Bug 1276381 - Squid fails to start with under SELinux MLS
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Lukas Vrabec
Stefan Dordevic
Reported: 2015-10-29 10:59 EDT by Dustin C. Hatch
Modified: 2016-11-03 22:23 EDT
Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Last Closed: 2016-11-03 22:23:54 EDT
Type: Bug
Description Dustin C. Hatch 2015-10-29 10:59:33 EDT
Description of problem:
When the system is using the MLS SELinux policy, the squid.service unit fails to start:

systemd[1]: Starting Squid caching proxy...
cache_swap.sh[2119]: init_cache_dir /var/cache/squid... /usr/libexec/squid/cache_swap.sh: line 14: /var/log/squid/squid.out: Permission denied

The problem is this AVC:

type=AVC msg=audit(1446129156.681:889): avc:  denied  { write } for  pid=2124 comm="cache_swap.sh" name="squid" dev="xvda1" ino=8722141 scontext=system_u:system_r:init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=dir

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enable SELinux MLS
2. Start squid.service

Actual results:
Squid fails to start because cache_swap.sh does not run

Expected results:
cache_swap.sh should execute successfully even under SELinux MLS, and squid should start

Additional info:
Fixing this problem is trivial:
chcon -t squid_exec_t /usr/libexec/squid/cache_swap.sh
Comment 3 Miroslav Grepl 2015-11-02 02:43:40 EST
Thank you. We need to add labeling for /usr/libexec/squid/cache_swap.sh as you mentioned.
Comment 7 errata-xmlrpc 2016-11-03 22:23:54 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
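
The AVC record from the description, parsed field by field in Python. This is an added example, not part of the original bug report or of selinux-policy; the function names and the init_t heuristic are assumptions of the example.

```python
import re

# AVC record copied from the bug description above.
AVC = ('type=AVC msg=audit(1446129156.681:889): avc:  denied  { write } for  '
       'pid=2124 comm="cache_swap.sh" name="squid" dev="xvda1" ino=8722141 '
       'scontext=system_u:system_r:init_t:s0-s15:c0.c1023 '
       'tcontext=system_u:object_r:squid_log_t:s0 tclass=dir')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]. An MLS level may itself contain ':'
    (s0-s15:c0.c1023), so split at most three times."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {ctx!r}')
    level = parts[3] if len(parts) == 4 else None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2], 'level': level}


def parse_avc(line):
    """Return the decision, permissions and both contexts of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('no AVC message in line')
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
        'source': split_context(fields['scontext']),
        'target': split_context(fields['tcontext']),
    }


def still_in_init_domain(avc):
    """Heuristic (assumption of this example): a denial whose source type is
    init_t came from a helper that systemd ran without a domain transition,
    so the label on the executable is the first thing to check."""
    return avc['result'] == 'denied' and avc['source']['type'] == 'init_t'


if __name__ == '__main__':
    record = parse_avc(AVC)
    print(record['comm'], record['perms'], record['source'], record['target'])
    print('ran without domain transition:', still_in_init_domain(record))
```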

