Bug 168349 - External ACL-Files are ignored if they are stored under the home-directory
Product: Fedora
Classification: Fedora
Component: squid
i686 Linux
medium Severity medium
Assigned To: Martin Stransky
: Security
Reported: 2005-09-15 06:11 EDT by Alex Pircher
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-09-19 04:04:10 EDT
Description Alex Pircher 2005-09-15 06:11:50 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.7) Gecko/20040616

Description of problem:
If an external ACL-File is configured like that:
acl blocked_domains dstdomain "/home/domains.txt"
it is ignored during the restart-process.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add acl blocked_domains dstdomain "/home/domains.txt"
2. /etc/init.d/squid restart

Actual Results:  The external ACL-File is ignored

Expected Results:  The external ACL-File should have been added to the configuration

Additional info:

/var/log/squid.out shows:
2005/09/15 12:01:41| strtokFile: /home/domains.txt not found
2005/09/15 12:01:41| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"
2005/09/15 12:02:13| strtokFile: /home/domains.txt not found
2005/09/15 12:02:13| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"

However, the file domains.txt exists and domains.txt and home have the correct

# ll /home/domains.txt
-rw-r--r--  1 root root 1104 15. Sep 11:37 /home/domains.txt

# ll / | grep home
drwxr-xr-x    6 root root  4096 15. Sep 12:06 home

Placing the domains.txt under / or under /etc/squid/ works.
Comment 1 Alex Pircher 2005-09-15 19:02:26 EDT
Seems that SELinux gets the hand on it, in the audit.log I've found:

type=PATH msg=audit(1126778838.221:11646933): item=0 name="/home/domains.txt"
flags=101  inode=5439489 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126778870.293:4650569): avc:  denied  { search } for 
pid=21036 comm="squid" name="home" dev=dm-0 ino=5439489
scontext=root:system_r:squid_t tcontext=system_u:object_r:home_root_t tclass=dir
Comment 2 Martin Stransky 2005-09-19 04:04:10 EDT
Sure, the essential function of the selinux is disabling access to directories
which aren't explicitly allowed for access.
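
The correlation made by hand in Comment 1, as an added example (not part of the original report and not squid or SELinux project code): a Python script that pairs squid's "strtokFile: ... not found" lines with AVC denials logged for the same process, so a permission denial by SELinux is not mistaken for a missing file. The function names are hypothetical, and the sample input is constructed from the log lines quoted in this report, with the wrapped audit records rejoined onto single lines.

```python
import re

# Constructed sample input: the log lines quoted in this report, with the
# wrapped audit records joined back onto single lines.
SQUID_LOG = '''\
2005/09/15 12:01:41| strtokFile: /home/domains.txt not found
2005/09/15 12:01:41| aclParseAclLine: WARNING: empty ACL: acl blocked_domains dstdomain "/home/domains.txt"
'''
AUDIT_LOG = '''\
type=PATH msg=audit(1126778838.221:11646933): item=0 name="/home/domains.txt" flags=101  inode=5439489 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1126778870.293:4650569): avc:  denied  { search } for  pid=21036 comm="squid" name="home" dev=dm-0 ino=5439489 scontext=root:system_r:squid_t tcontext=system_u:object_r:home_root_t tclass=dir
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(audit_text):
    """Return one dict per AVC denial: permissions plus its key=value fields."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL and other record types are skipped
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        rec['perms'] = m.group('perms').split()
        # SELinux contexts are user:role:type[:level]; the type is field 3.
        rec['source_type'] = rec['scontext'].split(':')[2]
        rec['target_type'] = rec['tcontext'].split(':')[2]
        denials.append(rec)
    return denials

def explain_missing_files(squid_text, audit_text, comm='squid'):
    """Map each 'strtokFile: <path> not found' path to the AVC denials by
    `comm` whose object name is a component of that path."""
    denials = [d for d in parse_avc_denials(audit_text) if d.get('comm') == comm]
    result = {}
    for path in re.findall(r'strtokFile: (\S+) not found', squid_text):
        parts = [p for p in path.split('/') if p]
        result[path] = [d for d in denials if d.get('name') in parts]
    return result

if __name__ == '__main__':
    for path, hits in explain_missing_files(SQUID_LOG, AUDIT_LOG).items():
        for d in hits:
            print(f"{path}: {d['source_type']} denied {d['perms']} on "
                  f"{d['tclass']} '{d['name']}' ({d['target_type']})")
```

A path that maps to an empty list has no matching denial in the supplied audit text, which points back at ordinary file permissions or a genuinely missing file.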