Bug 1325527 - SELinux policy breaks squid's ssl_crtd
Summary: SELinux policy breaks squid's ssl_crtd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1331269
Reported: 2016-04-09 14:58 UTC by W. Michael Petullo
Modified: 2017-08-01 15:10 UTC
CC List: 9 users

Fixed In Version: selinux-policy-3.13.1-134.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1331269
Environment:
Last Closed: 2017-08-01 15:10:10 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description W. Michael Petullo 2016-04-09 14:58:46 UTC
Description of problem:
I am using CentOS 7, but I found a possible issue in the SELinux policy which might be of interest to RHEL. We have squid configured using sslbump to act as a TLS man-in-the-middle with the ability to peer into HTTPS connections (on an exercise network, disjoint from the Internet). We found that the targeted SELinux policy forbids /usr/lib64/squid/ssl_crtd from updating its certificate database. This is because /etc/squid/ssl_db is labeled squid_conf_t, and this does not permit directory or file writes.

We fixed this by relabeling /etc/squid/ssl_db and the objects contained therein with:

system_u:object_r:squid_cache_t:s0

Version-Release number of selected component (if applicable):
squid-3.3.8-26.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install squid
2. Configure squid's sslbump
3. Visit an HTTPS site using a client configured to connect through squid

Actual results:
/usr/lib64/squid/ssl_crtd produces AVC errors and malfunctions.

Comment 2 Milos Malik 2016-04-11 07:01:39 UTC
Please collect SELinux denials that appeared on your machine and attach them here. Thank you.

Comment 3 Lukas Vrabec 2016-06-22 15:57:59 UTC
Please see comment 2.

Comment 4 will 2016-07-26 10:03:56 UTC
I am also experiencing this problem. 

These entries appear in audit log:

type=AVC msg=audit(1469523598.300:4698): avc:  denied  { read } for  pid=14890 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.300:4698): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebb5c8288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14890 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.300:4698): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4699): avc:  denied  { read } for  pid=14889 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4699): arch=c000003e syscall=2 success=no exit=-13 a0=7f338a3ce288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14889 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4699): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4700): avc:  denied  { read } for  pid=14891 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4700): arch=c000003e syscall=2 success=no exit=-13 a0=7f4a431f1288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14891 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4700): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.307:4701): avc:  denied  { read } for  pid=14894 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.307:4701): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8e888a288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14894 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.307:4701): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.308:4702): avc:  denied  { read } for  pid=14893 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.308:4702): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f55571288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14893 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.308:4702): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D6
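
The raw records above carry everything `ausearch -i` later prints in readable form: the AVC line names the source and target types, the SYSCALL line has the numeric syscall and errno, and PROCTITLE is the hex-encoded command line with NUL separators between arguments. The following Python parses records of this shape, groups them by event serial, decodes the PROCTITLE, renders the SYSCALL fields the way `ausearch -i` does, and aggregates denials by (source type, target type, class, permission), which is the shape a policy author reasons about. It is an added example for this bug report, not code from squid, selinux-policy or the audit tools; the sample input is constructed from records quoted in this comment, and the arch and syscall tables are deliberately partial (x86_64 `open`/`openat` only).

```python
"""Parse raw Linux audit records (AVC / SYSCALL / PROCTITLE), interpret them roughly
the way `ausearch -i` does, and aggregate denials by (source, target, class, perm).

Added example for this bug report; not part of squid, selinux-policy or audit."""
import errno
import os
import re
from collections import Counter, defaultdict

# Constructed sample: the three raw records of event 4700 plus the AVC record of
# event 4701, as audit.log stores them (copied from comment 4 of this report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1469523598.301:4700): avc:  denied  { read } for  pid=14891 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4700): arch=c000003e syscall=2 success=no exit=-13 a0=7f4a431f1288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14891 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4700): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.307:4701): avc:  denied  { read } for  pid=14894 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)")

# Partial lookup tables (assumption: only what the records on this page need).
ARCH_NAMES = {"c000003e": "x86_64"}
X86_64_SYSCALLS = {2: "open", 257: "openat"}


def parse_fields(text):
    """Turn 'k=v k="v v" ...' into a dict, stripping the quotes audit adds."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def decode_proctitle(value):
    """PROCTITLE is hex-encoded when the command line contains NULs or spaces;
    each NUL separates an argv element.  A plain quoted value is returned as-is."""
    if value.startswith('"'):
        return value.strip('"')
    raw = bytes.fromhex(value)
    return " ".join(p.decode("utf-8", "replace") for p in raw.split(b"\0") if p)


def parse_audit_log(text):
    """Group records by event serial: {serial: {"AVC": [...], "SYSCALL": {...}, ...}}."""
    events = defaultdict(lambda: {"AVC": []})
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "AVC":
            am = AVC_RE.match(body)
            if not am:
                continue
            rec = parse_fields(am.group(3))
            rec["result"] = am.group(1)
            rec["perms"] = am.group(2).split()
            ev["AVC"].append(rec)
        elif rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(parse_fields(body)["proctitle"])
        else:
            ev[rtype] = parse_fields(body)
    return dict(events)


def interpret_syscall(rec):
    """Render arch, syscall number and exit code the way ausearch -i prints them."""
    arch = ARCH_NAMES.get(rec.get("arch"), rec.get("arch"))
    nr = int(rec["syscall"])
    name = X86_64_SYSCALLS.get(nr, str(nr)) if arch == "x86_64" else str(nr)
    code = -int(rec["exit"])
    exit_s = f"{errno.errorcode.get(code, code)}({os.strerror(code)})" if code > 0 else rec["exit"]
    return {"arch": arch, "syscall": name, "exit": exit_s}


def denial_summary(events):
    """Collapse denied AVCs to (source type, target type, class, permission) -> count.
    A single key across many PIDs, as here, points at one missing rule or label."""
    counts = Counter()
    for ev in events.values():
        for avc in ev["AVC"]:
            if avc["result"] != "denied":
                continue
            stype = avc["scontext"].split(":")[2]
            ttype = avc["tcontext"].split(":")[2]
            for perm in avc["perms"]:
                counts[(stype, ttype, avc["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(evs[4700]["proctitle"])
    print(interpret_syscall(evs[4700]["SYSCALL"]))
    for key, n in denial_summary(evs).items():
        print(n, key)
```

The proctitle decode shows the daemon was started with `-s /var/lib/ssl_db`, which is why the denial is on `var_lib_t` rather than on the `squid_conf_t` label the reporter hit under /etc/squid: same program, different database location, same root cause (no squid-specific label on the directory).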

Comment 5 Milos Malik 2017-03-20 14:30:56 UTC
When ausearch -i is used, the AVC messages look this way:
----
type=PROCTITLE msg=audit(07/26/2016 10:59:58.301:4700) : proctitle=(ssl_crtd) -s /var/lib/ssl_db -M 4MB -b 4096 
type=SYSCALL msg=audit(07/26/2016 10:59:58.301:4700) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f4a431f1288 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=14888 pid=14891 auid=unset uid=unknown(23) gid=unknown(23) euid=unknown(23) suid=unknown(23) fsuid=unknown(23) egid=unknown(23) sgid=unknown(23) fsgid=unknown(23) tty=(none) ses=unset comm=ssl_crtd exe=/usr/lib64/squid/ssl_crtd subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(07/26/2016 10:59:58.301:4700) : avc:  denied  { read } for  pid=14891 comm=ssl_crtd name=index.txt dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 
----

I didn't know where the index.txt file should be located, but now it's clear:

# strace -f -e open /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB -b 4096
open("/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libssl.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcrypto.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/lib/ssl_db/index.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
/usr/lib64/squid/ssl_crtd: Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
+++ exited with 0 +++
#

Unfortunately, selinux-policy is not fixed yet:
# matchpathcon /var/lib/ssl_db
/var/lib/ssl_db	system_u:object_r:var_lib_t:s0
# matchpathcon /var/lib/ssl_db/index.txt
/var/lib/ssl_db/index.txt	system_u:object_r:var_lib_t:s0
# sesearch -s squid_t -t var_lib_t -c file -p read --allow -C

#
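
The two label mismatches on this page come from one mechanism. The reporter's database under /etc/squid inherited squid_conf_t from the policy's /etc/squid rule, and /var/lib/ssl_db in the comment above fell through to the generic /var/lib rule, so matchpathcon returned var_lib_t and sesearch found no rule letting squid_t read it. The following Python models the file_contexts lookup that matchpathcon and restorecon consult, using a constructed subset of rules, and shows how a local fcontext entry (the persistent counterpart of the reporter's manual relabel) changes the result and what a restorecon dry run would then report. It is an added example for this bug report, not code from squid, selinux-policy or libselinux; the rule list and the extra paths are constructed, and the last-match-wins order reflects how libselinux reads the sorted file_contexts database.

```python
"""Model how libselinux maps a path to its default file context, so the labelling
questions in this report can be reproduced offline without an SELinux system.

Added example for this bug report, not code from squid, selinux-policy or libselinux.
The rules are a constructed, simplified subset of the targeted policy's file_contexts."""
import re

# (regex, context).  The installed file_contexts is sorted so that more specific
# entries come later, and the lookup takes the LAST matching entry; entries added
# with `semanage fcontext` live in file_contexts.local, consulted after the
# distribution file, so they override it.  Type filters (-d, --, ...) are omitted.
BASE_FILE_CONTEXTS = [
    (r"/.*", "system_u:object_r:default_t:s0"),
    (r"/var/lib(/.*)?", "system_u:object_r:var_lib_t:s0"),
    (r"/etc/squid(/.*)?", "system_u:object_r:squid_conf_t:s0"),
    (r"/var/cache/squid(/.*)?", "system_u:object_r:squid_cache_t:s0"),
]


def compile_rules(entries):
    """Compile the regexes; matching below uses fullmatch, the equivalent of the
    ^...$ anchoring libselinux applies to every file_contexts entry."""
    return [(re.compile(rx), ctx) for rx, ctx in entries]


def matchpathcon(path, rules):
    """Return the default context for `path`: the last rule whose regex matches the
    whole path, or None (the real tool prints <<none>> in that case)."""
    result = None
    for rx, ctx in rules:
        if rx.fullmatch(path):
            result = ctx
    return result


def with_local_rule(rules, regex, setype, user="system_u", role="object_r", level="s0"):
    """Return a new rule list with the equivalent of
    `semanage fcontext -a -t <setype> '<regex>'` appended (last, so it wins)."""
    return rules + [(re.compile(regex), f"{user}:{role}:{setype}:{level}")]


def relabel_plan(paths, old_rules, new_rules):
    """List paths whose default label differs between two rule sets: what
    `restorecon -Rvn` would report before anything is rewritten on disk."""
    plan = []
    for p in paths:
        before, after = matchpathcon(p, old_rules), matchpathcon(p, new_rules)
        if before != after:
            plan.append((p, before, after))
    return plan


if __name__ == "__main__":
    base = compile_rules(BASE_FILE_CONTEXTS)
    # Comment 5: the certificate database falls under the generic /var/lib rule.
    print(matchpathcon("/var/lib/ssl_db/index.txt", base))
    # The report: a database kept under /etc/squid inherits the config-only type.
    print(matchpathcon("/etc/squid/ssl_db/index.txt", base))
    fixed = with_local_rule(base, r"/var/lib/ssl_db(/.*)?", "squid_cache_t")
    # Constructed paths: the two ssl_db objects change, the unrelated one does not.
    for entry in relabel_plan(["/var/lib/ssl_db", "/var/lib/ssl_db/index.txt",
                               "/var/lib/rpm"], base, fixed):
        print(entry)
```

The point of the dry-run helper is the operational check: a relabel that is correct for the ssl_db directory must leave the rest of /var/lib (or /etc/squid) untouched, and comparing old and new defaults before running restorecon is how you confirm the new regex is no broader than intended.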

Comment 9 errata-xmlrpc 2017-08-01 15:10:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

