied  { search } for  pid=3384
comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0
tclass=dir

[root@hawk ~]# restorecon -r -v /usr/lib/squid/ /etc/squid
[root@hawk ~]# rpm -q selinux-policy
selinux-policy-2.4.6-37.fc6

Comment 10 Daniel Walsh 2007-02-16 21:05:43 UTC
For some reason cachemgr.cgi is not transitioning to httpd_squid_script_t?

getsebool -a | grep http



Comment 11 Orion Poplawski 2007-02-16 21:07:33 UTC
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on


Comment 12 Daniel Walsh 2007-02-20 19:48:36 UTC
ls -lZ /usr/lib/squid/cachemgr.cgi

Comment 13 Orion Poplawski 2007-02-20 19:56:54 UTC
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/lib/squid/cachemgr.cgi


Comment 14 Daniel Walsh 2007-02-22 17:53:29 UTC
restorecon -F -R -v /usr/lib/squid/cachemgr.cgi

The context is wrong.

Comment 15 Orion Poplawski 2007-02-22 18:12:44 UTC
That indeed fixed the context and removed the denial.
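The thread above shows two denials that look alike but have different causes: the one in Comment 9 (and the original report) has scontext httpd_t, meaning cachemgr.cgi never transitioned out of the web server's domain because the binary carried the wrong file type (Comments 13 and 14); the one in Comment 6 has scontext httpd_squid_script_t, meaning the transition worked and the domain itself lacked the squid_read_config() access added in Comment 7. The script below is an added example, not code from this report or from the Fedora policy; it parses AVC lines in the format quoted above and sorts them into those two buckets. The expected domain, exec type and path for cachemgr.cgi are taken from Comments 5 and 6; the function names, the EXPECTED table and the fallback raw allow rule are this example's own, and the sample input is two copies of the report's own denial lines plus one constructed non-AVC kernel line to show that unrelated lines are skipped.

```python
"""Classify SELinux AVC denials from a CGI that should run in its own domain.

Added example (not from the bug report). A denial whose scontext is not the
expected domain means no domain transition happened, which points at the file
label on the binary; a denial whose scontext IS the expected domain means the
transition worked and a policy rule/interface call is missing.
"""
import re

# Sample input: the two denial lines quoted in the report, plus one constructed
# non-AVC kernel line (not from the report) that the parser must ignore.
SAMPLE_AVC_LINES = [
    'Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc:  denied  { search } '
    'for  pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir',
    'Jan 25 13:18:40 hawk kernel: SELinux: initialized (dev dm-0, type ext3), uses xattr',
    'Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc:  denied  { search } '
    'for  pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 '
    'scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir',
]

# Expectations taken from the report: cachemgr.cgi should run as
# httpd_squid_script_t, which requires the binary to be labelled
# httpd_squid_script_exec_t. The table itself is this example's own structure.
EXPECTED = {
    'cachemgr.cgi': {
        'domain': 'httpd_squid_script_t',
        'exec_type': 'httpd_squid_script_exec_t',
        'path': '/usr/lib/squid/cachemgr.cgi',
    },
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, raw in FIELD_RE.findall(m.group('fields')):
        rec[key] = raw.strip('"')
    # Contexts are user:role:type:level; the type is what policy rules are written against.
    for ctx in ('scontext', 'tcontext'):
        parts = rec.get(ctx, '').split(':')
        rec[ctx + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(rec, expected=EXPECTED):
    """Return (category, suggested fix) for one parsed denial.

    'label'  : process is not in its expected domain -> relabel the binary
    'policy' : process is in its expected domain    -> the domain lacks a rule
    'other'  : nothing known about this comm
    """
    want = expected.get(rec.get('comm'))
    if want is None:
        return ('other', 'no expectation recorded for comm=%r' % rec.get('comm'))
    stype = rec['scontext_type']
    if stype != want['domain']:
        return ('label',
                'process ran as %s instead of %s, so %s is probably not labelled %s; '
                'run: restorecon -F -R -v %s && ls -lZ %s'
                % (stype, want['domain'], want['path'], want['exec_type'],
                   want['path'], want['path']))
    # Transition happened; the domain itself is missing access. Prefer the
    # existing interface for squid config; otherwise show the raw rule that
    # audit2allow would derive, which a reviewer should replace with an interface.
    if rec['tcontext_type'] == 'squid_conf_t':
        fix = 'call squid_read_config(%s) in the policy module' % want['domain']
    else:
        fix = 'allow %s %s:%s { %s };' % (want['domain'], rec['tcontext_type'],
                                          rec.get('tclass'), ' '.join(rec['perms']))
    return ('policy', fix)


def triage_log(lines, expected=EXPECTED):
    """Parse and classify every AVC denial in an iterable of log lines."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        category, fix = triage(rec, expected)
        results.append({'pid': rec.get('pid'), 'comm': rec.get('comm'),
                        'category': category, 'fix': fix})
    return results


if __name__ == '__main__':
    for r in triage_log(SAMPLE_AVC_LINES):
        print('%s pid=%s [%s]: %s' % (r['comm'], r['pid'], r['category'], r['fix']))
```

Run against /var/log/messages or ausearch output the same way, feeding lines to triage_log(). The point of the split is the one Daniel Walsh makes in Comment 10: before touching policy, check which domain the denied process was actually in, because a denial from the parent domain (httpd_t here) is a labelling problem that no new allow rule should paper over.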