Bug 804366
Summary: | SELinux is preventing /usr/bin/squidGuard from 'create' accesses on the Datei BDB26234. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | cblaauw <carstenblaauw> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 16 | CC: | dominick.grift, dwalsh, gwync, itamar, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:f105199fd2448de7c6b9c20632b2513fcdc6304dec5d5ef94e24b0607d1f00b7 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-04-10 09:11:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
cblaauw
2012-03-18 09:32:48 UTC
Does it happen by default or did you configure anything? Is squidguard using /tmp? After a quick peek at the source, I don't *think* so. My /etc/squid/squidGuard.conf contains the following references to directories: dbhome /var/squidGuard/blacklists logdir /var/log/squidGuard ausearch -m avc gives me lots of: type=SYSCALL msg=audit(1321727280.140:91): arch=c000003e syscall=2 success=yes exit=13 a0=287f7a0 a1=c2 a2=180 a3=1 items=0 ppid=1138 pid=3215 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squidGuard" exe="/usr/bin/squidGuard" subj=system_u:system_r:squid_t:s0 key=(null) type=AVC msg=audit(1321727280.140:91): avc: denied { read write open } for pid=3215 comm="squidGuard" name="BDB03215" dev=dm-1 ino=562 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file type=AVC msg=audit(1321727280.140:91): avc: denied { create } for pid=3215 comm="squidGuard" name="BDB03215" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file Do you still need info from me? I'm unsure. cblaauw, What is the content of BDB03215? I don't know the content of BDB03215, maybe it's a temporary file that squidGuard uses. If I find out the path of the file I can have a look, but right now it is nowhere to find. I think the name changes on every restart of squidGuard. Sorry that I cannot help more. Carsten Right now the bug does not appear, because I did: grep squidGuard /var/log/audit/audit.log | audit2allow -M mypol semodule -i mypol.pp content of mypol.te: module mypol 1.0; require { type tmp_t; type squid_t; class file { read write create unlink open }; } #============= squid_t ============== #!!!! The source type 'squid_t' can write to a 'file' of the following types: # pcscd_var_run_t, squid_var_run_t, squid_cache_t, squid_tmpfs_t, squid_log_t, root_t, krb5_host_rcache_t allow squid_t tmp_t:file { read write create unlink open }; Miroslav lets add in squid_tmp_t, and allow it. Added. |