Bug 150465 - squid -v outputs nothing if logged on pts
Summary: squid -v outputs nothing if logged on pts
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2005-03-07 13:04 UTC by JuanJo Ciarlante
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-04-21 16:21:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description JuanJo Ciarlante 2005-03-07 13:04:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6)
Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2

Description of problem:
If logged in on a pts (eg. xterm, ssh), "squid -v" outputs nothing 
(it should output version and ./configure information).
avc messages don't appear because of squid.te dontaudit rule.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. (using little customized policy src). ie: 
   make -C /etc/selinux/targeted/src/policy reload
1. Open an xterm or login via ssh
2. run /usr/sbin/squid -v
3. dmesg| tail -1

Actual Results:  2. no output
3. no avc related msgs

Expected Results:  Something like this:
Squid Cache: Version 2.5.STABLE8
configure options:  --build=i386-redhat-linux --host=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr ...
... alot of configure options ...

Additional info:

* Workaround: 
   squid -v | cat

* Patch (selinux-policy-targeted-sources-1.17.30-2.83):
--- domains/program/squid.te.dist       2005-03-06 22:13:15.000000000
+++ domains/program/squid.te    2005-03-06 22:12:39.000000000 -0300
@@ -39,6 +39,7 @@
 allow squid_t sysctl_kernel_t:file read;

 allow squid_t devtty_t:chr_file rw_file_perms;
+allow squid_t devpts_t:chr_file rw_file_perms;

 allow squid_t { self proc_t }:file { read getattr };

Comment 1 Daniel Walsh 2005-03-07 18:33:53 UTC
+allow squid_t devpts_t:chr_file rw_file_perms;  

This a potentially dangerous rule, and the previous line probably
should be removed also.

If you change it to 

allow squid_t devtty_t:chr_file write;
allow squid_t devpts_t:chr_file write;

Does it work?


Comment 2 JuanJo Ciarlante 2005-03-08 14:43:44 UTC
Nop; write it's not sufficient.

I started from rw_file_perms down to this minimun:
  allow squid_t devpts_t:chr_file { read write };
to get squid -v output again.

Comment 3 Daniel Walsh 2005-04-21 16:21:16 UTC
Ok This is fixed in Rawhide, unconfined_t no longer transitions to squid_t, so 
it will run in the unconfined domain and have this priv.

Note You need to log in before you can comment on or make changes to this bug.