1291164 – SELinux policy (daemons) changes required for package: squid34

Bug 1291164 - SELinux policy (daemons) changes required for package: squid34

Summary: SELinux policy (daemons) changes required for package: squid34

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.8
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1265328
TreeView+	depends on / blocked

Reported:	2015-12-14 08:21 UTC by Eng Ops Maitai User
Modified:	2016-05-10 20:03 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.7.19-286.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-05-10 20:03:50 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:0763	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2016-05-10 22:33:46 UTC

Comment 2 Milos Malik 2015-12-14 09:19:08 UTC

Following AVC appeared in enforcing mode when the /etc/squid/squid.conf file contained "workers 2":
----
type=PATH msg=audit(12/14/2015 10:15:58.008:484) : item=1 name=/dev/shm/squid-squid-page-pool.shm nametype=CREATE 
type=PATH msg=audit(12/14/2015 10:15:58.008:484) : item=0 name=/dev/shm/ inode=5936 dev=00:10 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT 
type=CWD msg=audit(12/14/2015 10:15:58.008:484) :  cwd=/ 
type=SYSCALL msg=audit(12/14/2015 10:15:58.008:484) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fffa21155d0 a1=O_RDWR|O_CREAT|O_TRUNC|O_NOFOLLOW|O_CLOEXEC a2=0600 a3=0x7fffa2115350 items=2 ppid=27143 pid=27321 auid=root uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=pts0 ses=61 comm=squid exe=/usr/sbin/squid subj=unconfined_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(12/14/2015 10:15:58.008:484) : avc:  denied  { write } for  pid=27321 comm=squid name=/ dev=tmpfs ino=5936 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----

Comment 3 Milos Malik 2015-12-14 09:26:41 UTC

Following AVCs appeared in permissive mode when the /etc/squid/squid.conf file contained "workers 2":
----
type=PATH msg=audit(12/14/2015 10:22:04.504:517) : item=1 name=/dev/shm/squid-squid-page-pool.shm inode=221470 dev=00:10 mode=file,600 ouid=squid ogid=squid rdev=00:00 obj=unconfined_u:object_r:tmpfs_t:s0 nametype=CREATE 
type=PATH msg=audit(12/14/2015 10:22:04.504:517) : item=0 name=/dev/shm/ inode=5936 dev=00:10 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=PARENT 
type=CWD msg=audit(12/14/2015 10:22:04.504:517) :  cwd=/ 
type=SYSCALL msg=audit(12/14/2015 10:22:04.504:517) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffcc7ac21d0 a1=O_RDWR|O_CREAT|O_TRUNC|O_NOFOLLOW|O_CLOEXEC a2=0600 a3=0x7ffcc7ac1f50 items=2 ppid=6121 pid=6289 auid=root uid=squid gid=squid euid=squid suid=root fsuid=squid egid=squid sgid=squid fsgid=squid tty=pts0 ses=61 comm=squid exe=/usr/sbin/squid subj=unconfined_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(12/14/2015 10:22:04.504:517) : avc:  denied  { create } for  pid=6289 comm=squid name=squid-squid-page-pool.shm scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmpfs_t:s0 tclass=file 
type=AVC msg=audit(12/14/2015 10:22:04.504:517) : avc:  denied  { add_name } for  pid=6289 comm=squid name=squid-squid-page-pool.shm scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
type=AVC msg=audit(12/14/2015 10:22:04.504:517) : avc:  denied  { write } for  pid=6289 comm=squid name=/ dev=tmpfs ino=5936 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir 
----

Unfortunately, the SHM objects created by squid did not get correct labels:

# ls -Z /dev/shm/
-rw-------. squid squid unconfined_u:object_r:tmpfs_t:s0 squid-cache_mem.shm
-rw-------. squid squid unconfined_u:object_r:tmpfs_t:s0 squid-squid-page-pool.shm
#

Comment 7 errata-xmlrpc 2016-05-10 20:03:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html

Note You need to log in before you can comment on or make changes to this bug.