Squid uses various message queues to communicate between processes. I don't think this happens in the default single-process basic configuration, but if you change your cache type to diskd (separate process for each cache directory), which anyone with a decent squid cache would do for performance reasons (up to 600% faster depending on your setup), selinux-policy-targeted-1.17.30-2.51 doesn't allow these message queues to be accessed. Here is a list of the message queues used by my squid proxy:

[root@dominic log]$ ipcs -q

------ Message Queues --------
key        msqid      owner      perms      used-bytes   messages
0x00381c00 0          squid      700        0            0
0x00381c01 32769      squid      700        0            0
0x00381c04 65538      squid      700        0            0
0x00381c05 98307      squid      700        0            0
0x00381c08 131076     squid      700        0            0
0x00381c09 163845     squid      700        0            0

Here are the audit denied messages which I get:

audit(1103591954.339:0): avc: denied { unix_read } for pid=3591 exe=/usr/sbin/squid key=3677189 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc: denied { unix_write } for pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc: denied { write } for pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc: denied { enqueue } for pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc: denied { read } for pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
Fixes added to squid.

selinux-policy-targeted-1.17.30-2.57 and selinux-policy-targeted-1.19.15-1

Both available on ftp://people.redhat.com/dwalsh/SELinux/

Should be in a FC3 Update soon.
I've updated my system to selinux-policy-targeted-1.17.30-2.58 and will leave it running and post results tomorrow here. I assume I don't need to reboot? I restarted squid just to be safe.
selinux-policy-targeted-1.17.30-2.58 didn't help. I think we need something like:

allow squid_t self:msgq create_msgq_perms;
allow squid_t self:shm create_shm_perms;

However, that didn't stop the errors for me either.... I'm new to selinux, so maybe I'm doing something wrong.
Ok, do this. Stop squid:

service squid stop
setenforce 0
service squid start
setenforce 1

Send me the avc messages from /var/log/messages.

I do not know much about squid; is this something I could easily set up? If so, could you send me the config files to set it up and instructions, so we can resolve these problems.

Dan
Ok, try selinux-policy-targeted-1.17.30-2.59, available at ftp://people.redhat.com/dwalsh/SELinux/FC3
selinux-policy-targeted-1.17.30-2.59 fixes the shared memory and message queue problems. With all those messages gone, I noticed one remaining error. When in permissive mode, I get one error on startup. After that, there are no errors (server has been up for 16 hours and served 100,000 requests). I'm not sure exactly what squid is doing here, but it only happens when diskd is turned on.

audit(1103749634.311:0): avc: denied { read write } for pid=6057 path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961 scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file

audit2allow suggests that this will fix it:

allow squid_t tmpfs_t:file { read write };

If you want to try out squid yourself, install the RPM and add the following line to your /etc/squid/squid.conf:

cache_dir diskd /var/spool/squid 100 16 256

That line changes it from using the basic single-process disk IO to using the recommended multiple-process diskd backend. The above behaviour will only happen if you use diskd instead of ufs.
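The comments above hand-write allow rules from AVC denials and then let audit2allow do the same job. The script below is an added example, not code from this bug report or from the SELinux policy package, showing the core of that translation: it collapses a batch of AVC lines into one candidate rule per (source type, target type, class), merging the permission sets and rewriting a target that equals the source as "self". The log lines embedded in it are constructed from the ones quoted in this thread; the function name avc_to_allow is my own.

```shell
#!/bin/sh
# Added example (not from the page): turn AVC denials into candidate allow rules.
# Sample input constructed from the squid_t denials quoted in this thread.
AVC_SAMPLE='audit(1103592170.820:0): avc: denied { unix_write } for pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103592170.820:0): avc: denied { write } for pid=3591 exe=/usr/sbin/squid key=3677192 scontext=user_u:system_r:squid_t tcontext=user_u:system_r:squid_t tclass=msgq
audit(1103749634.311:0): avc: denied { read write } for pid=6057 path=/SYSV005ea402 (deleted) dev=tmpfs ino=3112961 scontext=root:system_r:squid_t tcontext=root:object_r:tmpfs_t tclass=file'

# avc_to_allow: read AVC lines on stdin, print one "allow src tgt:class { perms };"
# per (source type, target type, class), in first-seen order, with permissions merged.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      # the permission list sits between "{" and "}"
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # keep only the type component (last field) of each security context
        if ($i ~ /^scontext=/) { n = split($i, a, ":"); src = a[n] }
        if ($i ~ /^tcontext=/) { n = split($i, a, ":"); tgt = a[n] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # policy idiom: a domain acting on objects of its own type uses "self"
      if (tgt == src) tgt = "self"
      key = src SUBSEP tgt SUBSEP cls
      if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
      np = split(perms, p, " ")
      for (j = 1; j <= np; j++)
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END {
      for (k = 1; k <= nkeys; k++) {
        split(keys[k], f, SUBSEP)
        printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rule[keys[k]]
      }
    }'
}

# Stand-alone usage: feed the constructed sample through the converter.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

Run on the sample it prints "allow squid_t self:msgq { unix_write write };" followed by "allow squid_t tmpfs_t:file { read write };", which is the shape of rule the thread ends up with. The usual caveat applies: a generated rule only says what the denied process tried to do, not whether it should be allowed, so each one still needs a look (here, whether squid_t really needs read/write on arbitrary tmpfs_t files or only on its own SysV shared memory segment) before it goes into local policy.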
Fixed in selinux-policy-targeted-1.17.30-2.66 Dan