Bug 1498809 - Squid fails to start: denied map on /dev/shm/squid-cf__metadata.shm
Summary: Squid fails to start: denied map on /dev/shm/squid-cf__metadata.shm
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-05 10:07 UTC by Matthew Booth
Modified: 2017-11-28 23:55 UTC (History)
CC List: 2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-11-28 23:55:00 UTC
Type: Bug
Embargoed:



Description Matthew Booth 2017-10-05 10:07:07 UTC
Description of problem:
Squid fails to start. Service status shows:

Oct 05 10:43:42 workstation.marston squid[9300]: Ipc::Mem::Segment::attach failed to mmap(/squid-cf__metadata.shm): (13) Permission denied

audit.log contains:

type=AVC msg=audit(1507196622.502:322): avc:  denied  { map } for  pid=9300 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=111601 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_tmpfs_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
squid-4.0.21-1.fc27.x86_64
selinux-policy-targeted-3.13.1-283.4.fc27.noarch

How reproducible:
100% on my system, freshly upgraded to F27 from F26, where squid was working fine.


Steps to Reproduce:

squid.conf is almost stock. The only significant difference is this stanza:

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 16000 16 256 max-size=8589934592
maximum_object_size 8192 MB

Additional information:

The following policy, auto-generated by audit2allow, allows squid to start:

policy_module(squid-local, 1.0)

require {
	type squid_t;
	type squid_tmpfs_t;
	class file map;
}

#============= squid_t ==============
allow squid_t squid_tmpfs_t:file map;

Comment 1 Richi Plana 2017-11-15 17:50:25 UTC
Came to report the same bug and saw this. Unfortunately, something is preventing me from applying the WA:

[root@legacy ~]# semodule -i squid.pp
libsemanage.semanage_direct_install_info: Overriding squid module at lower priority 100 with module at priority 400.
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/squid/cil:1
semodule:  Failed!

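Added example, not code from the bug report or from the Fedora selinux-policy package, covering both the audit2allow workaround in the description and the failed install in Comment 1: a shell script that turns AVC records into a local policy module, checks the module name against the installed list so it cannot shadow the distribution's own squid module, and compiles and loads it only when the policy toolchain is present. The AVC record is the one quoted in the description; the module name squid_shm_local and the list of installed modules are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Fedora policy package.
# Turns AVC denial records into a local SELinux policy module whose name does
# not collide with an installed module, then builds and loads it when the
# policy toolchain is available. Module name "squid_shm_local" and the sample
# module list below are assumptions of this example.

# Sample input: the AVC record quoted in the bug description (copied verbatim).
SAMPLE_AVC='type=AVC msg=audit(1507196622.502:322): avc:  denied  { map } for  pid=9300 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=111601 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_tmpfs_t:s0 tclass=file permissive=0'

# Constructed stand-in for the output of `semodule --list-modules=full`
# (priority, name, language); used so the name check can run offline.
SAMPLE_MODULES='100 squid pp
100 apache pp
400 my_other_local pp'

# avc_to_te NAME: read AVC records on stdin and print a complete .te module
# source in the "module NAME 1.0;" syntax that checkmodule compiles directly.
# Denials with the same source type, target type and class are merged into
# one allow rule; the require block lists every type and class referenced.
avc_to_te() {
    awk -v name="$1" '
    /avc: *denied/ {
        match($0, /[{] [^}]* [}]/);  perms = substr($0, RSTART + 2, RLENGTH - 4)
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        src = s[3]; tgt = t[3]                  # third field of a context is the type
        if (!(src in tseen)) { tseen[src] = 1; torder[++nt] = src }
        if (!(tgt in tseen)) { tseen[tgt] = 1; torder[++nt] = tgt }
        if (!(cls in kseen)) { kseen[cls] = 1; corder[++nc] = cls }
        key = src " " tgt ":" cls
        if (!(key in rseen)) { rseen[key] = 1; rorder[++nr] = key }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++) {
            if (!((cls ":" p[i]) in cpseen)) { cpseen[cls ":" p[i]] = 1; cperms[cls] = cperms[cls] " " p[i] }
            if (!((key "/" p[i]) in rpseen)) { rpseen[key "/" p[i]] = 1; rperms[key] = rperms[key] " " p[i] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], cperms[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s {%s };\n", rorder[i], rperms[rorder[i]]
    }'
}

# module_name_ok NAME LIST: succeed only when NAME is not already an installed
# module. `semodule -i` loads at priority 400; a module with the same name as
# a lower-priority one overrides it instead of adding to it, so a local module
# called "squid" hides the distribution's squid module and its own require on
# squid_t can no longer resolve. That is the failure shown in Comment 1.
module_name_ok() {
    printf '%s\n' "$2" | awk -v n="$1" '$2 == n { found = 1 } END { exit found ? 1 : 0 }'
}

# build_and_load NAME: refuse a colliding name, generate NAME.te from the audit
# log (or from the sample record when ausearch is absent), then compile and
# load. Each tool is optional so the script is readable and runnable on a
# machine without SELinux userspace.
build_and_load() {
    name=$1
    if command -v semodule >/dev/null 2>&1; then
        module_name_ok "$name" "$(semodule --list-modules=full)" ||
            { echo "$name is already an installed module; pick another name" >&2; return 1; }
    fi
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -c squid 2>/dev/null | avc_to_te "$name" > "$name.te"
    else
        printf '%s\n' "$SAMPLE_AVC" | avc_to_te "$name" > "$name.te"
    fi
    command -v checkmodule >/dev/null 2>&1 ||
        { echo "checkmodule not found; wrote $name.te only" >&2; return 0; }
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" &&
        semodule -i "$name.pp"
}

# Run the whole procedure only when asked; defining the functions has no side effect.
if [ "${1:-}" = "--apply" ]; then
    build_and_load squid_shm_local
fi
```

Run it as `sh squid-shm.sh --apply` on the affected host to generate, compile and load the module under a name that does not clash with the shipped one; both the distribution's squid module and the local one then stay active. After installing selinux-policy-3.13.1-283.17.fc27 (Comments 2 to 4) the local module can be removed with `semodule -r squid_shm_local`, and `sesearch --allow -s squid_t -t squid_tmpfs_t -c file -p map` (from setools) confirms whether the shipped policy already grants the permission.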
Comment 2 Fedora Update System 2017-11-22 08:56:47 UTC
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 3 Fedora Update System 2017-11-22 21:42:09 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 4 Fedora Update System 2017-11-28 23:55:00 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

