Bug 149815 - squid doesn't start when spool is in a non selinux supported partition
squid doesn't start when spool is in a non selinux supported partition
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2005-02-27 12:46 EST by Nerijus Baliūnas
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-09-05 02:49:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Nerijus Baliūnas 2005-02-27 12:46:34 EST
/mnt/cache1 is reiserfs partition. squid.conf:
cache_dir ufs /mnt/cache1 4000 16 256
# ls -Zd /mnt/cache1 
drwxr-xr-x  squid    squid    system_u:object_r:squid_cache_t  /mnt/cache1
# ls -Zd /mnt/cache1/00                                                        
drwxr-xr-x  squid    squid                                     /mnt/cache1/00

Squid cannot start. /var/log/squid/cache.log:
/mnt/cache1: (13) Permission denied
kernel: audit(1109525545.287:0): avc:  denied  { getattr } for  pid=3373
exe=/usr/sbin/squid path=/mnt/cache1 dev=hda6 ino=2
scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfs_t tclass=dir

Where is nfs_t coming from? Could it be that all files in /mnt/cache1 get it by

System is fully updated as of today.
Comment 1 Daniel Walsh 2005-02-28 08:37:14 EST
Not sure, but I know that reiserfs is not supported with SELinux at the current
time.  There are many bugs in its handling of Extended Attributes.

Comment 2 Nerijus Baliūnas 2005-02-28 08:48:13 EST
You probably misunderstood. Yes, I know that reiserfs is not supported with
SELinux. But I showed that reiserfs partition doesn't have EAs at all:
# ls -Zd /mnt/cache1/00
drwxr-xr-x  squid    squid                    /mnt/cache1/00

Directory 00 in reiserfs partition does not have any SELinux attributes. And I
showed that I changed type to squid_cache_t for /mnt/cache1, i.e. a mountpoint.

So the question is - why squid doesn't work on a filesystem, which does not have
ANY SELinux attributes?
Comment 3 Daniel Walsh 2005-02-28 09:02:06 EST
Do you have nfs running on this machine?  Or is the kernel/reiserfs getting

James do you have any ideas?
Comment 4 Nerijus Baliūnas 2005-02-28 09:17:04 EST
No nfs running.
Comment 5 Daniel Walsh 2005-02-28 09:18:33 EST
Which tells me the kernel/reiser is very confused.  So this is not a policy
Comment 6 James Morris 2005-02-28 10:28:33 EST
(In reply to comment #3)
> James do you have any ideas?

Does the policy contain a line like this:

genfscon reiserfs /                     system_u:object_r:nfs_t
Comment 7 Daniel Walsh 2005-02-28 10:40:28 EST
Excellent catch.  Yes that is whats causing the nfs.  Sorry I missed it but if
he is mounting with a context why is nfs_t still showing up?

Comment 8 James Morris 2005-02-28 10:57:58 EST
(In reply to comment #7)
> Excellent catch.  Yes that is whats causing the nfs.  Sorry I missed it but if
> he is mounting with a context why is nfs_t still showing up?

I don't think it's a context mount, it was just the first idea thing I came up
with to check.
Comment 9 Daniel Walsh 2005-02-28 11:47:38 EST

Could you try to mount the /mnt/cache1 directory with 


mount -t reiserfs -o fscontext=system_u:object_r:squid_cache_t /dev/ABC /mnt/cache1
Comment 10 Nerijus Baliūnas 2005-02-28 11:50:03 EST
I don't mount with a context, I just changed SELinux attribute for a mount point
(as otherwise squid was not able to access /mnt/cache1; btw, I had to change
type to squid_cache_t for /mnt also). /etc/fstab:
/dev/hda6     /mnt/cache1       reiserfs defaults    0 0

Any ideas how to use reiserfs for squid cache? Changing nfs_t to squid_cache_t in
genfscon reiserfs /                     system_u:object_r:nfs_t
should help?
Comment 11 Nerijus Baliūnas 2005-02-28 12:05:27 EST
/dev/hda6 on /mnt/cache1 type reiserfs

Still no go:
kernel: audit(1109609802.473:0): avc:  denied  { associate } for  pid=4340
exe=/usr/sbin/squid name=00 scontext=root:object_r:squid_cache_t
tcontext=system_u:object_r:squid_cache_t tclass=filesystem
squid: Failed to make swap directory /mnt/cache1/00: (13) Permission denied

BTW, I even cannot create file as root:
# touch /mnt/cache1/aa
touch: cannot touch `/mnt/cache1/aa': Permission denied
kernel: audit(1109610143.996:0): avc:  denied  { associate } for  pid=4436
exe=/bin/touch name=aa scontext=root:object_r:squid_cache_t
tcontext=system_u:object_r:squid_cache_t tclass=filesystem
Comment 12 Daniel Walsh 2005-02-28 12:10:49 EST
Ok you are going to need a rule 

allow squid_cache_t self:filesystem associate;

Comment 13 Nerijus Baliūnas 2005-02-28 12:31:59 EST
I added to domains/misc/local.te
allow squid_cache_t self:filesystem { associate };
and ran make reload. Squid starts, but I see in cache.log:
Rebuilding storage in /mnt/cache1 (DIRTY)
/mnt/cache1: (13) Permission denied
Done scanning /mnt/cache1 swaplog (0 entries)

kernel: audit(1109611258.279:0): avc:  denied  { getattr } for  pid=4871
exe=/usr/sbin/squid name=/ dev=hda6 ino=2 scontext=root:system_r:squid_t
tcontext=system_u:object_r:squid_cache_t tclass=filesystem
Comment 14 Daniel Walsh 2005-05-12 14:11:55 EDT
You should use context= instead of fscontext=

Note You need to log in before you can comment on or make changes to this bug.