Bug 1102843 - SELinux prevents squid running in SMP mode
Summary: SELinux prevents squid running in SMP mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-29 16:16 UTC by Fernando Lozano
Modified: 2015-03-05 10:39 UTC (History)

Fixed In Version: selinux-policy-3.13.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:39:20 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1102346 0 unspecified CLOSED SELinux prevents squid running in SMP mode 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1102842 0 medium CLOSED missing /var/run/squid needed for smp mode 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2015:0458 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Internal Links: 1102346 1102842

Description Fernando Lozano 2014-05-29 16:16:18 UTC
I already submitted this bug and a proposed solution for Fedora as:

https://bugzilla.redhat.com/show_bug.cgi?id=1099543

The same problem and fix applies to RHEL6 and RHEL7, so I hope the updated policy can be quickly added to RHEL.

Comment 1 Fernando Lozano 2014-05-29 16:20:44 UTC
This is the same as bug #1102346 but for RHEL7, which does provide a squid RPM with SMP mode capability. But I hope the change on SELinux policy can be made for RHEL6 also; it would help people who install a newer squid than provided by RHEL6.

Comment 3 Milos Malik 2014-05-29 19:47:19 UTC
Enforcing mode:
----
type=PATH msg=audit(05/29/2014 21:34:06.492:89394) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:34:06.492:89394) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:34:06.492:89394) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:34:06.492:89394) : saddr=local /var/run/squid/kid-3.ipc 
type=SYSCALL msg=audit(05/29/2014 21:34:06.492:89394) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xf a1=0x7f7d1f4e33cc a2=0x1a a3=0x0 items=3 ppid=23207 pid=23211 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:34:06.492:89394) : avc:  denied  { create } for  pid=23211 comm=squid name=kid-3.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:34:06.497:89395) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:34:06.497:89395) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:34:06.497:89395) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:34:06.497:89395) : saddr=local /var/run/squid/kid-4.ipc 
type=SYSCALL msg=audit(05/29/2014 21:34:06.497:89395) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xf a1=0x7f0d62ab63cc a2=0x1a a3=0x0 items=3 ppid=23207 pid=23210 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:34:06.497:89395) : avc:  denied  { create } for  pid=23210 comm=squid name=kid-4.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:34:06.509:89396) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:34:06.509:89396) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:34:06.509:89396) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:34:06.509:89396) : saddr=local /var/run/squid/kid-1.ipc 
type=SYSCALL msg=audit(05/29/2014 21:34:06.509:89396) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xf a1=0x7f97433303cc a2=0x1a a3=0x0 items=3 ppid=23207 pid=23213 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:34:06.509:89396) : avc:  denied  { create } for  pid=23213 comm=squid name=kid-1.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:34:06.519:89397) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:34:06.519:89397) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:34:06.519:89397) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:34:06.519:89397) : saddr=local /var/run/squid/coordinator.ipc 
type=SYSCALL msg=audit(05/29/2014 21:34:06.519:89397) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xb a1=0x7f1a610bae6c a2=0x20 a3=0x0 items=3 ppid=23207 pid=23209 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:34:06.519:89397) : avc:  denied  { create } for  pid=23209 comm=squid name=coordinator.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:34:06.523:89398) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:34:06.523:89398) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:34:06.523:89398) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:34:06.523:89398) : saddr=local /var/run/squid/kid-2.ipc 
type=SYSCALL msg=audit(05/29/2014 21:34:06.523:89398) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0xf a1=0x7f8f052e13cc a2=0x1a a3=0x0 items=3 ppid=23207 pid=23212 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:34:06.523:89398) : avc:  denied  { create } for  pid=23212 comm=squid name=kid-2.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----

Permissive mode:
----
type=PATH msg=audit(05/29/2014 21:35:53.395:89417) : item=4 name=(null) inode=3456803 dev=00:12 mode=socket,750 ouid=squid ogid=squid rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:35:53.395:89417) : item=3 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:35:53.395:89417) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:35:53.395:89417) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:35:53.395:89417) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:35:53.395:89417) : saddr=local /var/run/squid/kid-4.ipc 
type=SYSCALL msg=audit(05/29/2014 21:35:53.395:89417) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xf a1=0x7f3f9dfdf3cc a2=0x1a a3=0x0 items=5 ppid=23425 pid=23428 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:35:53.395:89417) : avc:  denied  { create } for  pid=23428 comm=squid name=kid-4.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:35:53.407:89418) : item=4 name=(null) inode=3457949 dev=00:12 mode=socket,750 ouid=squid ogid=squid rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:35:53.407:89418) : item=3 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:35:53.407:89418) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(05/29/2014 21:35:53.407:89418) : item=1 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(05/29/2014 21:35:53.407:89418) : item=0 name=(null) inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(05/29/2014 21:35:53.407:89418) : saddr=local /var/run/squid/kid-3.ipc 
type=SYSCALL msg=audit(05/29/2014 21:35:53.407:89418) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xf a1=0x7fba97df83cc a2=0x1a a3=0x0 items=5 ppid=23425 pid=23429 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:35:53.407:89418) : avc:  denied  { create } for  pid=23429 comm=squid name=kid-3.ipc scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:35:53.410:89419) : item=0 name=(null) inode=3457946 dev=00:12 mode=socket,750 ouid=squid ogid=squid rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=NORMAL 
type=SOCKADDR msg=audit(05/29/2014 21:35:53.410:89419) : saddr=local /var/run/squid/coordinator.ipc 
type=SYSCALL msg=audit(05/29/2014 21:35:53.410:89419) : arch=x86_64 syscall=sendmsg success=yes exit=4112 a0=0xb a1=0x7fba97df6368 a2=MSG_NOSIGNAL a3=0x2 items=1 ppid=23425 pid=23429 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:35:53.410:89419) : avc:  denied  { write } for  pid=23429 comm=squid name=coordinator.ipc dev="tmpfs" ino=3457946 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:42:40.913:89456) : item=1 name=/var/run/squid/coordinator.ipc inode=3459739 dev=00:12 mode=socket,750 ouid=squid ogid=squid rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=DELETE 
type=PATH msg=audit(05/29/2014 21:42:40.913:89456) : item=0 name=/var/run/squid/ inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(05/29/2014 21:42:40.913:89456) :  cwd=/var/spool/squid 
type=SYSCALL msg=audit(05/29/2014 21:42:40.913:89456) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7fb92ee5ae6e a1=0x7fff9a94f208 a2=0x0 a3=0x0 items=2 ppid=23766 pid=23768 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:42:40.913:89456) : avc:  denied  { unlink } for  pid=23768 comm=squid name=coordinator.ipc dev="tmpfs" ino=3459739 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(05/29/2014 21:42:40.916:89457) : item=1 name=/var/run/squid/kid-4.ipc inode=3461373 dev=00:12 mode=socket,750 ouid=squid ogid=squid rdev=00:00 obj=system_u:object_r:var_run_t:s0 objtype=DELETE 
type=PATH msg=audit(05/29/2014 21:42:40.916:89457) : item=0 name=/var/run/squid/ inode=3456229 dev=00:12 mode=dir,755 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(05/29/2014 21:42:40.916:89457) :  cwd=/var/spool/squid 
type=SYSCALL msg=audit(05/29/2014 21:42:40.916:89457) : arch=x86_64 syscall=unlink success=no exit=-13(Permission denied) a0=0x7feaf54393ce a1=0x7fff006f7db8 a2=0x0 a3=0x7fff006f7c30 items=2 ppid=23766 pid=23769 auid=unset uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(05/29/2014 21:42:40.916:89457) : avc:  denied  { unlink } for  pid=23769 comm=squid name=kid-4.ipc dev="tmpfs" ino=3461373 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file 
----

Comment 4 Miroslav Grepl 2014-05-30 10:55:31 UTC
We added fixes.

Comment 8 errata-xmlrpc 2015-03-05 10:39:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

