Bug 518605

Summary:	SELinux is preventing squidGuard (squid_t) "read" squid_log_t.
Product:	[Fedora] Fedora	Reporter:	Eddie Lania <eddie>
Component:	selinux-policy-targeted	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Ben Levenson <benl>
Severity:	medium	Docs Contact:
Priority:	low
Version:	13	CC:	jeff.raber
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	3.6.12-80.fc11	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-08-02 19:42:43 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Eddie Lania 2009-08-21 08:51:46 UTC

Description of problem:SELinux is preventing squidGuard (squid_t) "read" squid_log_t.

Aug 21 10:39:08 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
Aug 21 10:43:35 ls2ka squid[4778]: Squid Parent: child process 4781 exited with status 0
Aug 21 10:44:54 ls2ka clamd.scan[2280]: SelfCheck: Database status OK.
Aug 21 10:45:05 ls2ka squid[8198]: Squid Parent: child process 8201 started
Aug 21 10:45:07 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
Aug 21 10:45:07 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
^C
[root@ls2ka ~]# sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7

Summary:

SELinux is preventing squidGuard (squid_t) "read" squid_log_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by squidGuard. It is not expected that this
access is required by squidGuard and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:squid_t:s0
Target Context                unconfined_u:object_r:squid_log_t:s0
Target Objects                /var/log/squid/squidGuard.log [ lnk_file ]
Source                        squidGuard
Source Path                   /usr/bin/squidGuard
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           squidGuard-1.4-4.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14
                              20:52:46 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Fri Aug 21 10:39:07 2009
Last Seen                     Fri Aug 21 10:45:05 2009
Local ID                      8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1250844305.747:50066): avc:  denied  { read } for  pid=8210 comm="squidGuard" name="squidGuard.log" dev=sda2 ino=1318707 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_log_t:s0 tclass=lnk_file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250844305.747:50066): arch=40000003 syscall=5 success=yes exit=3 a0=bf85c83c a1=441 a2=1b6 a3=80f4008 items=0 ppid=8201 pid=8210 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1236 comm="squidGuard" exe="/usr/bin/squidGuard" subj=unconfined_u:system_r:squid_t:s0 key=(null)

Comment 1 Daniel Walsh 2009-08-21 22:33:29 UTC

Miroslav could you add the following to squid.te

manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)

Comment 2 Miroslav Grepl 2009-08-24 15:40:04 UTC

Fixed in selinux-policy-3.6.12-80.fc11

Comment 3 Fedora Update System 2009-08-24 15:44:48 UTC

selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11

Comment 4 Fedora Update System 2009-08-25 04:26:31 UTC

selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895

Comment 5 Eddie Lania 2009-08-28 16:49:09 UTC

It seems to be working, thank you.

Comment 6 Fedora Update System 2009-08-28 21:56:30 UTC

selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Eddie Lania 2010-07-05 08:42:12 UTC

scontext=unconfined_u:system_r:squid_t is back in FC13:

Jul  5 10:31:55 ls2ka squid[9829]: Squid Parent: child process 9831 started
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32224): avc:  denied  { write } for  pid=9834 comm="squidGuard" name="tmp" dev=sda2 ino=1267316 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32225): avc:  denied  { add_name } for  pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32226): avc:  denied  { create } for  pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32227): avc:  denied  { read write open } for  pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32228): avc:  denied  { remove_name } for  pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32229): avc:  denied  { unlink } for  pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

Comment 8 Jeff Raber 2010-07-14 15:44:20 UTC

Changed version to 13.

Comment 9 Eddie Lania 2010-08-02 19:42:13 UTC

Not seeing this SELinux message anymore in /var/log/messages. I suppose it has been solved already in one of the policy updates.

Regards.

Eddie.