Bug 487204

Summary: selinux error for squid
Product: Fedora
Reporter: stanl
Component: squid
Assignee: Jiri Skala <jskala>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 10
CC: aglotov, dwalsh, henrik, jonathansteffan, jskala, mnagy
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-03 02:36:31 UTC

Description stanl 2009-02-24 18:48:02 UTC
Description of problem:  See below.  Not sure why squid is wanting to look at /mnt, and the recommended fix doesn't work.

There seem to be no updates for updates-testing, so I haven't got the fix for squidguard and chcon yet.  Maybe this is fixed by that fix.  Just thought I'd put it out here.  Squid seems to be working fine even though this occurred.


Version-Release number of selected component (if applicable): see below


How reproducible:  Seems to happen every time


Steps to Reproduce:
1. /sbin/service squid start or /sbin/service squid restart
Actual results:  selinux denial


Expected results:  squid performs the actions it is entitled to without complaint from selinux


Additional info:

Summary:

SELinux is preventing squid (squid_t) "search" to ./mnt (mnt_t).

Detailed Description:

SELinux denied access requested by squid. It is not expected that this access is
required by squid and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./mnt,

restorecon -v './mnt'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:squid_t:s0
Target Context                system_u:object_r:mnt_t:s0
Target Objects                ./mnt [ dir ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          <Unknown>
Host                          fedora10.sata1
Source RPM Packages           squid-3.0.STABLE13-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     fedora10.sata1
Platform                      Linux fedora10.sata1
                              2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
                              23:14:31 EST 2009 x86_64 x86_64
Alert Count                   153
First Seen                    Sun 22 Feb 2009 03:37:48 PM MST
Last Seen                     Sun 22 Feb 2009 08:16:53 PM MST
Local ID                      1650f44b-d63c-4c70-8649-51da75c15b21
Line Numbers                  

Raw Audit Messages            

node=fedora10.sata1 type=AVC msg=audit(1235359013.551:159152): avc:  denied  { search } for  pid=24514 comm="squid" name="mnt" dev=sda6 ino=1375 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir

node=fedora10.sata1 type=SYSCALL msg=audit(1235359013.551:159152): arch=c000003e syscall=4 success=yes exit=0 a0=7fffb506050a a1=7fffb5060900 a2=7fffb5060900 a3=7fffb505feb0 items=0 ppid=24511 pid=24514 auid=500 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
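
The two raw audit records above are all a triager really needs: the AVC line says which domain was denied which permission on which type, and the SYSCALL line with the same audit serial says which syscall the program was in and whether it ultimately succeeded. The following Python is an added example for this page (not part of Fedora, squid or setroubleshoot) that parses that pair, joins them by serial, and emits the audit2allow-style rule that would silence the denial, so you can see exactly what a local policy module would be granting before deciding whether to grant it. The sample records are the ones from this report with the a0..a3 register fields trimmed; the x86_64 syscall table is a partial one I have added for the lookup-style calls that matter here.

```python
"""Triage raw SELinux audit records (AVC + SYSCALL pairs) such as the ones in this bug.

Added example for this bug page; not code from Fedora, squid or setroubleshoot.
"""
import re
from typing import Dict, List

# Constructed sample input: the AVC and SYSCALL records from this bug (serial 159152),
# verbatim except that the a0..a3 register arguments have been dropped.
SAMPLE_RECORDS = [
    'node=fedora10.sata1 type=AVC msg=audit(1235359013.551:159152): avc:  denied  '
    '{ search } for  pid=24514 comm="squid" name="mnt" dev=sda6 ino=1375 '
    'scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir',
    'node=fedora10.sata1 type=SYSCALL msg=audit(1235359013.551:159152): arch=c000003e '
    'syscall=4 success=yes exit=0 items=0 ppid=24511 pid=24514 auid=500 uid=23 gid=23 '
    'euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid" '
    'exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)',
]

# Partial x86_64 (arch=c000003e) syscall table; enough for path-lookup style denials.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 4: "stat", 5: "fstat",
                   6: "lstat", 59: "execve", 79: "getcwd", 80: "chdir", 257: "openat"}

# key=value tokens; values may be "quoted", (parenthesised) like tty=(none), or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line: str) -> Dict:
    """Parse one audit record into its type, serial, and fields; AVC records also get
    the decoded permission list and the source/target SELinux types."""
    m = _MSG.search(line)
    if m is None:
        raise ValueError("not an audit record: " + line[:40])
    ts, serial = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    rec = {"type": fields.get("type"), "timestamp": ts, "serial": serial, "fields": fields}
    if rec["type"] == "AVC":
        a = _AVC.search(line)
        rec["result"] = a.group(1)
        rec["perms"] = a.group(2).split()
        # context is user:role:type:level; the type is always the third element
        rec["source_type"] = fields["scontext"].split(":")[2]
        rec["target_type"] = fields["tcontext"].split(":")[2]
        rec["tclass"] = fields["tclass"]
    return rec


def allow_rule(avc: Dict) -> str:
    """The audit2allow-style rule that would permit exactly this AVC, and nothing more."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (avc["source_type"], avc["target_type"], avc["tclass"], perm_str)


def triage(lines: List[str]) -> List[Dict]:
    """Join AVC records to the SYSCALL record sharing their audit serial and summarise
    each denial: the rule it asks for, the binary, the syscall, and whether it succeeded."""
    by_serial: Dict[str, List[Dict]] = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], []).append(rec)
    events = []
    for serial, recs in by_serial.items():
        syscall_rec = next((r for r in recs if r["type"] == "SYSCALL"), None)
        for avc in (r for r in recs if r["type"] == "AVC"):
            ev = {"serial": serial, "result": avc["result"], "rule": allow_rule(avc),
                  "comm": avc["fields"].get("comm"), "name": avc["fields"].get("name"),
                  "syscall": None, "exe": None, "success": None}
            if syscall_rec is not None:
                f = syscall_rec["fields"]
                nr = int(f.get("syscall", "-1"))
                named = X86_64_SYSCALLS.get(nr) if f.get("arch") == "c000003e" else None
                ev["syscall"] = named or str(nr)
                ev["exe"] = f.get("exe")
                ev["success"] = f.get("success")
            events.append(ev)
    return events


if __name__ == "__main__":
    for ev in triage(SAMPLE_RECORDS):
        print(ev)
```

For this report the output is a single event: `squid` (`/usr/sbin/squid`) was denied `search` on a `mnt_t` directory during a `stat`, and the rule it is asking for is `allow squid_t mnt_t:dir search;`. That rule grants the proxy the right to traverse everything labelled `mnt_t`, which is exactly why you want to understand the cause (here, the startup working-directory lookup Dan Walsh describes in comment 4) before shipping it in a local policy module.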

Comment 1 Henrik Nordström 2009-02-24 19:17:35 UTC
Is there anything relevant in cache.log?

Comment 2 stanl 2009-02-24 20:04:06 UTC
Here is the last restart cycle from the cache.log.  I don't see anything.

2009/02/22 20:16:20| Preparing for shutdown after 76 requests
2009/02/22 20:16:20| Waiting 30 seconds for active connections to finish
2009/02/22 20:16:20| FD 14 Closing HTTP connection
2009/02/22 20:16:51| Shutting down...
2009/02/22 20:16:51| Closing unlinkd pipe on FD 12
2009/02/22 20:16:51| storeDirWriteCleanLogs: Starting...
2009/02/22 20:16:51|   Finished.  Wrote 15 entries.
2009/02/22 20:16:51|   Took 0.00 seconds (14395.39 entries/sec).
CPU Usage: 0.295 seconds = 0.155 user + 0.140 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
	total space in arena:    6144 KB
	Ordinary blocks:         5994 KB     21 blks
	Small blocks:               0 KB      7 blks
	Holding blocks:           936 KB      4 blks
	Free Small blocks:          0 KB
	Free Ordinary blocks:     149 KB
	Total in use:            6930 KB 113%
	Total free:               149 KB 2%
2009/02/22 20:16:51| Squid Cache (Version 3.0.STABLE13): Exiting normally.
2009/02/22 20:16:53| Starting Squid Cache version 3.0.STABLE13 for x86_64-redhat-linux-gnu...
2009/02/22 20:16:53| Process ID 24514
2009/02/22 20:16:53| With 1024 file descriptors available
2009/02/22 20:16:53| DNS Socket created at 0.0.0.0, port 37343, FD 7
2009/02/22 20:16:53| Adding domain ph.cox.net from /etc/resolv.conf
2009/02/22 20:16:53| Adding domain ph.cox.net from /etc/resolv.conf
2009/02/22 20:16:53| Adding nameserver 68.2.16.30 from /etc/resolv.conf
2009/02/22 20:16:53| Adding nameserver 68.2.16.25 from /etc/resolv.conf
2009/02/22 20:16:53| User-Agent logging is disabled.
2009/02/22 20:16:53| Referer logging is disabled.
2009/02/22 20:16:53| Unlinkd pipe opened on FD 12
2009/02/22 20:16:53| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/02/22 20:16:53| Swap maxSize 102400 KB, estimated 7876 objects
2009/02/22 20:16:53| Target number of buckets: 393
2009/02/22 20:16:53| Using 8192 Store buckets
2009/02/22 20:16:53| Max Mem  size: 8192 KB
2009/02/22 20:16:53| Max Swap size: 102400 KB
2009/02/22 20:16:53| Version 1 of swap file without LFS support detected... 
2009/02/22 20:16:53| Rebuilding storage in /var/spool/squid (CLEAN)
2009/02/22 20:16:53| Using Least Load store dir selection
2009/02/22 20:16:53| Set Current Directory to /var/spool/squid
2009/02/22 20:16:53| Loaded Icons.
2009/02/22 20:16:53| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 14.
2009/02/22 20:16:53| HTCP Disabled.
2009/02/22 20:16:53| Configuring Parent 127.0.0.1/8118/7
2009/02/22 20:16:53| Ready to serve requests.
2009/02/22 20:16:53| Done reading /var/spool/squid swaplog (15 entries)
2009/02/22 20:16:53| Finished rebuilding storage from disk.
2009/02/22 20:16:53|        15 Entries scanned
2009/02/22 20:16:53|         0 Invalid entries.
2009/02/22 20:16:53|         0 With invalid flags.
2009/02/22 20:16:53|        15 Objects loaded.
2009/02/22 20:16:53|         0 Objects expired.
2009/02/22 20:16:53|         0 Objects cancelled.
2009/02/22 20:16:53|         0 Duplicate URLs purged.
2009/02/22 20:16:53|         0 Swapfile clashes avoided.
2009/02/22 20:16:53|   Took 0.04 seconds (395.92 objects/sec).
2009/02/22 20:16:53| Beginning Validation Procedure
2009/02/22 20:16:53|   Completed Validation Procedure
2009/02/22 20:16:53|   Validated 55 Entries
2009/02/22 20:16:53|   store_swap_size = 200
2009/02/22 20:16:54| storeLateRelease: released 0 objects
2009/02/22 20:28:25| tunnelReadServer: FD 20: read failure: (0) Success

Comment 3 Daniel Walsh 2009-02-25 15:19:49 UTC
Did you happen to be in the /mnt directory when you executed this command?

Comment 4 Daniel Walsh 2009-02-25 15:22:31 UTC
I can get this avc to happen if I cd /mnt

And execute

 /etc/init.d/squid restart

But not service.

Confined programs have a bad habit of searching the current working directory when they start, which can generate an AVC like this.

The service script does a cd / when it is executed, so I am surprised you got this.
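
The mechanism in the comment above is ordinary process inheritance: a daemon started by running `/etc/init.d/squid` directly inherits whatever directory the administrator was standing in, and the first path lookup relative to that directory is checked against that directory's label (here `mnt_t`), whereas `/sbin/service` changes to `/` before exec'ing the script. The Python below is an added example that is not Fedora's service script or any part of squid; it uses a tiny stand-in child that only reports its working directory (and, on an SELinux host, that directory's label via the `security.selinux` xattr) in place of a real daemon.

```python
"""Why launching an init script from inside a directory can produce a search AVC on
that directory, and why launching through service usually does not.

Added example for this bug page; not code from Fedora's service wrapper or from squid.
The child process is a stand-in for a daemon: it only prints the cwd it was given.
"""
import os
import subprocess
import sys
import tempfile
from typing import Optional

_CHILD = "import os; print(os.getcwd())"


def child_cwd(launcher_cwd: Optional[str]) -> str:
    """Spawn the stand-in child and return the working directory it sees.
    None means inherit from this process, as running /etc/init.d/squid directly would;
    a path means chdir there before exec, which is what /sbin/service does with cd /."""
    done = subprocess.run([sys.executable, "-c", _CHILD], cwd=launcher_cwd,
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_like_init_script() -> str:
    """Direct invocation: the daemon inherits the caller's cwd."""
    return child_cwd(None)


def run_like_service() -> str:
    """Invocation through the service wrapper: cwd is reset to / first."""
    return child_cwd("/")


def selinux_label(path: str) -> Optional[str]:
    """The context the kernel uses as tcontext for lookups in path, or None when the
    host has no SELinux labels (non-Linux, or a filesystem without the xattr)."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (AttributeError, OSError):
        return None


def demo() -> dict:
    """Run both launch styles from a fresh temporary directory standing in for /mnt
    and report what each child saw; the caller's cwd is restored afterwards."""
    original = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        os.chdir(tmp)
        try:
            result = {"launcher": os.getcwd(),
                      "launcher_label": selinux_label(os.getcwd()),
                      "init_script": run_like_init_script(),
                      "service": run_like_service(),
                      "service_label": selinux_label("/")}
        finally:
            os.chdir(original)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-15s %s" % (key, value))
```

On a Fedora host the `launcher_label` printed when you run this from `/mnt` is the `system_u:object_r:mnt_t:s0` seen in the AVC, while the service-style child reports `/` with the label of the root directory; that difference is the whole explanation for why the denial appears with one invocation and not the other.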

Comment 5 stanl 2009-02-25 16:12:36 UTC
Actually I was in the /etc/squid directory while I was doing this.  I ran it a few times while tweaking the squid.conf file to see if I could get it to go away.  I was logged in as root.

This system had been running for a long time without a reboot when I was doing this.  Is it possible that could cause problems like this?

Comment 6 Daniel Walsh 2009-02-25 16:23:02 UTC
I am pretty sure you can ignore it.  Anything mounted on /mnt?  On a subdir of /mnt?

Comment 7 stanl 2009-02-25 19:53:18 UTC
Yeah, other instances of fedora, so I can get to their file systems.  Mounted as non check (0 0) from fstab.

Updates-testing had the latest selinux packages and a new kernel, so I rebooted to get the new kernel and did an /.autorelabel so that everything would be consistent with the latest policy.  Then cleared out setroubleshooter log.  Will see what happens.

Comment 8 Daniel Walsh 2009-03-03 02:36:31 UTC
Reopen if it happens again.