Description of problem:
When you configure squid to run with more than one worker, SELinux prevents it from opening IPC channels and shared memory segments. SMP mode is a new feature from squid 3.3 onwards. It looks like the SELinux policy needs to be updated to deal with this new squid feature.

Version-Release number of selected component (if applicable):
3.3.x/3.4.x

How reproducible:
Always -- actually I tried on CentOS 6.5, using unofficial packages from squid-cache.org. Not tested yet on Fedora, but from what I see in the Fedora RPMs and SRPMs for squid, it looks like the same issue will be present there. I contacted the Fedora package maintainers for squid about this and they advised me to open the bug on Fedora bugzilla anyway.

Steps to Reproduce:
1. Run squid with factory default configs, to show it's working as expected with SELinux enforcing
2. Change /etc/squid/squid.conf to use SMP mode. For example:

   workers 2
   cache_mem 1024 MB
   cache_dir rock /cache/shared 2000 min-size=1 max-size=31000 max-swap-rate=250 swap-timeout=350
   cache_dir aufs /cache/worker${process_number} 2000 16 256 min-size=31001 max-size=346030080

3. Recursively set file context squid_cache_t for /cache and run squid -z to initialize the cache dirs for SMP mode
4. Start squid

Actual results:
AVC denials, not all squid child processes start, won't proxy http requests.
Here's a partial snippet of the AVCs:
-----------------
type=AVC msg=audit(1399489635.910:86640): avc: denied { create } for pid=12184 comm="squid" name="coordinator.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1399489635.921:86641): avc: denied { create } for pid=12186 comm="squid" name="kid-1.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1399490819.665:86659): avc: denied { create } for pid=12419 comm="squid" name="kid-2.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1399493508.444:86954): avc: denied { remove_name } for pid=15856 comm="squid" name="squid-cache_mem.shm" dev=tmpfs ino=36316934 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1399493508.444:86955): avc: denied { remove_name } for pid=15856 comm="squid" name="squid-squid-page-pool.shm" dev=tmpfs ino=36316933 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
-----------------

Expected results:
Squid starts four children (aka kids): two worker processes (squid-1 and squid-2), a disker (squid-disk-3) and a coordinator (squid-coord-4), which share memory segments and use IPC channels.
Additional info:
I used audit2allow to generate the following SELinux policy module that solves the AVCs and allows squid to run fine in SMP mode:
-----------------
module squid-smp 1.1;

require {
	type squid_t;
	type var_run_t;
	type tmpfs_t;
	class sock_file { create write unlink };
	class dir { remove_name add_name write };
	class file { unlink create };
}

# for ipc channels between kids/workers
allow squid_t var_run_t:sock_file { create write unlink };

# for shm used by cache_mem and rock store
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
-----------------
I guess I could have used something more specific than "var_run_t", labeled files accordingly and had a stricter policy.
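As an added example (this is not part of the report above, and it is not audit2allow itself), the script below does the core of what audit2allow did for the module above: it parses AVC records, groups the denied permissions by (source type, target type, object class) and renders them as a .te module with one allow rule per group. The sample input is the AVC records quoted in this report. One thing worth noticing when running it: the rules are keyed on the type actually logged in tcontext, so for these records the sock_file rule comes out against squid_var_run_t rather than var_run_t. The module name and version strings are arbitrary.

```python
"""Derive candidate SELinux allow rules from AVC denial records.

Added example: a minimal re-implementation of the grouping audit2allow
performs, so it is visible how denials become allow rules.
"""
import re
from collections import defaultdict

# Sample AVC records copied from the bug report (constructed test input).
SAMPLE_AVCS = """\
type=AVC msg=audit(1399489635.910:86640): avc: denied { create } for pid=12184 comm="squid" name="coordinator.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1399489635.921:86641): avc: denied { create } for pid=12186 comm="squid" name="kid-1.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1399490819.665:86659): avc: denied { create } for pid=12419 comm="squid" name="kid-2.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1399493508.444:86954): avc: denied { remove_name } for pid=15856 comm="squid" name="squid-cache_mem.shm" dev=tmpfs ino=36316934 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1399493508.444:86955): avc: denied { remove_name } for pid=15856 comm="squid" name="squid-squid-page-pool.shm" dev=tmpfs ino=36316933 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

# Captures the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def collect_rules(text):
    """Group denials by (source, target, class) and union their permissions."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_module(rules, name="squid-smp", version="1.0"):
    """Render a .te module: one require block, then one allow rule per group."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(collect_rules(SAMPLE_AVCS)))
```

Feeding it `ausearch -m avc -ts recent` output instead of the embedded sample gives the same kind of module; it only ever emits permissions that were actually denied, so as with audit2allow, the result needs to be reviewed rather than loaded blindly.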
    allow squid_t var_run_t:sock_file { create write unlink };
    allow squid_t var_run_t:sock_file create;

What is the path to these sockets?

    name="kid-1.ipc"
    name="coordinator.ipc"
Those socket files (*.ipc) are created at /var/run/squid
Finally got to test squid in SMP mode using Fedora (f19) and squid-3.3.12-1.fc19.x86_64 from the Fedora repos. This squid release does not implement the "rock" cache store, so I had to use a simpler config than in my tests using CentOS 6.5 and squid-3.4.3. It's enough to add this directive to /etc/squid/squid.conf:

   workers 2

Squid will try to use /var/run/squid for the ipc files, but this directory has to be created with group owner squid and write permission for the group:

# ls -laZ /var/run/squid*
-rw-r--r--. root squid system_u:object_r:squid_var_run_t:s0 /var/run/squid.pid

/var/run/squid:
drwxrwxr-x. root squid unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root  system_u:object_r:var_run_t:s0 ..

This path (/var/run/squid) has to be configurable somewhere, I'll look at this. Probably it should be added to the squid RPM package.

In the meantime, starting squid under f19 with selinux enforcing, I got the same AVCs as I did using centos and audit2allow generated the same policy (first part, "for ipc...").
23450f5c3d964a4c688d818c03eff7edf162641b fixes this in git.
selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20
Package selinux-policy-3.12.1-167.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20
Package selinux-policy-3.12.1-171.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-171.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7499/selinux-policy-3.12.1-171.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.