Bug 452787

Summary: squid ceased to work after upgrade to 5.2
Product: Red Hat Enterprise Linux 5
Reporter: Tomasz Kepczynski <tomek>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: 5.2
CC: dwalsh, mkoci, mmalik
Target Milestone: rc
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:32:05 EST
Attachments:
Te file to fix squid (flags: none)

Description Tomasz Kepczynski 2008-06-25 01:37:16 EDT
Description of problem:
My squid ceased to work after I updated to 5.2 yesterday.
Search in audit.log yields:

time->Wed Jun 25 07:25:18 2008
type=ANOM_ABEND msg=audit(1214371518.634:1480): auid=0 uid=23 gid=23 ses=227 subj=root:system_r:squid_t:s0 pid=13115 comm="squid" sig=6

and in /var/log/messages I have:

Jun 25 07:25:18 triss (squid): Cannot open snmp Port
Jun 25 07:25:18 triss squid[13081]: Squid Parent: child process 13115 exited due to signal 6
Jun 25 07:25:18 triss squid[13081]: Exiting due to repeated, frequent failures
Jun 25 07:25:34 triss squid[13147]: Squid Parent: child process 13149 started

Squid simply does not start. After I set selinux mode
to permissive I am able to start squid, so I guess
this is an selinux problem.

Thing to note: I have snmp enabled in squid and the snmp port
in use is 3401 (the default AFAIR). Disabling snmp also
helps. Setting squid_connect_any to 1 does not help.

Version-Release number of selected component (if applicable):

How reproducible:

Actual results:
squid does not start with snmp enabled and selinux enforcing

Expected results:
squid starts under these conditions

Additional info:
I found this on CentOS, not RHEL, but I believe you might be interested.

Comment 1 Daniel Walsh 2008-06-25 07:40:52 EDT
You can turn off the DONTAUDIT rules by executing 

# semodule -b /usr/share/selinux/targeted/enableaudit.pp

Do you see any AVC messages, when starting squid?

Turn them back on by executing

# semodule -b /usr/share/selinux/targeted/base.pp
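
The situation Comment 1 is probing for, as an added example that is not part of the original thread: a Python script that scans audit records for a confined process that aborted with no AVC denial logged for it, which is the cue to load enableaudit.pp and retry. Only the ANOM_ABEND record comes from the report; the AVC record, its port_t target type, and the function names are constructed for illustration.

```python
import re

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):\d+\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The ANOM_ABEND record is the one quoted in the report. The AVC record is
# constructed (port_t as the target type is an assumption) to show the kind of
# denial that becomes visible once enableaudit.pp is loaded.
ABEND = ('type=ANOM_ABEND msg=audit(1214371518.634:1480): auid=0 uid=23 gid=23 '
         'ses=227 subj=root:system_r:squid_t:s0 pid=13115 comm="squid" sig=6')
AVC = ('type=AVC msg=audit(1214371518.630:1479): avc:  denied  { name_bind } for  '
       'pid=13115 comm="squid" src=3401 scontext=root:system_r:squid_t:s0 '
       'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket')

def parse(line):
    """Return (record_type, epoch_seconds, fields) or None for non-records."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    return m.group(1), float(m.group(2)), fields

def domain(context):
    """Type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def silent_abends(lines, window=5.0):
    """ANOM_ABEND records from confined domains with no AVC denial logged for
    the same pid in the preceding `window` seconds."""
    records = [r for r in map(parse, lines) if r]
    denials = [(t, f.get("pid")) for kind, t, f in records if kind == "AVC"]
    hits = []
    for kind, t, f in records:
        dom = domain(f.get("subj", ""))
        if kind != "ANOM_ABEND" or dom in ("", "unconfined_t"):
            continue
        if any(p and p == f.get("pid") and 0 <= t - at <= window for at, p in denials):
            continue
        hits.append({"pid": f.get("pid"), "comm": f.get("comm"),
                     "domain": dom, "sig": f.get("sig")})
    return hits

if __name__ == "__main__":
    print(silent_abends(["time->Wed Jun 25 07:25:18 2008", ABEND]))  # abort, no AVC
    print(silent_abends([AVC, ABEND]))  # denial visible: nothing to report
```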

Comment 2 Daniel Walsh 2008-06-25 07:55:11 EDT
I just reviewed the difference between Rawhide Squid policy and RHEL5 and it
looks like listening on 3401 was added after the fact, so this is indeed a bug.

You can create a custom policy module to allow it to bind to this service.

Comment 3 Daniel Walsh 2008-06-25 07:56:37 EDT
Created attachment 310254 [details]
Te file to fix squid

Extract attachment into mysquid.te

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mysquid.pp

Should fix

Comment 4 Daniel Walsh 2008-06-25 07:59:48 EDT
Fixed in selinux-policy-2.4.6-140.el5

Comment 5 RHEL Product and Program Management 2008-06-25 08:13:13 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 10 errata-xmlrpc 2009-01-20 16:32:05 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.