Bug 1310198 - Squid SELinux policy is broken on F23+
Squid SELinux policy is broken on F23+
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: squid (Show other bugs)
23
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Luboš Uhliarik
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-19 12:47 EST by Brian Bouterse
Modified: 2016-12-20 13:51 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-20 13:51:52 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
squid.conf in use when traceback was experienced (5.38 KB, text/plain)
2016-02-19 12:47 EST, Brian Bouterse
no flags Details

  None (edit)
Description Brian Bouterse 2016-02-19 12:47:58 EST
Created attachment 1128618 [details]
squid.conf in use when traceback was experienced

I recently started running Squid on EL6/EL7/F22/F23/Rawhide with SElinux Enforcing. When starting or restarting squid on F23 specifically I receive the following AVC denials:


eb 17 22:16:55 example.com squid[11942]: Ipc::Mem::Segment::create failed to shm_open(/squid-cf__metadata.shm): (13) Permission denied
Feb 17 22:16:55 example.com systemd[1]: squid.service: Control process exited, code=exited status=1
Feb 17 22:16:55 example.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=squid comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Feb 17 22:16:55 example.com systemd[1]: squid.service: Unit entered failed state.
Feb 17 22:16:55 example.com systemd[1]: squid.service: Failed with result 'exit-code'.

I filed this as an upstream issue[0] but they identified this as a packaging Bug. Note this is *not* a problem on EL6/EL7/Fedora 22

I have not tested rawhide, but please ensure that works also in case. This prevents us from testing our own software with squid on Fedora 23 so it's an important problem for us.

To restart I use:  `sudo systemctl start squid`

I've attached our squid.conf in case it's somehow related, but the upstream bug comments suggest it's part of normal operation.

FYI, The following two SELinux statements resolve the issue for me:

fs_rw_inherited_tmpfs_files(squid_t);
fs_read_tmpfs_files(squid_t);

[0]: http://bugs.squid-cache.org/show_bug.cgi?id=4444
Comment 1 Randy Barlow 2016-02-19 13:45:56 EST
On my Rawhide box I can start squid without any errors from systemctl with SELinux in enforcing mode. I also saw no errors in the journal.

This was with squid-3.5.13-1.fc24.x86_64.
Comment 2 Randy Barlow 2016-03-17 17:07:11 EDT
I am now able to reproduce this error on Fedora Rawhide, so I retract my statement from comment 1. Squid does not start on Rawhide or Fedora 23, and I suspect that it also does not start on Fedora 24 though I have not tested this yet.
Comment 3 Randy Barlow 2016-03-20 12:18:49 EDT
I believe that the difference in my tests between February and March was due to using a similar squid.conf as Brian attached. In February my test only used the stock configuration.
Comment 4 Luboš Uhliarik 2016-04-07 06:21:36 EDT
Hello, on what Fedora version, have you tested it on?

I installed the latest squid from testing repository: 

rpm -qa squid
squid-3.5.10-2.fc23.x86_64

I have not experienced any issues, by installing squid and starting it.

Process:

1) # yum install https://kojipkgs.fedoraproject.org//packages/squid/3.5.10/2.fc23/x86_64/squid-3.5.10-2.fc23.x86_64.rpm

2) # getenforce 
Enforcing

3) # cat /etc/fedora-release 
Fedora release 23 (Twenty Three)

4) # systemctl start squid

5) # systemctl status squid
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-04-07 05:56:30 EDT; 23min ago
  Process: 3750 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 3742 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 3752 (squid)
   CGroup: /system.slice/squid.service
           ├─3752 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─3754 (squid-1) -f /etc/squid/squid.conf
           └─3755 (logfile-daemon) /var/log/squid/access.log

Apr 07 05:56:29 HOSTNAME systemd[1]: Starting Squid caching proxy...
Apr 07 05:56:30 HOSTNAME squid[3752]: Squid Parent: will start 1 kids
Apr 07 05:56:30 HOSTNAME squid[3752]: Squid Parent: (squid-1) process 3754 started
Apr 07 05:56:30 HOSTNAME systemd[1]: Started Squid caching proxy.

I used default configuration file and fresh install of F23.
Comment 5 Luboš Uhliarik 2016-04-07 06:35:15 EDT
Note: I also tried the configuration, you have attached and I haven't experienced any problems.
Comment 6 Andrew Peek 2016-04-12 07:48:10 EDT
I am using squid with ssl_crtd which is generating the following SELinux errors,

Apr 09 16:42:37 proxy1 audit[2876]: AVC avc:  denied  { read } for  pid=2876 comm="ssl_crtd" name="index.txt" dev="xvda3" ino=17256413 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Apr 09 16:43:44 proxy1 audit[3024]: AVC avc:  denied  { open } for  pid=3024 comm="ssl_crtd" path="/var/lib/ssl_db/index.txt" dev="xvda3" ino=17256413 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Apr 09 16:44:40 proxy1 audit[3153]: AVC avc:  denied  { getattr } for  pid=3153 comm="ssl_crtd" path="/var/lib/ssl_db/index.txt" dev="xvda3" ino=17256413 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Apr 09 16:46:48 proxy1 audit[3264]: AVC avc:  denied  { lock } for  pid=3264 comm="ssl_crtd" path="/var/lib/ssl_db/index.txt" dev="xvda3" ino=17256413 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
Apr 09 16:47:26 proxy1 audit[3403]: AVC avc:  denied  { write } for  pid=3403 comm="ssl_crtd" name="certs" dev="xvda3" ino=25175635 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Apr 09 16:48:41 proxy1 audit[3528]: AVC avc:  denied  { add_name } for  pid=3528 comm="ssl_crtd" name="1CD3C2FD3B0DF41881036E5ABC44206BB583B6F0.pem" scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Apr 09 16:49:22 proxy1 audit[3665]: AVC avc:  denied  { create } for  pid=3665 comm="ssl_crtd" name="6D4E62214691FF0826A9ECBCD8DE708EF1DFC632.pem" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Apr 09 17:01:07 proxy1 audit[812]: AVC avc:  denied  { remove_name } for  pid=812 comm="ssl_crtd" name="0F29746F4650BD5CB807793C952999065898AAC6.pem" dev="xvda3" ino=25175593 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
Apr 09 17:02:58 proxy1 audit[2164]: AVC avc:  denied  { unlink } for  pid=2164 comm="ssl_crtd" name="0F29746F4650BD5CB807793C952999065898AAC6.pem" dev="xvda3" ino=25175593 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0

I solved by interatively applying SELinux policy updates, ultimately resulting in,

module ssl_crtdlocal 1.0;
require {
	type squid_t;
	type var_lib_t;
	class dir { add_name remove_name write };
	class file { create getattr lock open read unlink write };
}
#============= squid_t ==============
allow squid_t var_lib_t:dir { add_name remove_name write };
allow squid_t var_lib_t:file { create getattr lock open read unlink write };

The relevant squid.conf entry is,

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

The errors occur on current fc24 and rawhide. They were also in fc23 however haven't been testing with that for a few months.
Comment 7 Brian Bouterse 2016-04-19 13:29:15 EDT
Since you couldn't reproduce the issue, I tried to. I installed squid on a dnf updated fedora 23 cloud machine by running:

sudo dnf update -y
sudo dnf install squid -y

$ cat /etc/redhat-release
Fedora release 23 (Twenty Three)

sudo systemctl start squid
sudo systemctl stop squid
sudo systemctl restart squid

I received squid-3.5.9-7.fc23.x86_64. Confirmed with:

$ rpm -qa | grep squid
squid-3.5.9-7.fc23.x86_64

I did not receive any denials. SELinux is Enforcing as told by getenforce. I was not able to reproduce the issue I saw in my Vagrant development environment.

The other environment I was using did have certificates configured. My current thinking is that Comment 6 is likely what I was experiencing. Even though normal squid usage has no problem, I think there is something about that environment which causes the SELinux denial.

I tried the squid config file from the vagrant environment and it did not produce the SELinux denial either. Maybe a cert configuration? I'm not sure if we are still affected by this in the other environment because we carry the workaround now[0].

[0]: https://github.com/pulp/pulp/commit/df7e5c5b533ae6e3e2d962a3df47ed027d3df22c#diff-55c0ad69105815228aac56aa704fa9c2R94
Comment 8 Luboš Uhliarik 2016-08-15 04:43:32 EDT
Since there is no reproducer, I'm closing this bug as INSUFFICIENT_DATA. If you experience this bug again, feel free to reopen it.
Comment 9 Christian Luers 2016-08-25 06:09:50 EDT
On fedora 23 I can again reproduce the error.

Using the default install via yum and adding the squid.conf from Brian in the first comment in http://bugs.squid-cache.org/show_bug.cgi?id=4444.

Selinux stops the ssl_crtd squid certificate database generator and worker to function properly.
There is no rule defined for ssl_crtd, and no access context listed.

[root@mx1 gdata]# semanage fcontext --list | grep crtd
results in no details.

[root@mx1 gdata]# semanage fcontext --list | grep squid
/dev/shm/squid-*                                   regular file       system_u:object_r:squid_tmpfs_t:s0 
/etc/lightsquid(/.*)?                              all files          system_u:object_r:squid_conf_t:s0 
/etc/rc\.d/init\.d/squid                           regular file       system_u:object_r:squid_initrc_exec_t:s0 
/etc/squid(/.*)?                                   all files          system_u:object_r:squid_conf_t:s0 
/usr/lib/squid/cachemgr\.cgi                       regular file       system_u:object_r:squid_script_exec_t:s0 
/usr/libexec/squid/cache_swap\.sh                  regular file       system_u:object_r:squid_exec_t:s0 
/usr/sbin/lightparser.pl                           regular file       system_u:object_r:squid_cron_exec_t:s0 
/usr/sbin/squid                                    regular file       system_u:object_r:squid_exec_t:s0 
/usr/share/lightsquid/cgi(/.*)?                    all files          system_u:object_r:squid_script_exec_t:s0 
/usr/share/munin/plugins/squid_.*                  regular file       system_u:object_r:services_munin_plugin_exec_t:s0 
/usr/share/squid(/.*)?                             all files          system_u:object_r:squid_conf_t:s0 
/var/cache/squid(/.*)?                             all files          system_u:object_r:squid_cache_t:s0 
/var/lightsquid(/.*)?                              all files          system_u:object_r:squid_cache_t:s0 
/var/log/squid(/.*)?                               all files          system_u:object_r:squid_log_t:s0 
/var/log/squidGuard(/.*)?                          all files          system_u:object_r:squid_log_t:s0 
/var/run/squid.*                                   all files          system_u:object_r:squid_var_run_t:s0 
/var/spool/squid(/.*)?                             all files          system_u:object_r:squid_cache_t:s0 
/var/squidGuard(/.*)?                              all files          system_u:object_r:squid_cache_t:s0 
[root@mx1 gdata]# semanage fcontext --list | grep ssl_crtd


running squid with the ssl_crtd helper processes fails.
cat /var/log/squid/cache.log

2016/08/24 16:06:08 kid1| Adding domain mail17.qa.local from /etc/resolv.conf
2016/08/24 16:06:08 kid1| Adding domain qa.local from /etc/resolv.conf
2016/08/24 16:06:08 kid1| Adding domain gdata.de from /etc/resolv.conf
2016/08/24 16:06:08 kid1| Adding nameserver 10.28.8.2 from /etc/resolv.conf
2016/08/24 16:06:08 kid1| Adding nameserver 10.28.8.3 from /etc/resolv.conf
2016/08/24 16:06:08 kid1| helperOpenServers: Starting 5/5 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
2016/08/24 16:06:08 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2016/08/24 16:06:08 kid1| Logfile Daemon: opening log /var/log/squid/access.log
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
2016/08/24 16:06:08 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2016/08/24 16:06:08 kid1| Store logging disabled


Setting the selinux to enforcing=0 makes the ssl_crtd work again
The following entries are found in /var/log/audit/audit.log

type=USER_AVC msg=audit(1472043853.010:357): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname
=? addr=? terminal=?' 
type=SERVICE_START msg=audit(1472043853.076:358): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=squid comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=
success' 
type=AVC msg=audit(1472043853.120:359): avc:  denied  { read } for  pid=1800 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=47945 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=f
ile permissive=1 
type=AVC msg=audit(1472043853.120:360): avc:  denied  { open } for  pid=1800 comm="ssl_crtd" path="/var/lib/ssl_db/index.txt" dev="dm-0" ino=47945 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_l
ib_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1472043853.120:361): avc:  denied  { getattr } for  pid=1800 comm="ssl_crtd" path="/var/lib/ssl_db/index.txt" dev="dm-0" ino=47945 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:va
r_lib_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1472044502.167:362): avc:  denied  { create } for  pid=1828 comm="local" name="Maildir" scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(1472044502.167:363): avc:  denied  { create } for  pid=1828 comm="local"
Comment 10 Luboš Uhliarik 2016-08-31 09:21:04 EDT
OK, I reopened this bug, since I got an acknowledgement from selinux team, that this is the problem of selinux-policy package and will be fixed in near future. 

So please, be patient and let's wait for selinux team.
Comment 11 Fedora End Of Life 2016-11-24 10:38:57 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 12 Fedora End Of Life 2016-12-20 13:51:52 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.