Bug 145139 - selinux starts shouting when launching squid
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: i686 Linux
Priority: medium  Severity: medium
Reported: 2005-01-14 13:14 EST by Florin Andrei
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-06-09 09:06:13 EDT
Description Florin Andrei 2005-01-14 13:14:25 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
I'm on an FC3 system that's totally up-to-date:
selinux-policy-targeted-1.17.30-2.72
kernel-smp-2.6.10-1.741_FC3
squid-2.5.STABLE6-3

Squid has a pretty much vanilla config, I just changed the port to
8080 and I opened up the http ACL to all addresses (it's a private
network so that's ok).

Timeline:
Before, I used this system without enabling squid for a long time.
Only yesterday, I enabled squid. It appeared to work fine, but I
didn't look if there were any selinux-related errors.
Today, I upgraded to the latest kernel and selinux. When rebooting the
system, I noticed that selinux was barfing errors when launching
squid. Here's syslog:

################################################################
Jan 14 10:01:46 stantz squid: Starting squid:
Jan 14 10:01:47 stantz squid[3768]: Squid Parent: child process 3770 started
Jan 14 10:01:47 stantz kernel: audit(1105725707.536:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/cyrus dev=sda5 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.548:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.562:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/squid dev=sda6 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.577:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.577:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/proc/bus/usb dev=usbfs ino=1570 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:usbfs_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/dev/shm dev=tmpfs ino=5349 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/cyrus dev=sda5 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/squid dev=sda6 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=5391 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { search } for  pid=3770 exe=/usr/sbin/squid name=lib dev=sdb4 ino=960999 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/proc/fs/nfsd dev=nfsd ino=7764 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
Jan 14 10:01:48 stantz squid: .
Jan 14 10:01:48 stantz squid: ESC[60G
Jan 14 10:01:48 stantz squid:
Jan 14 10:01:48 stantz rc: Starting squid:  succeeded
################################################################

In any case, after booting up squid seems to be working fine and no
further errors are printed out.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.72

How reproducible:
Always

Steps to Reproduce:
1. see above

Actual Results:  see above

Expected Results:  see above

Additional info:
Comment 1 Sitsofe Wheeler 2005-01-14 15:29:06 EST
I've seen this sort of thing before when a user sus to root and then starts
squid by doing something like /etc/init.d/squid restart. Was squid started from
boot or was it launched by a user?
Comment 2 Florin Andrei 2005-01-14 16:06:04 EST
Sitsofe,
It's just what happens when the system boots up.
However, I just tested now (since you mentioned it) an "/etc/init.d/squid stop"
then start (from a "su -" session) and it's the same thing. Something's not
right with selinux and squid.
Comment 3 Daniel Walsh 2005-01-19 11:01:40 EST
Looks like your system needs to be relabeled.  

touch /.autorelabel
reboot

Comment 4 Florin Andrei 2005-01-19 13:02:06 EST
It did not help (see messages below).
Does it have anything to do with the partitioning scheme?

#################################
# cat /etc/fstab
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/                 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /dev/shm                tmpfs   defaults        0 0
LABEL=/home             /home                   ext3    defaults        1 2
none                    /proc                   proc    defaults        0 0
none                    /sys                    sysfs   defaults        0 0
LABEL=/var/cyrus        /var/cyrus              ext3    defaults        1 2
LABEL=/var/ftp          /var/ftp                ext3    defaults        1 2
LABEL=/var/log          /var/log                ext3    defaults        1 2
LABEL=/var/spool        /var/spool              ext3    defaults        1 2
LABEL=/var/squid        /var/squid              ext3    defaults        1 2
LABEL=/vmware           /vmware                 ext3    defaults        1 2
/dev/sda2               swap                    swap    defaults        0 0
/dev/hda                /media/cdrom            auto    pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0
/dev/fd0                /media/floppy           auto    pamconsole,fscontext=system_u:object_r:removable_t,exec,noauto,managed 0 0
#################################

#######################################################
Jan 19 09:59:11 stantz squid[5085]: Squid Parent: child process 5088 started
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/proc/bus/usb dev=usbfs ino=1550 scontext=root:system_r:squid_t tcontext=system_u:object_r:usbfs_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/dev/shm dev=tmpfs ino=5330 scontext=root:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.116:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=64290 scontext=root:system_r:squid_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.116:0): avc:  denied  { search } for  pid=5088 exe=/usr/sbin/squid name=lib dev=sdb4 ino=960999 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.116:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/proc/fs/nfsd dev=nfsd ino=65878 scontext=root:system_r:squid_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
#######################################################
Comment 5 Florin Andrei 2005-02-03 13:31:52 EST
Ok, I applied all the latest updates and the problem still persists.
Should I try to relabel the system again? First time I did it, it
didn't help.

# rpm -q kernel-smp
kernel-smp-2.6.10-1.760_FC3
# rpm -q squid
squid-2.5.STABLE7-1.FC3.1
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.75

#######################################################
Feb  3 10:23:46 stantz squid: Starting squid:
Feb  3 10:23:47 stantz squid[3616]: Squid Parent: child process 3618 started
Feb  3 10:23:47 stantz kernel: audit(1107455027.408:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.420:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.434:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/proc/bus/usb dev=usbfs ino=1556 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.448:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/dev/shm dev=tmpfs ino=5368 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.448:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.448:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.448:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=5410 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.448:0): avc:  denied  { search } for  pid=3618 exe=/usr/sbin/squid name=lib dev=sdb4 ino=960999 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_lib_t tclass=dir
Feb  3 10:23:47 stantz kernel: audit(1107455027.448:0): avc:  denied  { getattr } for  pid=3618 exe=/usr/sbin/squid path=/proc/fs/nfsd dev=nfsd ino=7438 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
Feb  3 10:23:48 stantz squid: .
Feb  3 10:23:48 stantz squid: ESC[60G
Feb  3 10:23:48 stantz squid:
Feb  3 10:23:48 stantz rc: Starting squid:  succeeded
#######################################################
Comment 6 Daniel Walsh 2005-02-03 13:35:22 EST
Yes
Comment 7 Florin Andrei 2005-02-03 14:20:43 EST
No workie. :-(

################################################
Feb  3 11:02:41 stantz squid: Starting squid:
Feb  3 11:02:42 stantz squid[3645]: Squid Parent: child process 3647 started
Feb  3 11:02:42 stantz kernel: audit(1107457362.434:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.445:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.458:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/proc/bus/usb dev=usbfs ino=1575 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.471:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/dev/shm dev=tmpfs ino=5390 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.486:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.502:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.502:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=5900 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.502:0): avc:  denied  { search } for  pid=3647 exe=/usr/sbin/squid name=lib dev=sdb4 ino=960999 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_lib_t tclass=dir
Feb  3 11:02:42 stantz kernel: audit(1107457362.502:0): avc:  denied  { getattr } for  pid=3647 exe=/usr/sbin/squid path=/proc/fs/nfsd dev=nfsd ino=7556 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
Feb  3 11:02:43 stantz squid: .
Feb  3 11:02:43 stantz squid: ESC[60G
Feb  3 11:02:43 stantz squid:
################################################
Comment 8 Sitsofe Wheeler 2005-02-03 15:41:54 EST
Is there anything special about your setup? Is it a "real" computer or is it
some sort of emulation?
Comment 9 Florin Andrei 2005-02-03 16:08:20 EST
Good old 2xPIII, SCSI, old NVidia card, I just installed FC3 a while ago,
applied all updates via yum, installed a few packages from freshrpms, dag and
atrpms, kept it updated via yum regularly...
Nothing special, really.
Comment 10 Daniel Walsh 2005-02-03 16:34:42 EST
These look pretty harmless.  Must be something about the config.

If you look at audit2allow

allow squid_t binfmt_misc_fs_t:dir getattr;
allow squid_t default_t:dir getattr;
allow squid_t nfsd_fs_t:dir getattr;
allow squid_t tmpfs_t:dir getattr;
allow squid_t usbfs_t:dir getattr;
allow squid_t var_lib_t:dir search;
allow squid_t var_spool_t:dir getattr;

Which looks like squid is searching some directories for something.
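
The allow lines above are what audit2allow prints once it has collapsed every denial with the same source type, target type and object class into one rule. The following Python script is an added illustration for this report, not part of the bug and not the audit2allow tool itself: it performs that same reduction over the AVC records quoted in this bug (rejoined onto single lines) and, in addition, compares the 14 January run with the 19 January run taken after the relabel. That comparison shows what touch /.autorelabel actually changed: /var/cyrus and /var/squid stop producing denials once they carry a proper label, while /vmware moves from file_t (never labelled) to default_t (labelled, but no file_contexts entry matches that path). The names audit2allow, target_labels and relabel_effect are chosen here and are not Fedora's. The rules it prints are a triage summary of what squid stat()ed, not a policy module to load; the label map is the more useful output for a policy maintainer, since it names the mount points the file contexts never covered.

```python
"""Re-create audit2allow's summary from the AVC denials quoted in this bug.

Added example for this report; it is neither the reporter's nor the maintainer's
code and it is not the real audit2allow. It only reads the syslog text above.
"""
import re
from collections import defaultdict

# Syslog "audit(...)" AVC format emitted by the 2.6.10 kernel in this report.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Records from the Description (14 Jan, before the relabel), one per line.
BEFORE_RELABEL = """\
Jan 14 10:01:46 stantz squid: Starting squid:
Jan 14 10:01:47 stantz kernel: audit(1105725707.536:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/cyrus dev=sda5 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.548:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.562:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/squid dev=sda6 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.577:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:file_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.577:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/proc/bus/usb dev=usbfs ino=1570 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:usbfs_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/dev/shm dev=tmpfs ino=5349 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=5391 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { search } for  pid=3770 exe=/usr/sbin/squid name=lib dev=sdb4 ino=960999 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 14 10:01:47 stantz kernel: audit(1105725707.578:0): avc:  denied  { getattr } for  pid=3770 exe=/usr/sbin/squid path=/proc/fs/nfsd dev=nfsd ino=7764 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
"""

# Records from Comment 4 (19 Jan, after touch /.autorelabel + reboot), one per line.
AFTER_RELABEL = """\
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/var/spool dev=sda3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_spool_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/vmware dev=sdb2 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:default_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/proc/bus/usb dev=usbfs ino=1550 scontext=root:system_r:squid_t tcontext=system_u:object_r:usbfs_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.115:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/dev/shm dev=tmpfs ino=5330 scontext=root:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.116:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/proc/sys/fs/binfmt_misc dev=binfmt_misc ino=64290 scontext=root:system_r:squid_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.116:0): avc:  denied  { search } for  pid=5088 exe=/usr/sbin/squid name=lib dev=sdb4 ino=960999 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 19 09:59:12 stantz kernel: audit(1106157552.116:0): avc:  denied  { getattr } for  pid=5088 exe=/usr/sbin/squid path=/proc/fs/nfsd dev=nfsd ino=65878 scontext=root:system_r:squid_t tcontext=system_u:object_r:nfsd_fs_t tclass=dir
"""


def parse_avc(line):
    """Return the permission list and key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def type_of(context):
    """user:role:type -> type; a TE allow rule only looks at the type field."""
    return context.split(":")[2]


def audit2allow(log):
    """Collapse denials into 'allow <src> <tgt>:<class> <perms>;' lines, the way audit2allow does."""
    wanted = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        wanted[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        shown = next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {shown};")
    return rules


def target_labels(log):
    """Map each denied path to the type SELinux found on it (file_t = never labelled)."""
    labels = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None and "path" in rec:  # 'search' records carry name=, not path=
            labels[rec["path"]] = type_of(rec["tcontext"])
    return labels


def relabel_effect(before, after):
    """Paths that stopped being denied, and paths whose label changed, between two runs."""
    b, a = target_labels(before), target_labels(after)
    gone = sorted(p for p in b if p not in a)
    changed = {p: (b[p], a[p]) for p in b if p in a and a[p] != b[p]}
    return gone, changed


if __name__ == "__main__":
    for rule in audit2allow(AFTER_RELABEL):
        print(rule)
    gone, changed = relabel_effect(BEFORE_RELABEL, AFTER_RELABEL)
    print("no longer denied after relabel:", gone)
    print("label changed by relabel:", changed)
```

Run with no arguments it prints the same seven rules listed in this comment, then the two relabel differences (/var/cyrus and /var/squid gone from the denials, /vmware re-typed from file_t to default_t).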

Comment 11 Tim Powers 2005-06-09 09:06:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html
