Bug 143454 - squid message queue avc denied
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-12-20 20:42 EST by Phil Anderson
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-01-27 01:50:40 EST
Description Phil Anderson 2004-12-20 20:42:19 EST
Squid uses various message queues to communicate between processes.  I
don't think this happens in the default single process basic
configuration, but it does if you change your cache type to diskd (a
separate process for each cache directory), which anyone with a decent
squid cache would do for performance reasons (up to 600% faster
depending on your setup).

selinux-policy-targeted-1.17.30-2.51 doesn't allow these message
queues to be accessed.  Here is a list of the message queues used by
my squid proxy:

[root@dominic log]$ ipcs -q

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages
0x00381c00 0          squid      700        0            0
0x00381c01 32769      squid      700        0            0
0x00381c04 65538      squid      700        0            0
0x00381c05 98307      squid      700        0            0
0x00381c08 131076     squid      700        0            0
0x00381c09 163845     squid      700        0            0

Here are the audit denied messages which I get:
audit(1103591954.339:0): avc:  denied  { unix_read } for  pid=3591
exe=/usr/sbin/squid key=3677189 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { unix_write } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { write } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { enqueue } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { read } for  pid=3591
exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t
tcontext=user_u:system_r:squid_t tclass=msgq
Comment 1 Daniel Walsh 2004-12-21 11:36:33 EST
Fixes added to squid.

selinux-policy-targeted-1.17.30-2.57 and selinux-policy-targeted-1.19.15-1

Both available on ftp://people.redhat.com/dwalsh/SELinux/

Should be in a FC3 Update soon.
Comment 2 Phil Anderson 2004-12-21 19:47:08 EST
I've updated my system to selinux-policy-targeted-1.17.30-2.58 and
will leave it running and post results tomorrow here.  I assume I
don't need to reboot?  I restarted squid just to be safe.
Comment 3 Phil Anderson 2004-12-22 00:15:54 EST
selinux-policy-targeted-1.17.30-2.58 didn't help.  I think we need
something like:

allow squid_t self:msgq create_msgq_perms;
allow squid_t self:shm create_shm_perms;

However, that didn't stop the errors for me either... I'm new to
selinux, so maybe I'm doing something wrong.
Comment 4 Daniel Walsh 2004-12-22 09:27:40 EST
Ok, do this.

Stop squid:
service squid stop
setenforce 0
service squid start
setenforce 1

Send me the avc messages from /var/log/messages.

I do not know much about squid, is this something I could easily
setup?  If so could you send me the config files to set it up and
instructions, so we can resolve these problems.

Dan
Comment 5 Daniel Walsh 2004-12-22 10:23:03 EST
Ok, try selinux-policy-targeted-1.17.30-2.59

available
ftp://people.redhat.com/dwalsh/SELinux/FC3
Comment 6 Phil Anderson 2004-12-23 07:34:13 EST
selinux-policy-targeted-1.17.30-2.59 fixes the shared memory and
message queue problems.

With all those messages gone, I noticed one remaining error.  When in
permissive mode, I get one error on startup.  After that, there are no
errors (the server has been up for 16 hours and served 100,000
requests).  I'm not sure exactly what squid is doing here, but it only
happens when diskd is turned on.

audit(1103749634.311:0): avc:  denied  { read write } for  pid=6057
path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961
scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file

audit2allow suggests that this will fix it:
allow squid_t tmpfs_t:file { read write };

If you want to try out squid yourself, install the RPM and add the
following line to your /etc/squid/squid.conf:
cache_dir diskd /var/spool/squid 100 16 256

That line changes it from using the basic single process disk IO to
using the recommended multiple process diskd backend.  The above
behaviour will only happen if you use diskd instead of ufs.
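As an added example (not code from this bug, from squid, or from selinux-policy), the script below does by hand what the audit2allow run in Comment 6 does, and what Comment 3 was reaching for: it parses the FC3-era "avc: denied { perms } for k=v ..." lines quoted in the description and in Comment 6, merges them into one allow rule per (source type, target type, object class), and additionally joins the decimal key= of each msgq denial to the hex key in the ipcs -q listing so a denial can be tied to a specific queue and owner. The regexes and function names are this example's own; the sample log and ipcs table are the lines quoted in this bug, pasted inline (one denial per line) so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials and the `ipcs -q` table quoted
# in this bug, joined onto one line each so the script runs offline.
AVC_LOG = """\
audit(1103591954.339:0): avc:  denied  { unix_read } for  pid=3591 exe=/usr/sbin/squid key=3677189 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { unix_write } for  pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { write } for  pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { enqueue } for  pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc:  denied  { read } for  pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103749634.311:0): avc:  denied  { read write } for  pid=6057 path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961 scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file
"""

IPCS_Q = """\
------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages
0x00381c00 0          squid      700        0            0
0x00381c01 32769      squid      700        0            0
0x00381c04 65538      squid      700        0            0
0x00381c05 98307      squid      700        0            0
0x00381c08 131076     squid      700        0            0
0x00381c09 163845     squid      700        0            0
"""

# Regexes are this example's own; they cover the FC3-era
# "avc: denied { perms } for k=v k=v ..." layout shown above.
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")   # "path=/SYSV... (deleted)" keeps only the path token


def parse_avc(log):
    """Return one dict per denial: the k=v fields plus a 'perms' set."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group("fields")))
        rec["perms"] = set(m.group("perms").split())
        records.append(rec)
    return records


def type_of(context):
    """'user_u:system_r:squid_t' -> 'squid_t' (the type is the third field)."""
    return context.split(":")[2]


def allow_rules(records):
    """Merge denials into one allow rule per (source type, target, class),
    the way audit2allow does; equal source and target types become 'self'."""
    merged = defaultdict(set)
    for r in records:
        src, tgt = type_of(r["scontext"]), type_of(r["tcontext"])
        merged[(src, "self" if src == tgt else tgt, r["tclass"])] |= r["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ %s }" % body
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


def parse_ipcs_q(text):
    """Index the `ipcs -q` rows by their key, converted from hex to int."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 6 and cols[0].startswith("0x"):
            table[int(cols[0], 16)] = dict(
                zip(("key", "msqid", "owner", "perms", "used_bytes", "messages"), cols))
    return table


def resolve_msgq_keys(records, ipcs_table):
    """Join the decimal key= of each msgq denial to the hex key ipcs prints,
    so a denial can be tied to a specific queue and its owner."""
    out = {}
    for r in records:
        if r.get("tclass") == "msgq" and "key" in r:
            key = int(r["key"])
            row = ipcs_table.get(key)
            out[key] = (row["key"], row["owner"]) if row else None
    return out


if __name__ == "__main__":
    recs = parse_avc(AVC_LOG)
    print("\n".join(allow_rules(recs)))
    for key, hit in resolve_msgq_keys(recs, parse_ipcs_q(IPCS_Q)).items():
        print("key=%d -> %s" % (key, hit))
```

Run as-is it prints `allow squid_t self:msgq { enqueue read unix_read unix_write write };` and `allow squid_t tmpfs_t:file { read write };` (the second is exactly the rule Comment 6 reports from audit2allow), followed by key=3677189 -> 0x00381c05 and key=3677192 -> 0x00381c08, both owned by squid in the ipcs listing. Two points worth keeping in mind when reading such output: the `self` spelling is what audit2allow emits whenever source and target types coincide, which is why the rule Comment 3 proposed had the right shape even though the package it was tested against did not yet carry it; and a generated rule is only as narrow as the types in the denial, so `allow squid_t tmpfs_t:file { read write }` grants access to every tmpfs_t file, not just the one segment. The `/SYSV005ea402 (deleted)` path on tmpfs is how the kernel names a System V shared-memory segment, so the file denial in Comment 6 is the shm half of the same diskd IPC rather than a stray file under /. Generated rules are a starting point for review, not something to load unread.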
Comment 7 Daniel Walsh 2005-01-03 16:06:34 EST
Fixed in selinux-policy-targeted-1.17.30-2.66

Dan
