Bug 143454 - squid message queue avc denied
Summary: squid message queue avc denied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2004-12-21 01:42 UTC by Phil Anderson
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-01-27 06:50:40 UTC
Type: ---
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:251 0 low SHIPPED_LIVE selinux-policy-targeted bug fix update 2005-06-09 04:00:00 UTC

Description Phil Anderson 2004-12-21 01:42:19 UTC
Squid uses various message queues to communicate between processes.  I
don't think this happens in the default single process basic
configuration, but it does if you change your cache type to diskd (separate
process for each cache directory), which anyone with a decent squid
cache would do for performance reasons (up to 600% faster depending on
your setup).

selinux-policy-targeted-1.17.30-2.51 doesn't allow these message
queues to be accessed.  Here is a list of the message queues used by
my squid proxy:

[root@dominic log]$ ipcs -q

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages
0x00381c00 0          squid      700        0            0
0x00381c01 32769      squid      700        0            0
0x00381c04 65538      squid      700        0            0
0x00381c05 98307      squid      700        0            0
0x00381c08 131076     squid      700        0            0
0x00381c09 163845     squid      700        0            0

Here are the audit denied messages which I get:
audit(1103591954.339:0): avc:  denied  { unix_read } for  pid=3591
exe=/usr/sbin/squid key=3677189 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { unix_write } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { write } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { enqueue } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { read } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq

Comment 1 Daniel Walsh 2004-12-21 16:36:33 UTC
Fixes added to squid.

selinux-policy-targeted-1.17.30-2.57 and selinux-policy-targeted-1.19.15-1

Both available on ftp://people.redhat.com/dwalsh/SELinux/

Should be in a FC3 Update soon.

Comment 2 Phil Anderson 2004-12-22 00:47:08 UTC
I've updated my system to selinux-policy-targeted-1.17.30-2.58 and
will leave it running and post results tomorrow here.  I assume I
don't need to reboot?  I restarted squid just to be safe.

Comment 3 Phil Anderson 2004-12-22 05:15:54 UTC
selinux-policy-targeted-1.17.30-2.58 didn't help.  I think we need
something like:

allow squid_t self:msgq create_msgq_perms;
allow squid_t self:shm create_shm_perms;

However, that didn't stop the errors for me either... I'm new to
selinux, so maybe I'm doing something wrong.

Comment 4 Daniel Walsh 2004-12-22 14:27:40 UTC
Ok, do this.  

stop squid, 
service squid stop
setenforce 0
service squid start
setenforce 1

Send me the avc messages from /var/log/messages.

I do not know much about squid, is this something I could easily
setup?  If so could you send me the config files to set it up and
instructions, so we can resolve these problems.

Dan

Comment 5 Daniel Walsh 2004-12-22 15:23:03 UTC
Ok, try selinux-policy-targeted-1.17.30-2.59

available
ftp://people.redhat.com/dwalsh/SELinux/FC3

Comment 6 Phil Anderson 2004-12-23 12:34:13 UTC
selinux-policy-targeted-1.17.30-2.59 fixes the shared memory and
message queue problems.

With all those messages gone, I noticed one remaining error.  When in
permissive mode, I get one error on startup.  After that, there are no
errors (server has been up for 16 hours and served 100,000 requests).
I'm not sure exactly what squid is doing here, but it only happens
when diskd is turned on.

audit(1103749634.311:0): avc:  denied  { read write } for  pid=6057
path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961
scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file

audit2allow suggests that this will fix it:
allow squid_t tmpfs_t:file { read write };

If you want to try out squid yourself, install the RPM and add the
following line to your /etc/squid/squid.conf:
cache_dir diskd /var/spool/squid 100 16 256

That line changes it from using the basic single process disk IO to
using the recommended multiple process diskd backend.  The above
behaviour will only happen if you use diskd instead of ufs.
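The denials quoted in the description and in comment 6 are the raw material that audit2allow turns into allow rules. The following Python is an added example written for this page, not code from the bug report, from Squid or from the selinux-policy package: it parses AVC "denied" lines of the format shown above, aggregates the denied permissions per (source type, target type, object class), emits the corresponding allow rules in the same form as the ones posted in comments 3 and 6, and flags rules whose target is a generic type such as tmpfs_t, which a policy reviewer would want to look at before accepting them. The sample lines are the ones from this bug, re-joined onto single lines; the prefix-based "broad target" heuristic is an assumption of this example, not an SELinux rule.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in this bug report,
# re-joined onto single lines (the page shows them wrapped).
SAMPLE_AVCS = [
    "audit(1103591954.339:0): avc:  denied  { unix_read } for  pid=3591 "
    "exe=/usr/sbin/squid key=3677189 scontext=user_u:system_r:squid_t "
    "tcontext=user_u:system_r:squid_t tclass=msgq",
    "audit(1103592170.820:0): avc:  denied  { unix_write } for  pid=3591 "
    "exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t "
    "tcontext=user_u:system_r:squid_t tclass=msgq",
    "audit(1103592170.820:0): avc:  denied  { write } for  pid=3591 "
    "exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t "
    "tcontext=user_u:system_r:squid_t tclass=msgq",
    "audit(1103592170.820:0): avc:  denied  { enqueue } for  pid=3591 "
    "exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t "
    "tcontext=user_u:system_r:squid_t tclass=msgq",
    "audit(1103592170.820:0): avc:  denied  { read } for  pid=3591 "
    "exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t "
    "tcontext=user_u:system_r:squid_t tclass=msgq",
    "audit(1103749634.311:0): avc:  denied  { read write } for  pid=6057 "
    "path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961 "
    "scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file",
]

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the denied permissions and the type part of both contexts, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Tokens that are not key=value (e.g. "(deleted)" after path=) are skipped.
    fields = dict(KV_RE.findall(m.group("rest")))
    try:
        return {
            "perms": m.group("perms").split(),
            # user:role:type[:level]; the type is the third field
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "pid": fields.get("pid"),
        }
    except (KeyError, IndexError):
        return None


def summarize(lines):
    """Aggregate denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def to_allow_rules(rules):
    """Render aggregated denials as allow rules, using 'self' when types match."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {target}:{cls} {perm_str};")
    return out


def flag_broad_targets(rules):
    """Heuristic (assumption of this example): a target type that is neither self
    nor named after the source domain (squid_t -> squid_*) is a generic type, and a
    rule on it grants access to every object of that type, not just the domain's own."""
    flagged = []
    for src, tgt, cls in sorted(rules):
        prefix = src[:-2] + "_" if src.endswith("_t") else src
        if tgt != src and not tgt.startswith(prefix):
            flagged.append((src, tgt, cls))
    return flagged


if __name__ == "__main__":
    rules = summarize(SAMPLE_AVCS)
    for rule in to_allow_rules(rules):
        print(rule)
    for src, tgt, cls in flag_broad_targets(rules):
        print(f"# review: {src} -> {tgt}:{cls} targets a generic type")
```

On the sample input this yields `allow squid_t self:msgq { enqueue read unix_read unix_write write };` and `allow squid_t tmpfs_t:file { read write };`, with the second flagged for review: the SysV shared-memory segment squid maps is a tmpfs-backed file, and the generated rule opens all tmpfs_t files to squid_t rather than only that segment. Real audit2allow should still be used for production policy; this script only makes the mapping from denial to rule visible.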

Comment 7 Daniel Walsh 2005-01-03 21:06:34 UTC
Fixed in selinux-policy-targeted-1.17.30-2.66

Dan

