Bug 166269 - SELinux blocks Squid's sasl_auth module from contacting saslauthd
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-08-18 10:25 EDT by Aleksandar Milivojevic
Modified: 2007-11-30 17:07 EST
Fixed In Version: u2
Doc Type: Bug Fix
Last Closed: 2005-10-12 14:15:02 EDT
Description Aleksandar Milivojevic 2005-08-18 10:25:32 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050721 CentOS/1.0.6-1.4.1.centos4 Firefox/1.0.6

Description of problem:
I've configured squid to check passwords using SASL like this:

# grep 'sasl_auth' /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/sasl_auth

# cat /usr/lib/sasl2/squid_sasl_auth.conf
pwcheck_method: saslauthd

However, SELinux is blocking Squid's sasl_auth module from connecting to saslauthd's socket:

Aug 17 15:51:09 t112 kernel: audit(1124311869.679:0): avc:  denied  { write } for  pid=6417 comm=sasl_auth name=mux dev=dm-3 ino=180280 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure squid and sasl_auth as described above

Additional info:
Comment 1 Aleksandar Milivojevic 2005-08-18 10:38:28 EDT
Just a small note.  sasl_auth is not a "loadable module".  It is a stand-alone
helper application (runs as a separate process, started by Squid).  So it is
sufficient for the sasl_auth process to have access to saslauthd's socket.  Squid
itself does not need access to it.
Comment 2 Daniel Walsh 2005-09-27 15:46:17 EDT
Fixed in U2.
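
A triage sketch for denials like the one in the description, added here and not part of the original bug report or of any Red Hat tooling: it parses AVC lines and groups them by source type, target type, object class and permission, keeping the denied command and object name so the helper process can be told apart from Squid itself. The first sample line is the denial quoted in the description; the repeated denial and the non-AVC line are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the report; the other two are constructed.
SAMPLE_LOG = """\
Aug 17 15:51:09 t112 kernel: audit(1124311869.679:0): avc:  denied  { write } for  pid=6417 comm=sasl_auth name=mux dev=dm-3 ino=180280 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file
Aug 17 15:51:10 t112 squid[6410]: constructed non-AVC line, ignored by the parser
Aug 17 15:52:41 t112 kernel: audit(1124311961.102:0): avc:  denied  { write } for  pid=6431 comm=sasl_auth name=mux dev=dm-3 ino=180280 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in fields.items()}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    fields["perms"] = m.group("perms").split()
    # SELinux contexts are user:role:type (optionally followed by an MLS range).
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields


def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "names": set()})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        for perm in avc["perms"]:
            key = (avc["source_type"], avc["target_type"], avc["tclass"], perm)
            groups[key]["count"] += 1
            groups[key]["comms"].add(avc.get("comm", "?"))
            groups[key]["names"].add(avc.get("name", "?"))
    return dict(groups)


if __name__ == "__main__":
    for (src, tgt, cls, perm), g in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }} x{g['count']} "
              f"comm={sorted(g['comms'])} name={sorted(g['names'])}")
```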
