/mnt/cache1 is a reiserfs partition.

squid.conf:
cache_dir ufs /mnt/cache1 4000 16 256

# ls -Zd /mnt/cache1
drwxr-xr-x squid squid system_u:object_r:squid_cache_t /mnt/cache1
# ls -Zd /mnt/cache1/00
drwxr-xr-x squid squid /mnt/cache1/00

Squid cannot start. /var/log/squid/cache.log:
/mnt/cache1: (13) Permission denied

/var/log/messages:
kernel: audit(1109525545.287:0): avc: denied { getattr } for pid=3373 exe=/usr/sbin/squid path=/mnt/cache1 dev=hda6 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfs_t tclass=dir

Where is nfs_t coming from? Could it be that all files in /mnt/cache1 get it by default? The system is fully updated as of today.
Not sure, but I know that reiserfs is not supported with SELinux at the current time. There are many bugs in its handling of Extended Attributes. Dan
You probably misunderstood. Yes, I know that reiserfs is not supported with SELinux. But I showed that the reiserfs partition doesn't have EAs at all:

# ls -Zd /mnt/cache1/00
drwxr-xr-x squid squid /mnt/cache1/00

Directory 00 on the reiserfs partition does not have any SELinux attributes. And I showed that I changed the type to squid_cache_t for /mnt/cache1, i.e. the mountpoint. So the question is: why doesn't squid work on a filesystem which does not have ANY SELinux attributes?
Do you have nfs running on this machine? Or is the kernel/reiserfs getting confused? James do you have any ideas?
No nfs running.
Which tells me the kernel/reiser is very confused. So this is not a policy problem...
(In reply to comment #3)
> James do you have any ideas?

Does the policy contain a line like this:

genfscon reiserfs / system_u:object_r:nfs_t
Excellent catch. Yes, that is what's causing the nfs. Sorry I missed it, but if he is mounting with a context, why is nfs_t still showing up?

Dan
(In reply to comment #7)
> Excellent catch. Yes that is whats causing the nfs. Sorry I missed it but if
> he is mounting with a context why is nfs_t still showing up?

I don't think it's a context mount; it was just the first thing I came up with to check.
Nerijus, could you try to mount the /mnt/cache1 directory with fscontext=system_u:object_r:squid_cache_t:

mount -t reiserfs -o fscontext=system_u:object_r:squid_cache_t /dev/ABC /mnt/cache1
I don't mount with a context, I just changed the SELinux attribute of the mount point (as otherwise squid was not able to access /mnt/cache1; btw, I had to change the type to squid_cache_t for /mnt also).

/etc/fstab:
/dev/hda6 /mnt/cache1 reiserfs defaults 0 0

Any ideas how to use reiserfs for the squid cache? Should changing nfs_t to squid_cache_t in

genfscon reiserfs / system_u:object_r:nfs_t

help?
# mount
/dev/hda6 on /mnt/cache1 type reiserfs (rw,fscontext=system_u:object_r:squid_cache_t)

Still no go:

kernel: audit(1109609802.473:0): avc: denied { associate } for pid=4340 exe=/usr/sbin/squid name=00 scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
squid: Failed to make swap directory /mnt/cache1/00: (13) Permission denied

BTW, I cannot even create a file as root:

# touch /mnt/cache1/aa
touch: cannot touch `/mnt/cache1/aa': Permission denied
kernel: audit(1109610143.996:0): avc: denied { associate } for pid=4436 exe=/bin/touch name=aa scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
Ok, you are going to need a rule:

allow squid_cache_t self:filesystem associate;

Dan
I added to domains/misc/local.te:

allow squid_cache_t self:filesystem { associate };

and ran make reload. Squid starts, but I see in cache.log:

Rebuilding storage in /mnt/cache1 (DIRTY)
/mnt/cache1: (13) Permission denied
...
Done scanning /mnt/cache1 swaplog (0 entries)

/var/log/messages:
kernel: audit(1109611258.279:0): avc: denied { getattr } for pid=4871 exe=/usr/sbin/squid name=/ dev=hda6 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
You should use context= instead of fscontext=
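The thread above walks through three AVC denials (getattr on a dir labelled nfs_t, associate on the squid_cache_t filesystem, getattr on the filesystem itself) and the allow rule Dan derived for one of them. The following is an added example, not code from the bug report or from the SELinux project: a minimal audit2allow-style converter in POSIX sh that turns AVC denial lines into the allow rules they imply, so the rule a denial is asking for can be read off before deciding whether it belongs in local.te. The sample input is the four kernel lines quoted in the comments above, copied verbatim into a variable rather than read from a live system; the function and variable names are this example's own. The real tool for this job is audit2allow from policycoreutils.

```shell
#!/bin/sh
# Added example (not from the bug thread): a minimal audit2allow-style
# converter. It parses kernel AVC denial lines and prints the allow rule
# each one implies. Requires only POSIX sh, sed, cut and sort.

# Sample input: the four AVC lines quoted in this thread (constructed by
# copying them from the comments above, not read from a live system).
SAMPLE_AVC='kernel: audit(1109525545.287:0): avc: denied { getattr } for pid=3373 exe=/usr/sbin/squid path=/mnt/cache1 dev=hda6 ino=2 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:nfs_t tclass=dir
kernel: audit(1109609802.473:0): avc: denied { associate } for pid=4340 exe=/usr/sbin/squid name=00 scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
kernel: audit(1109610143.996:0): avc: denied { associate } for pid=4436 exe=/bin/touch name=aa scontext=root:object_r:squid_cache_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem
kernel: audit(1109611258.279:0): avc: denied { getattr } for pid=4871 exe=/usr/sbin/squid name=/ dev=hda6 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:squid_cache_t tclass=filesystem'

# ctx_type CONTEXT: print the type field, i.e. the third colon-separated
# field of a user:role:type[:level] security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow: read AVC lines on stdin and print one deduplicated
# "allow SOURCE TARGET:CLASS { PERMS };" line per distinct denial.
# When source and target types are equal, the target is written as
# "self", which is the form Dan used for the associate denial.
avc_to_allow() {
    sed -n 's/.*avc: *denied *{\([^}]*\)}.*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\1|\2|\3|\4/p' |
    while IFS='|' read -r perms scon tcon tclass; do
        set -- $perms                 # normalise whitespace in the permission list
        perms=$*
        stype=$(ctx_type "$scon")
        ttype=$(ctx_type "$tcon")
        [ "$stype" = "$ttype" ] && ttype=self
        printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
    done | LC_ALL=C sort -u
}

# Stand-alone run: print the rules implied by the sample denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Note that the output is only a description of what was denied, not a recommendation: the first rule it prints for this thread (squid_t reading nfs_t directories) would paper over the real problem, which the thread traces to the genfscon line labelling every reiserfs inode as nfs_t.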