Bug 1189556 - SELinux is preventing /usr/sbin/squid from read, write access on the file squid-var.spool.squid.cache1.shm.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:3ecd475d68692f460e05938ad1e...
Reported: 2015-02-05 09:00 EST by mystilleef
Modified: 2016-04-09 04:19 EDT
Doc Type: Bug Fix
Last Closed: 2015-12-09 05:21:06 EST
Attachments: None

Description mystilleef 2015-02-05 09:00:39 EST
Description of problem:
Running concurrent squid processes is broken on Fedora with SELinux set to enforcing. Squid needs shared memory (shm) to allow concurrent access to its caches.

In squid.conf, add "workers 2" and change the cache_dir filesystem to "rock" to reproduce the problem.

I have to generate a local policy module on every reboot to allow access.

SELinux is preventing /usr/sbin/squid from read, write access on the file squid-var.spool.squid.cache1.shm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that squid should be allowed read write access on the squid-var.spool.squid.cache1.shm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep squid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                squid-var.spool.squid.cache1.shm [ file ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           squid-3.4.9-3.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-107.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.19.0-0.rc7.git0.3.fc22.x86_64 #1
                              SMP Tue Feb 3 19:42:06 UTC 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-02-05 08:30:37 EST
Last Seen                     2015-02-05 08:36:15 EST
Local ID                      84ffaffc-7890-48cc-9c3d-6c9fb80cdc21

Raw Audit Messages
type=AVC msg=audit(1423143375.316:698): avc:  denied  { read write } for  pid=3397 comm="squid" name="squid-var.spool.squid.cache1.shm" dev="tmpfs" ino=20233 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1423143375.316:698): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffaf0d56c0 a1=a0242 a2=180 a3=7fafcebc81c0 items=0 ppid=1 pid=3397 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)

Hash: squid,squid_t,tmpfs_t,file,read,write

Version-Release number of selected component:
selinux-policy-3.13.1-107.fc22.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.0-0.rc7.git0.3.fc22.x86_64
type:           libreport
Comment 1 Jaroslav Reznik 2015-03-03 11:50:04 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 2 Daniel Berrange 2015-12-08 11:37:27 EST
This also occurs on Fedora 23 with an unmodified out of the box squid.conf config file.
Comment 3 Lukas Vrabec 2015-12-08 12:31:10 EST
[fedora@fedora ~]$ sudo systemctl status squid.service
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2015-12-08 17:22:43 UTC; 4min 18s ago
  Process: 939 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 933 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 942 (squid)
   CGroup: /system.slice/squid.service
           ├─942 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─944 (squid-1) -f /etc/squid/squid.conf
           └─945 (logfile-daemon) /var/log/squid/access.log

Dec 08 17:22:42 fedora.23.virt systemd[1]: Starting Squid caching proxy...
Dec 08 17:22:43 fedora.23.virt squid[942]: Squid Parent: will start 1 kids
Dec 08 17:22:43 fedora.23.virt systemd[1]: Started Squid caching proxy.
Dec 08 17:22:43 fedora.23.virt squid[942]: Squid Parent: (squid-1) process 944 started
Dec 08 17:22:49 fedora.23.virt systemd[1]: Started Squid caching proxy.

[fedora@fedora ~]$ cd /dev/shm/

[fedora@fedora shm]$ ls -Z 
system_u:object_r:squid_tmpfs_t:s0 squid-cf__metadata.shm  system_u:object_r:squid_tmpfs_t:s0 squid-cf__queues.shm  system_u:object_r:squid_tmpfs_t:s0 squid-cf__readers.shm
[fedora@fedora shm]$ sesearch -A -s squid_t -t squid_tmpfs_t 
Found 3 semantic av rules:
   allow squid_t file_type : filesystem getattr ; 
   allow squid_t squid_tmpfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow squid_t squid_tmpfs_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 

[fedora@fedora shm]$ ps -efZ | grep squid
system_u:system_r:squid_t:s0    root       942     1  0 17:22 ?        00:00:00 /usr/sbin/squid -f /etc/squid/squid.conf
system_u:system_r:squid_t:s0    squid      944   942  0 17:22 ?        00:00:00 (squid-1) -f /etc/squid/squid.conf
system_u:system_r:squid_t:s0    squid      945   944  0 17:22 ?        00:00:00 (logfile-daemon) /var/log/squid/access.log
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 fedora 1904 780  0 17:28 pts/0 00:00:00 grep --color=auto squid

[fedora@fedora shm]$ rpm -q selinux-policy
selinux-policy-3.13.1-156.fc23.noarch

On my F23 it looks fine.
Could you remove files related to squid in /dev/shm and start squid using systemctl? 

Thank you.
Comment 4 Daniel Berrange 2015-12-09 05:07:11 EST
(In reply to Lukas Vrabec from comment #3)
> [fedora@fedora shm]$ ls -Z 
> system_u:object_r:squid_tmpfs_t:s0 squid-cf__metadata.shm 
> system_u:object_r:squid_tmpfs_t:s0 squid-cf__queues.shm 
> system_u:object_r:squid_tmpfs_t:s0 squid-cf__readers.shm

Strangely on my system they were labelled  'tmpfs_t' rather than 'squid_tmpfs_t'. When I delete them and restart squid once more they get the correct 'squid_tmpfs_t'.  I guess perhaps those files were created when I had older version of selinux-policy installed and so got the wrong label initially.
Comment 5 Lukas Vrabec 2015-12-09 05:21:06 EST
Thank you for testing. 

Closing as notabug.
Comment 6 Christophe 2016-01-03 17:13:48 EST
I also faced this issue after installing squid on my F23... Then there might be a "bug" during the installation of the packages.

Unfortunately, on my side, the deletion did not resolve the issue. I had to modify the label of the 3 files listed above.

Once done, the squid daemon was starting successfully.
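Worked example, added here and not part of the bug report, of squid, or of Fedora's selinux-policy: a POSIX sh triage script that reads an AVC record like the one in the description, tells a stale label (tmpfs_t on a segment that squid_t created, the case comments 4 and 6 resolved by re-creating or relabeling the files) apart from a genuine policy gap, confirms with sesearch that the loaded policy already allows squid_t access to squid_tmpfs_t (the check in comment 3), and then relabels instead of loading the audit2allow module that setroubleshoot suggests. That module would carry a rule of the form `allow squid_t tmpfs_t:file { read write };`, which lets the proxy read and write every generically labeled tmpfs file on the host, so the label fix is the one to prefer. Assumptions of mine, not the page's: the private tmpfs type follows the refpolicy naming convention <prefix>_tmpfs_t, and the segments live directly in /dev/shm. The sample AVC line is a copy of the one in the Raw Audit Messages above.

```shell
#!/bin/sh
# Added triage script for AVC denials like the one in this bug. Not part of the
# bug report, of squid, or of Fedora's selinux-policy.
# Assumptions (mine): a confined domain's private tmpfs type is named
# <prefix>_tmpfs_t as in refpolicy (squid_t -> squid_tmpfs_t; the sesearch
# output in comment 3 confirms that name for squid), and the segments to fix
# live directly in /dev/shm.

# Sample input: a copy of the AVC record from this bug's Raw Audit Messages.
AVC='type=AVC msg=audit(1423143375.316:698): avc:  denied  { read write } for  pid=3397 comm="squid" name="squid-var.spool.squid.cache1.shm" dev="tmpfs" ino=20233 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY: value of KEY=... in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# ctx_type CONTEXT: the type component of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_tmpfs_type DOMAIN: the private tmpfs type the daemon's shm
# segments should carry (naming-convention assumption, see header).
expected_tmpfs_type() {
    printf '%s_tmpfs_t\n' "${1%_t}"
}

# diagnose RECORD: prints one of
#   relabel <actual type> <expected type>   stale generic label, fix the files
#   policy-gap                               label is specific, policy lacks the rule
#   not-tmpfs                                the denied object is not on tmpfs
diagnose() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$(avc_field "$1" dev)" != tmpfs ]; then
        echo not-tmpfs
    elif [ "$tgt" = tmpfs_t ]; then
        echo "relabel $tgt $(expected_tmpfs_type "$src")"
    else
        echo policy-gap
    fi
}

# policy_allows SRC_TYPE TGT_TYPE: true if the loaded policy already lets
# SRC read and write files of TGT (needs setools' sesearch, as in comment 3).
policy_allows() {
    sesearch -A -s "$1" -t "$2" -c file -p read,write 2>/dev/null \
        | grep -q "allow $1 $2"
}

# relabel_shm TYPE: put the expected type on squid's stale segments. Deleting
# them and restarting squid (comment 4) also works, because the policy's type
# transition labels freshly created files correctly. restorecon is no help, as
# far as I know: these names have no file-context entry, so it would reapply
# the generic tmpfs_t of /dev/shm.
relabel_shm() {
    for f in /dev/shm/squid-*; do
        [ -e "$f" ] && chcon -t "$1" "$f"
    done
}

main() {
    verdict=$(diagnose "$AVC")
    echo "verdict: $verdict"
    case $verdict in
        relabel*)
            src=$(ctx_type "$(avc_field "$AVC" scontext)")
            want=${verdict##* }
            # Only act on a live SELinux host with setools installed; elsewhere
            # the verdict line is the whole output.
            if [ -d /sys/fs/selinux ] && command -v sesearch >/dev/null 2>&1; then
                if policy_allows "$src" "$want"; then
                    relabel_shm "$want"
                else
                    echo "policy has no $src -> $want file rule; report a policy bug"
                fi
            fi
            ;;
    esac
}

main
```

For the record in this bug the verdict is `relabel tmpfs_t squid_tmpfs_t`; a denial whose target context already reads squid_tmpfs_t would come out as `policy-gap`, and that is the only case where a local module or a selinux-policy bug is the right answer.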
Comment 7 srakitnican 2016-04-09 04:19:33 EDT
Same (In reply to Daniel Berrange from comment #4)
> (In reply to Lukas Vrabec from comment #3)
> > [fedora@fedora shm]$ ls -Z 
> > system_u:object_r:squid_tmpfs_t:s0 squid-cf__metadata.shm 
> > system_u:object_r:squid_tmpfs_t:s0 squid-cf__queues.shm 
> > system_u:object_r:squid_tmpfs_t:s0 squid-cf__readers.shm
> 
> Strangely on my system they were labelled  'tmpfs_t' rather than
> 'squid_tmpfs_t'. When I delete them and restart squid once more they get the
> correct 'squid_tmpfs_t'.  I guess perhaps those files were created when I
> had older version of selinux-policy installed and so got the wrong label
> initially.

Same happened after installing squid and trying to start it on my F23 box. This fixed it.
