| Summary: | SELinux is preventing /usr/bin/squidGuard from 'create' accesses on the Datei BDB26234. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | cblaauw <carstenblaauw> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, gwync, itamar, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:f105199fd2448de7c6b9c20632b2513fcdc6304dec5d5ef94e24b0607d1f00b7 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-04-10 09:11:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Does it happen by default or did you configure anything? Is squidguard using /tmp? After a quick peek at the source, I don't *think* so. My /etc/squid/squidGuard.conf contains the following references to directories:
dbhome /var/squidGuard/blacklists
logdir /var/log/squidGuard
ausearch -m avc gives me lots of:
type=SYSCALL msg=audit(1321727280.140:91): arch=c000003e syscall=2 success=yes exit=13 a0=287f7a0 a1=c2 a2=180 a3=1 items=0 ppid=1138 pid=3215 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squidGuard" exe="/usr/bin/squidGuard" subj=system_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1321727280.140:91): avc: denied { read write open } for pid=3215 comm="squidGuard" name="BDB03215" dev=dm-1 ino=562 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1321727280.140:91): avc: denied { create } for pid=3215 comm="squidGuard" name="BDB03215" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
Do you still need info from me? I'm unsure. cblaauw, What is the content of BDB03215? I don't know the content of BDB03215, maybe it's a temporary file that squidGuard uses. If I find out the path of the file I can have a look, but right now it is nowhere to find. I think the name changes on every restart of squidGuard. Sorry that I cannot help more. Carsten Right now the bug does not appear, because I did:
grep squidGuard /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
content of mypol.te:
module mypol 1.0;
require {
type tmp_t;
type squid_t;
class file { read write create unlink open };
}
#============= squid_t ==============
#!!!! The source type 'squid_t' can write to a 'file' of the following types:
# pcscd_var_run_t, squid_var_run_t, squid_cache_t, squid_tmpfs_t, squid_log_t, root_t, krb5_host_rcache_t
allow squid_t tmp_t:file { read write create unlink open };
Miroslav lets add in squid_tmp_t, and allow it. Added. |
libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.2.10-1.fc16.x86_64 reason: SELinux is preventing /usr/bin/squidGuard from 'create' accesses on the Datei BDB26234. time: So 18 Mär 2012 10:32:08 CET description: :SELinux is preventing /usr/bin/squidGuard from 'create' accesses on the Datei BDB26234. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that squidGuard should be allowed create access on the BDB26234 file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep squidGuard /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:squid_t:s0 :Target Context system_u:object_r:tmp_t:s0 :Target Objects BDB26234 [ file ] :Source squidGuard :Source Path /usr/bin/squidGuard :Port <Unbekannt> :Host (removed) :Source RPM Packages squidGuard-1.4-9.fc15.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-78.fc16.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.2.10-1.fc16.x86_64 #1 SMP Mon Mar 12 : 22:34:35 UTC 2012 x86_64 x86_64 :Alert Count 7 :First Seen Fr 16 Mär 2012 18:14:25 CET :Last Seen So 18 Mär 2012 10:31:02 CET :Local ID 9f0cb499-7d82-4ad8-a04c-7041461c4dce : :Raw Audit Messages :type=AVC msg=audit(1332063062.137:319): avc: denied { create } for pid=26234 comm="squidGuard" name="BDB26234" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file : : :type=AVC msg=audit(1332063062.137:319): avc: denied { read write open } for pid=26234 comm="squidGuard" name="BDB26234" dev=dm-1 ino=694 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file : : :type=SYSCALL msg=audit(1332063062.137:319): arch=x86_64 syscall=open success=yes exit=EACCES a0=10737a0 a1=c2 a2=180 a3=12 items=0 ppid=1122 pid=26234 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squidGuard exe=/usr/bin/squidGuard subj=system_u:system_r:squid_t:s0 key=(null) : :Hash: squidGuard,squid_t,tmp_t,file,create : :audit2allow : :#============= squid_t ============== :#!!!! The source type 'squid_t' can write to a 'file' of the following types: :# pcscd_var_run_t, squid_var_run_t, squid_cache_t, squid_tmpfs_t, squid_log_t, root_t, krb5_host_rcache_t : :allow squid_t tmp_t:file { read write create open }; : :audit2allow -R : :#============= squid_t ============== :#!!!! The source type 'squid_t' can write to a 'file' of the following types: :# pcscd_var_run_t, squid_var_run_t, squid_cache_t, squid_tmpfs_t, squid_log_t, root_t, krb5_host_rcache_t : :allow squid_t tmp_t:file { read write create open }; :