Bug 163143 - Squid does not start when /usr/bin/ntlm_auth is used for NTLM authentication
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-07-13 10:04 EDT by Jirka Pech
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.25.2-4
Doc Type: Bug Fix
Last Closed: 2005-08-19 09:10:47 EDT
Description Jirka Pech 2005-07-13 10:04:01 EDT
Description of problem:
If I use the ntlm_auth winbind helper for Squid to support NTLM authentication, I
get these messages in the audit log (after setting enforce to 0):

type=SELINUX_ERR msg=audit(1121261809.389:921981): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read write } for 
pid=25466 comm="ntlm_auth" name=[315468] dev=sockfs ino=315468
scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t
tclass=tcp_socket
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read append } for 
pid=25466 comm="ntlm_auth" name=cache.log dev=sda5 ino=448451
scontext=root:system_r:winbind_helper_t tcontext=root:object_r:squid_log_t
tclass=file
type=SYSCALL msg=audit(1121261809.389:921981): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c995b8 a3=400 items=2 pid=25466
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=AVC_PATH msg=audit(1121261809.389:921981):  path="/var/log/squid/cache.log"
type=AVC_PATH msg=audit(1121261809.389:921981):  path="socket:[315468]"
type=PATH msg=audit(1121261809.389:921981): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.389:921981): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.411:923434): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.411:923434): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c97518 a3=400 items=2 pid=25465
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.411:923434): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.411:923434): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.432:924714): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.432:924714): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c9b658 a3=400 items=2 pid=25467
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.432:924714): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.432:924714): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.460:925960): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.460:925960): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c9d6f8 a3=400 items=2 pid=25468
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.460:925960): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.460:925960): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SELINUX_ERR msg=audit(1121261809.470:927143): security_compute_sid: 
invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process
type=SYSCALL msg=audit(1121261809.470:927143): arch=40000003 syscall=11
success=yes exit=0 a0=8c882f8 a1=bfb7a184 a2=8c9f798 a3=400 items=2 pid=25469
auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23
comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=PATH msg=audit(1121261809.470:927143): item=0 name="/usr/bin/ntlm_auth"
inode=488268 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1121261809.470:927143): item=1 inode=129520 dev=08:03
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1121261810.017:927486): avc:  denied  { getattr } for 
pid=25465 comm="ntlm_auth" name=[315465] dev=sockfs ino=315465
scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t
tclass=tcp_socket
type=SYSCALL msg=audit(1121261810.017:927486): arch=40000003 syscall=197
success=yes exit=0 a0=0 a1=bfbf117c a2=3bbff4 a3=0 items=0 pid=25465 auid=0
uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 comm="ntlm_auth"
exe="/usr/bin/ntlm_auth"
type=AVC_PATH msg=audit(1121261810.017:927486):  path="socket:[315465]"

Also I have this output in /var/log/messages (enforce set to 1):
Jul 13 15:10:30 proxy squid[24695]: Squid Parent: child process 24697 started
Jul 13 15:10:31 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:31 proxy squid[24695]: Squid Parent: child process 24697 exited due
to signal 6
Jul 13 15:10:34 proxy squid[24695]: Squid Parent: child process 24729 started
Jul 13 15:10:35 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:35 proxy squid[24695]: Squid Parent: child process 24729 exited due
to signal 6
Jul 13 15:10:38 proxy squid[24695]: Squid Parent: child process 24759 started
Jul 13 15:10:38 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:38 proxy squid[24695]: Squid Parent: child process 24759 exited due
to signal 6
Jul 13 15:10:41 proxy squid[24695]: Squid Parent: child process 24788 started
Jul 13 15:10:42 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:42 proxy squid[24695]: Squid Parent: child process 24788 exited due
to signal 6
Jul 13 15:10:45 proxy squid[24695]: Squid Parent: child process 24817 started
Jul 13 15:10:45 proxy (squid): The ntlmauthenticator helpers are crashing too
rapidly, need help!
Jul 13 15:10:45 proxy squid[24695]: Squid Parent: child process 24817 exited due
to signal 6
Jul 13 15:10:45 proxy squid[24695]: Exiting due to repeated, frequent failures

This is probably a policy problem, because everything was working fine before
the policy yum auto-update during the week and the squid restart today.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-1

How reproducible:
Every time.

Steps to Reproduce:
1. Install squid on an FC4 box with SELinux enforcing enabled and edit the config
file to include:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 10
auth_param ntlm children 5
 
2. Start squid.
  
Actual results:
Squid exits because it can't start ntlm helper children and errors are logged.

Expected results:
Normal squid startup.

Additional info:
There are some local policy rules in place, which were needed to run Squid with
NTLM support (in a fresh FC4 installation):

# samba
allow squid_t port_t:tcp_socket                 { name_connect };
allow squid_t samba_etc_t:dir                   { search read };
allow squid_t samba_etc_t:file                  { getattr read };
allow squid_t samba_var_t:dir                   { search read };
allow squid_t samba_var_t:file                  { getattr read };

# winbind
allow squid_t winbind_var_run_t:dir             { getattr read search };
allow squid_t winbind_var_run_t:file            { getattr read };
allow squid_t winbind_var_run_t:sock_file       { getattr write };
allow squid_t winbind_t:unix_stream_socket      { connectto };
Comment 1 Daniel Walsh 2005-07-13 10:48:41 EDT
Something went wrong with your update???

Do you have selinux-policy-targeted-sources installed?

If yes, could you do a

cd /etc/selinux/targeted/src/policy
make load

and then try again.

Comment 2 Jirka Pech 2005-07-13 11:14:18 EDT
I don't know of anything that went wrong during the update.

Yes, I have the sources installed and I already did a policy build and reload before
restarting squid, because I have some custom rules.
So, I can handle local directory relocations and file TE settings by customizing
the local policy, but what I really don't understand is why winbind is not allowed
to read/write/getattr the socket, and the worst thing of all is

security_compute_sid: invalid context root:system_r:winbind_helper_t for
scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t
tclass=process

which I really don't understand at all. I suppose that squid_t wants to transition
to the winbind_helper_exec_t domain, but I'm not sure why. And when I rolled back to
selinux-policy-targeted-1.24-3, everything works fine again.
Comment 3 Daniel Walsh 2005-07-13 11:27:16 EDT
Does adding

role system_r type winbind_helper_t

to winbind.te fix the problem?
Comment 4 Jirka Pech 2005-07-13 12:07:05 EDT
Yes, it fixed the invalid context error on transition, but it should be "types" not
"type".

role system_r types winbind_helper_t

Have you removed these from 1.25.2-1 (this is the audit2allow output after a squid
restart with the fixed role types)?

allow winbind_helper_t squid_t:tcp_socket { read getattr write };
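
The audit records in the Description and the audit2allow rule quoted in Comment 4 can be reproduced with a small parser. The following Python script is an added example, not part of this bug report and not a Fedora or SELinux tool: it extracts the `avc: denied` records and merges them into allow rules, and it recognizes the `security_compute_sid: invalid context` record and prints the `role ... types ...` declaration that Comment 4 confirms fixes it. The sample records are constructed from the ones in the Description (joined onto single lines, as auditd writes them); the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample (example's own data): records shaped like those in the
# Description, each on one line as auditd writes them.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(1121261809.389:921981): security_compute_sid: invalid context root:system_r:winbind_helper_t for scontext=root:system_r:squid_t tcontext=system_u:object_r:winbind_helper_exec_t tclass=process
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read write } for pid=25466 comm="ntlm_auth" name=[315468] dev=sockfs ino=315468 scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t tclass=tcp_socket
type=AVC msg=audit(1121261809.389:921981): avc:  denied  { read append } for pid=25466 comm="ntlm_auth" name=cache.log dev=sda5 ino=448451 scontext=root:system_r:winbind_helper_t tcontext=root:object_r:squid_log_t tclass=file
type=SYSCALL msg=audit(1121261809.389:921981): arch=40000003 syscall=11 success=yes exit=0 pid=25466 comm="ntlm_auth" exe="/usr/bin/ntlm_auth"
type=AVC msg=audit(1121261810.017:927486): avc:  denied  { getattr } for pid=25465 comm="ntlm_auth" name=[315465] dev=sockfs ino=315465 scontext=root:system_r:winbind_helper_t tcontext=root:system_r:squid_t tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
SELINUX_ERR_RE = re.compile(
    r"type=SELINUX_ERR .*?invalid context (?P<ctx>\S+) for "
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)


def context_fields(ctx):
    """Split user:role:type[:range] into its named parts."""
    user, role, typ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": typ}


def parse_avc_denials(text):
    """Return one dict per 'avc: denied' record found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "perms": set(m.group("perms").split()),
                "scontext": m.group("scon"),
                "tcontext": m.group("tcon"),
                "tclass": m.group("tclass"),
            })
    return denials


def allow_rules(denials):
    """Merge denials into type-enforcement allow rules, audit2allow style."""
    merged = defaultdict(set)
    for d in denials:
        key = (context_fields(d["scontext"])["type"],
               context_fields(d["tcontext"])["type"],
               d["tclass"])
        merged[key] |= d["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


def invalid_context_findings(text):
    """Explain security_compute_sid 'invalid context' records.

    On exec the kernel builds the new context from the transition rules; if
    the resulting role is not authorized for the resulting type, the context
    is invalid and the exec fails in enforcing mode. The missing piece is a
    'role <role> types <type>;' declaration in the policy."""
    findings, seen = [], set()
    for line in text.splitlines():
        m = SELINUX_ERR_RE.search(line)
        if not m:
            continue
        bad = context_fields(m.group("ctx"))
        key = (bad["role"], bad["type"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "role": bad["role"],
            "type": bad["type"],
            "source_type": context_fields(m.group("scon"))["type"],
            "exec_type": context_fields(m.group("tcon"))["type"],
            "suggested_declaration": f"role {bad['role']} types {bad['type']};",
        })
    return findings


if __name__ == "__main__":
    for f in invalid_context_findings(SAMPLE_AUDIT):
        print(f"{f['source_type']} -> {f['type']} via {f['exec_type']}: "
              f"missing {f['suggested_declaration']}")
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT)):
        print(rule)
```

Run against the sample it reports the missing `role system_r types winbind_helper_t;` declaration first, then the two merged rules, one of which is the `winbind_helper_t squid_t:tcp_socket` rule from Comment 4. Generated rules deserve review before they are loaded: the tcp_socket rule only makes sense because the helper inherits Squid's open socket descriptor across exec (the question Comment 5 raises), and if the parent marked that descriptor close-on-exec the helper domain would not need the permission at all.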

Comment 5 Daniel Walsh 2005-07-13 12:23:53 EDT
Did it work in enforcing mode?  Or does it need this rule?  This could just be a
bug in squid not closing the tcp_socket on exec of ntlm_auth?

Dan
Comment 6 Jirka Pech 2005-07-13 13:01:35 EDT
Yes, it works in enforcing mode.

I'm not sure, but I think that NTLM authentication needs keep-alive (proxy
server to domain controller) connection, so it is probably not a squid bug.
Comment 7 Jirka Pech 2005-07-14 06:21:39 EDT
I'm sorry Dan, I didn't respond to your second question. The rule is needed for
squid to work.

Jirka Pech
Comment 8 Daniel Walsh 2005-07-14 10:40:14 EDT
Fixed in selinux-policy-strict-1.25.2-4
Comment 9 Walter Justen 2005-08-19 09:10:47 EDT
Thanks for the bug report. This particular bug was fixed and an update package
was published for download. Please feel free to report any further bugs you find.
