Bug 139282 - squid can't run a perl redirect program
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-11-14 16:35 EST by Thomas J. Baker
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-04-11 17:50:28 EDT
Attachments
Attachment 106712: This is the patch I am adding (922 bytes, text/plain), 2004-11-15 10:00 EST, Daniel Walsh
Description Thomas J. Baker 2004-11-14 16:35:59 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
squid can't seem to run a perl redirect_program:

audit(1100466419.363:0): avc:  denied  { execute } for  pid=3537 exe=/usr/sbin/squid name=perl dev=dm-0 ino=755085 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
audit(1100466419.368:0): avc:  denied  { execute } for  pid=3538 exe=/usr/sbin/squid name=perl dev=dm-0 ino=755085 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file

I've got the context of the perl script set correctly, I think.

[root@gile adzap]# pwd
/usr/local/lib/adzap
[root@gile adzap]# ls -lZ squid_redirect
-rwxr-xr-x  root     root     system_u:object_r:squid_exec_t   squid_redirect
[root@gile adzap]#

I have a similar problem with an apache cgi script not being able to
run find. Should I file a different bug?


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.19

How reproducible:
Always

Steps to Reproduce:
1. configure squid with a perl redirect_program like adzap
2. 
3.
    

Additional info:

Could be something I'm doing wrong with contexts.
Comment 1 Thomas J. Baker 2004-11-14 16:38:23 EST
Meant to ask, is there a "local additions to policy" file defined yet
where I can add my additions to contexts or policy that won't get
overwritten or disabled by an upgrade? 
Comment 2 Daniel Walsh 2004-11-15 09:37:49 EST
That is what the misc directory is for?

/etc/selinux/targeted/src/policy/domains/misc

I will add a can_exec(squid_t, { bin_t sbin_t } ) to policy

selinux-policy-targeted-1.17.30-2.28
Comment 3 Thomas J. Baker 2004-11-15 09:51:19 EST
Will that fix it completely? I added to my newly created misc/squid.te
and still got these errors:

audit(1100530368.125:0): avc:  denied  { read } for  pid=22419 exe=/usr/sbin/squid name=sh dev=dm-0 ino=966665 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=lnk_file

due to it being a link:

[root@gile policy]# ls -lZd /bin/sh
lrwxrwxrwx  root     root     system_u:object_r:bin_t          /bin/sh -> bash
[root@gile policy]# ls -lZd /bin/bash
-rwxr-xr-x  root     root     system_u:object_r:shell_exec_t   /bin/bash
[root@gile policy]# restorecon /bin/sh
Warning! /bin/sh refers to a symbolic link, not following last component.
[root@gile policy]# ls -lZd /bin/sh
lrwxrwxrwx  root     root     system_u:object_r:bin_t          /bin/sh -> bash
[root@gile policy]#
Comment 4 Thomas J. Baker 2004-11-15 09:52:19 EST
Should read I added can_exec(squid_t, { bin_t sbin_t } ) to my
misc/squid.te and still got errors...
Comment 5 Thomas J. Baker 2004-11-15 09:57:24 EST
Seems the rule you added should have fixed it since it was a bin_t.
And I thought I was starting to understand this stuff...
Comment 6 Daniel Walsh 2004-11-15 10:00:27 EST
Created attachment 106712 [details]
This is the patch I am adding
Comment 7 Thomas J. Baker 2004-11-15 10:18:15 EST
Since /bin/bash is shell_exec_t, I had to modify the can_exec to this:

can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )

and it now mostly seems to work. I get other errors like this now but
the perl redirect_script is now at least running:

audit(1100531926.643:0): avc:  denied  { read } for  pid=23976 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1100531926.672:0): avc:  denied  { read } for  pid=23979 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1100531926.681:0): avc:  denied  { read } for  pid=23980 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1100531926.683:0): avc:  denied  { read } for  pid=23978 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1100531926.691:0): avc:  denied  { read } for  pid=23977 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file

[root@gile policy]# ps -ef | grep squid
root     23972     1  0 10:18 ?        00:00:00 squid -D
squid    23975 23972  0 10:18 ?        00:00:00 (squid) -D
squid    23976 23975  2 10:18 ?        00:00:04 /usr/bin/perl -w /usr/lib/squid/squid_redirect
squid    23977 23975  2 10:18 ?        00:00:04 /usr/bin/perl -w /usr/lib/squid/squid_redirect
squid    23978 23975  2 10:18 ?        00:00:04 /usr/bin/perl -w /usr/lib/squid/squid_redirect
squid    23979 23975  2 10:18 ?        00:00:04 /usr/bin/perl -w /usr/lib/squid/squid_redirect
squid    23980 23975  2 10:18 ?        00:00:04 /usr/bin/perl -w /usr/lib/squid/squid_redirect
squid    23981 23975  0 10:18 ?        00:00:00 (unlinkd)
root     24111 22146  0 10:21 pts/2    00:00:00 grep squid
[root@gile policy]#

I can't really test it too much until I get home tonight to see if it
works well enough.
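Added example, not part of the bug report and not Fedora's own policy tooling: a small Python parser for the old syslog-style "audit(...): avc: denied" lines quoted in this thread. It collapses the denials into the allow rules they ask for (the job audit2allow does) and then reports which denials a can_exec() over a given set of types would still leave, which is the question Comments 3, 5 and 7 were circling. The sample lines are constructed from the denials in the description and in Comments 3 and 7; the model of can_exec as granting read/getattr/execute on the file class is an assumption for the check (the real macro in that policy tree grants more, but only on the file class).

```python
"""Group old-format SELinux AVC denials into allow rules and check them
against a can_exec() over a set of executable types.

Example code added to this bug page; not from the report or from the
selinux-policy-targeted package.
"""
import re
from collections import defaultdict

# Pre-auditd AVC line as squid wrote it to dmesg/syslog on FC3.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed from the denials quoted in this thread (one per distinct case,
# plus one duplicate to show merging).
SAMPLE_DENIALS = """\
audit(1100466419.363:0): avc:  denied  { execute } for  pid=3537 exe=/usr/sbin/squid name=perl dev=dm-0 ino=755085 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
audit(1100530368.125:0): avc:  denied  { read } for  pid=22419 exe=/usr/sbin/squid name=sh dev=dm-0 ino=966665 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=lnk_file
audit(1100531926.643:0): avc:  denied  { read } for  pid=23976 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
audit(1100531926.672:0): avc:  denied  { read } for  pid=23979 exe=/usr/bin/perl name=urandom dev=tmpfs ino=900 scontext=root:system_r:squid_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
"""


def parse_avc(line):
    """Return the source type, target type, object class, perms and
    object name of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    try:
        return {
            "perms": set(m.group("perms").split()),
            # contexts are user:role:type; the type is what policy rules use
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "name": fields.get("name"),
        }
    except (KeyError, IndexError):
        return None


def allow_rules(text):
    """Merge denials on the same (source, target, class) triple into one
    'allow' rule each, the way audit2allow summarises a log."""
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


# Assumption: can_exec(domain, types) is modelled as read/getattr/execute on
# tclass file for the listed types and nothing else (the real macro grants a
# few more file-class permissions, but still only on the file class).
CAN_EXEC_PERMS = {"read", "getattr", "execute"}


def not_covered_by_can_exec(text, exec_types):
    """Denials that a can_exec(<domain>, { exec_types }) would not address:
    anything on another object class (a symlink, a device node) or on a
    type that is not in the list."""
    leftover = set()
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        covered = (
            d["tclass"] == "file"
            and d["ttype"] in exec_types
            and d["perms"] <= CAN_EXEC_PERMS
        )
        if not covered:
            leftover.add((d["ttype"], d["tclass"], d["name"]))
    return sorted(leftover)


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DENIALS):
        print(rule)
    print("left after can_exec(squid_t, { bin_t sbin_t }):")
    for ttype, tclass, name in not_covered_by_can_exec(SAMPLE_DENIALS, {"bin_t", "sbin_t"}):
        print(f"  {ttype}:{tclass} ({name})")
```

Run against the constructed lines, the leftover list holds the two denials that a file-class rule on bin_t cannot satisfy: the read of the /bin/sh symlink (object class lnk_file, labelled bin_t while its target /bin/bash is shell_exec_t, as Comment 3 shows) and perl's read of /dev/urandom (class chr_file, type urandom_device_t). Both the lnk_file read and the chr_file read need their own rules, which is why adding types to can_exec alone did not make the denials go away.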
Comment 8 Thomas J. Baker 2004-11-15 10:23:37 EST
Should I open a new bug about the find not working in cgi-bin scripts
for apache? 
Comment 9 Daniel Walsh 2004-11-18 18:27:25 EST
Yes
Comment 10 Thomas J. Baker 2004-11-29 09:10:52 EST
I got a new updated policy over the weekend and I still have problems
as described in comment #7. /bin/bash is shell_exec_t which was not
added by the patch.
Comment 11 Daniel Walsh 2004-12-07 14:24:20 EST
Fixed in selinux-policy-targeted-1.17.30-2.42
