Description of problem:
I am using CentOS 7, but I found a possible issue in the SELinux policy which might be of interest to RHEL. We have squid configured using sslbump to act as a TLS man-in-the-middle with the ability to peer into HTTPS connections (on an exercise network, disjoint from the Internet). We found that the targeted SELinux policy forbids /usr/lib64/squid/ssl_crtd from updating its certificate database. This is because /etc/squid/ssl_db is labeled squid_conf_t, and this does not permit directory or file writes. We fixed this by relabeling /etc/squid/ssl_db and the objects contained therein with: system_u:object_r:squid_cache_t:s0

Version-Release number of selected component (if applicable):
squid-3.3.8-26.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install squid
2. Configure squid's sslbump
3. Visit an HTTPS site using a client configured to connect through squid

Actual results:
/usr/lib64/squid/ssl_crtd produces AVC errors and malfunctions.
Please collect SELinux denials that appeared on your machine and attach them here. Thank you.
Please see comment 2.
I am also experiencing this problem. These entries appear in the audit log:

type=AVC msg=audit(1469523598.300:4698): avc: denied { read } for pid=14890 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.300:4698): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ebb5c8288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14890 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.300:4698): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4699): avc: denied { read } for pid=14889 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4699): arch=c000003e syscall=2 success=no exit=-13 a0=7f338a3ce288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14889 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4699): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.301:4700): avc: denied { read } for pid=14891 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.301:4700): arch=c000003e syscall=2 success=no exit=-13 a0=7f4a431f1288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14891 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.301:4700): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.307:4701): avc: denied { read } for pid=14894 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.307:4701): arch=c000003e syscall=2 success=no exit=-13 a0=7fc8e888a288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14894 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.307:4701): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D620034303936
type=AVC msg=audit(1469523598.308:4702): avc: denied { read } for pid=14893 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.308:4702): arch=c000003e syscall=2 success=no exit=-13 a0=7f6f55571288 a1=0 a2=1b6 a3=24 items=0 ppid=14888 pid=14893 auid=4294967295 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=PROCTITLE msg=audit(1469523598.308:4702): proctitle=2873736C5F6372746429002D73002F7661722F6C69622F73736C5F6462002D4D00344D42002D6
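To triage a burst of denials like the ones above without reading each record by hand, here is an added example (not from this bug report, and not code from the squid or selinux-policy projects) that parses raw auditd AVC records, groups them by source type, target type and object class, and emits the `sesearch` query that checks whether the loaded policy carries an allow rule for that access. The audit records embedded in it are constructed to mirror the ones in this report (the squid_conf_t directory denial is modelled on the original description) rather than copied from a live system.

```python
import re
from collections import defaultdict

# Constructed records modelled on this report (not copied from a live system):
# ssl_crtd in squid_t denied reading index.txt labelled var_lib_t, plus a
# constructed dir write denial against an ssl_db labelled squid_conf_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1469523598.300:4698): avc:  denied  { read } for  pid=14890 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1469523598.300:4698): arch=c000003e syscall=2 success=no exit=-13 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd"
type=AVC msg=audit(1469523598.301:4699): avc:  denied  { read } for  pid=14889 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1469523600.010:4710): avc:  denied  { write add_name } for  pid=14895 comm="ssl_crtd" name="ssl_db" dev="dm-0" ino=264600 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir permissive=0
"""

# Permission set, command and both security contexts of one raw AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def context_type(ctx):
    """user:role:type:level -> type, the field policy rules are written against."""
    return ctx.split(":")[2]

def parse_avc(text):
    """One dict per AVC denial; SYSCALL and PROCTITLE records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"comm": m.group("comm"),
                            "perms": frozenset(m.group("perms").split()),
                            "stype": context_type(m.group("scontext")),
                            "ttype": context_type(m.group("tcontext")),
                            "tclass": m.group("tclass")})
    return denials

def summarize(denials):
    """Group by (source type, target type, class); union the perms and count hits."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for d in denials:
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["count"] += 1
    return dict(groups)

def sesearch_commands(summary):
    """One sesearch per group, as run in the report: no output means no allow rule."""
    return [f"sesearch -s {s} -t {t} -c {c} -p {','.join(sorted(i['perms']))} --allow -C"
            for (s, t, c), i in sorted(summary.items())]
```

Feed it `ausearch -m AVC --raw` output (or `/var/log/audit/audit.log` directly) and run the printed `sesearch` lines; an empty result, as in comment 5, confirms the access is simply unmapped in policy and a label or policy change is needed rather than a permissive workaround.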
When ausearch -i is used, the AVC messages look this way:

----
type=PROCTITLE msg=audit(07/26/2016 10:59:58.301:4700) : proctitle=(ssl_crtd) -s /var/lib/ssl_db -M 4MB -b 4096
type=SYSCALL msg=audit(07/26/2016 10:59:58.301:4700) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f4a431f1288 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=14888 pid=14891 auid=unset uid=unknown(23) gid=unknown(23) euid=unknown(23) suid=unknown(23) fsuid=unknown(23) egid=unknown(23) sgid=unknown(23) fsgid=unknown(23) tty=(none) ses=unset comm=ssl_crtd exe=/usr/lib64/squid/ssl_crtd subj=system_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(07/26/2016 10:59:58.301:4700) : avc: denied { read } for pid=14891 comm=ssl_crtd name=index.txt dev="dm-0" ino=264611 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----

I didn't know where the index.txt file should be located, but now it's clear:

# strace -f -e open /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB -b 4096
open("/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libssl.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcrypto.so.10", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/lib/ssl_db/index.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
/usr/lib64/squid/ssl_crtd: Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
+++ exited with 0 +++
#

Unfortunately, selinux-policy is not fixed yet:

# matchpathcon /var/lib/ssl_db
/var/lib/ssl_db system_u:object_r:var_lib_t:s0
# matchpathcon /var/lib/ssl_db/index.txt
/var/lib/ssl_db/index.txt system_u:object_r:var_lib_t:s0
# sesearch -s squid_t -t var_lib_t -c file -p read --allow -C
#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861