Bug 150465 - squid -v outputs nothing if logged on pts
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
medium Severity low
Assigned To: Daniel Walsh
Reported: 2005-03-07 08:04 EST by JuanJo Ciarlante
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-04-21 12:21:16 EDT

Description JuanJo Ciarlante 2005-03-07 08:04:17 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6)
Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2

Description of problem:
If logged in on a pts (e.g. xterm, ssh), "squid -v" outputs nothing
(it should output version and ./configure information).
AVC messages don't appear because of the squid.te dontaudit rule.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. (using a little customized policy src), i.e.:
   make -C /etc/selinux/targeted/src/policy reload
1. Open an xterm or log in via ssh
2. run /usr/sbin/squid -v
3. dmesg | tail -1

Actual Results:  2. no output
3. no avc related msgs

Expected Results:  Something like this:
Squid Cache: Version 2.5.STABLE8
configure options:  --build=i386-redhat-linux --host=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr ...
... a lot of configure options ...

Additional info:

* Workaround: 
   squid -v | cat

* Patch (selinux-policy-targeted-sources-1.17.30-2.83):
--- domains/program/squid.te.dist       2005-03-06 22:13:15.000000000
+++ domains/program/squid.te    2005-03-06 22:12:39.000000000 -0300
@@ -39,6 +39,7 @@
 allow squid_t sysctl_kernel_t:file read;

 allow squid_t devtty_t:chr_file rw_file_perms;
+allow squid_t devpts_t:chr_file rw_file_perms;

 allow squid_t { self proc_t }:file { read getattr };
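
Review bot: On the added `allow squid_t devpts_t:chr_file rw_file_perms;` line, the `rw_file_perms` macro gives squid_t its full read/write permission set on every character device labelled devpts_t, which is more than printing `squid -v` output should need. Suggest listing the smallest explicit set that restores the output (for example `{ read write }`) and noting in the patch description why read is required; the unchanged devtty_t line just above uses the same macro and deserves the same narrowing. Because the squid.te dontaudit rule hides the denials, the chosen set has to be justified by testing, not by the AVC log.
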
Comment 1 Daniel Walsh 2005-03-07 13:33:53 EST
+allow squid_t devpts_t:chr_file rw_file_perms;  

This is a potentially dangerous rule, and the previous line probably
should be removed also.

If you change it to 

allow squid_t devtty_t:chr_file write;
allow squid_t devpts_t:chr_file write;

Does it work?


Comment 2 JuanJo Ciarlante 2005-03-08 09:43:44 EST
Nope; write is not sufficient.

I started from rw_file_perms down to this minimum:
  allow squid_t devpts_t:chr_file { read write };
to get squid -v output again.

Comment 3 Daniel Walsh 2005-04-21 12:21:16 EDT
OK, this is fixed in Rawhide: unconfined_t no longer transitions to squid_t, so
it will run in the unconfined domain and have this priv.
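
A least-privilege check for the rules debated in comments 1 and 2, as an added example that is not part of the bug report or of the Fedora policy: it lists which permissions an `allow` rule grants a domain on the terminal device types beyond the `{ read write }` that comment 2 reports as sufficient. The expansion of `rw_file_perms` and the helper names (`names`, `perms`, `audit`) are assumptions made for this example.

```python
import re

# Assumed expansion of the rw_file_perms macro (not shown on the page);
# confirm it against the macro definitions shipped with your policy sources.
MACROS = {"rw_file_perms": {"ioctl", "read", "getattr", "lock", "write", "append"}}
TTY_TYPES = {"devpts_t", "devtty_t"}  # terminal device types named in the thread

# allow <source> <target>:<class> <perms>;  (each field may be a { ... } set)
RULE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:{]+)\s*:\s*"
    r"(\{[^}]*\}|[^\s{]+)\s+(\{[^}]*\}|[^\s;{]+)\s*;"
)

def names(token):
    """Split 'a' or '{ a b }' into a set of names."""
    return set(token.strip("{} ").split())

def perms(token):
    """Expand permission macros into concrete permissions."""
    out = set()
    for p in names(token):
        out |= MACROS.get(p, {p})
    return out

def audit(policy_text, domain, needed):
    """Return (line_no, target_type, excess_perms) for each rule that gives
    `domain` more than `needed` on a terminal chr_file type."""
    findings = []
    for no, line in enumerate(policy_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        src, tgt, cls, prm = m.groups()
        if domain not in names(src) or "chr_file" not in names(cls):
            continue
        excess = sorted(perms(prm) - needed)
        if excess:
            findings.extend((no, t, excess) for t in sorted(names(tgt) & TTY_TYPES))
    return findings

# Constructed sample: the two rules from the patched squid.te, the narrowed
# rule from comment 2, and an unrelated rule that must be ignored.
SAMPLE = """\
allow squid_t devtty_t:chr_file rw_file_perms;
allow squid_t devpts_t:chr_file rw_file_perms;
allow squid_t devpts_t:chr_file { read write };
allow squid_t { self proc_t }:file { read getattr };
"""

if __name__ == "__main__":
    print(audit(SAMPLE, "squid_t", {"read", "write"}))
```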
