From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7) Gecko/20040616

Description of problem:
If an external ACL-File is configured like that:
acl blocked_domains dstdomain "/home/domains.txt"
it is ignored during the restart-process.

Version-Release number of selected component (if applicable):
squid-2.5.STABLE9-8

How reproducible:
Always

Steps to Reproduce:
1. Add acl blocked_domains dstdomain "/home/domains.txt"
2. /etc/init.d/squid restart

Actual Results: The external ACL-File is ignored

Expected Results: The external ACL-File should have been added to the configuration

Additional info:

/var/log/squid.out shows:
2005/09/15 12:01:41| strtokFile: /home/domains.txt not found
2005/09/15 12:01:41| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"
2005/09/15 12:02:13| strtokFile: /home/domains.txt not found
2005/09/15 12:02:13| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"

However, the file domains.txt exists and domains.txt and home have the correct rights:
# ll /home/domains.txt
-rw-r--r-- 1 root root 1104 15. Sep 11:37 /home/domains.txt
# ll / | grep home
drwxr-xr-x 6 root root 4096 15. Sep 12:06 home

Placing the domains.txt under / or under /etc/squid/ works.
Seems that SELinux gets the hand on it; in the audit.log I've found:
type=PATH msg=audit(1126778838.221:11646933): item=0 name="/home/domains.txt" flags=101 inode=5439489 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126778870.293:4650569): avc: denied { search } for pid=21036 comm="squid" name="home" dev=dm-0 ino=5439489 scontext=root:system_r:squid_t tcontext=system_u:object_r:home_root_t tclass=dir
Sure, the essential function of SELinux is disabling access to directories which aren't explicitly allowed for access.
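
The following is an added example, not part of the original bug report or of squid or SELinux themselves. It parses the two audit records quoted above, pairs the AVC denial with the PATH record for the same inode, and shows that the Unix mode bits permit the lookup while the SELinux type pair does not. The function names are hypothetical, and the DAC check assumes the squid process falls under the "other" permission class for the root-owned /home directory.

```python
import re

# The two audit records quoted in the report, copied verbatim.
AUDIT_LOG = '''\
type=PATH msg=audit(1126778838.221:11646933): item=0 name="/home/domains.txt" flags=101 inode=5439489 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126778870.293:4650569): avc: denied { search } for pid=21036 comm="squid" name="home" dev=dm-0 ino=5439489 scontext=root:system_r:squid_t tcontext=system_u:object_r:home_root_t tclass=dir
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    m = PERMS.search(line)
    if m:  # AVC records also carry a result and a permission set
        rec["result"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec

def type_of(context):
    """Return the type field (third component) of a user:role:type context."""
    return context.split(":")[2]

def other_can_search(mode_octal):
    """DAC view (assumption: caller is 'other'): execute bit set on the dir?"""
    return bool(int(mode_octal, 8) & 0o001)

def explain_denials(log_text):
    """Pair each AVC denial with the PATH record for the same inode."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    paths = {r["inode"]: r for r in records if r.get("type") == "PATH"}
    findings = []
    for r in records:
        if r.get("type") != "AVC" or r.get("result") != "denied":
            continue
        path = paths.get(r.get("ino"))
        findings.append({
            "comm": r["comm"], "perms": r["perms"], "tclass": r["tclass"],
            "source_type": type_of(r["scontext"]),
            "target_type": type_of(r["tcontext"]),
            "lookup_path": path["name"] if path else None,
            "dac_allows_other": other_can_search(path["mode"]) if path else None,
        })
    return findings

if __name__ == "__main__":
    for f in explain_denials(AUDIT_LOG):
        print(f)
```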