Bug 199083 - selinux stops squid
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-07-17 03:30 EDT by Frank Büttner
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:02:06 EDT
Description Frank Büttner 2006-07-17 03:30:00 EDT
Description of problem:
When SELinux is in enforcing mode, squid will fail

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.47-3.fc5

How reproducible:
run service squid start

Actual results:
start fails

Expected results:
running squid

Additional info:
audit:
Jul 17 09:36:18 kernel: audit(1153121778.649:71): avc:  denied  { read write }
for  pid=3357 comm=squid name="SYSV00347402" dev=tmpfs ino=884761
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
Jul 17 09:36:21 kernel: audit(1153121781.993:72): avc:  denied  { read write }
for  pid=3364 comm=squid name="SYSV00349002" dev=tmpfs ino=917530
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
Jul 17 09:36:26 kernel: audit(1153121786.085:73): avc:  denied  { read write }
for  pid=3370 comm=squid name="SYSV0034a802" dev=tmpfs ino=950299
scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
Comment 1 Daniel Walsh 2006-07-17 10:33:15 EDT
You have a labeling problem.  Looks like some kind of tmp directory is being
mounted and not labeled correctly or you created files on a tmp directory and
moved it to a directory squid is trying to access?
Comment 2 Frank Büttner 2006-07-17 11:40:43 EDT
I can't find an unlabeled file. But it is very interesting. When I change the
access method in the squid config file from diskd to ufs then I get another error:
type=AVC msg=audit(1153151192.075:937): avc:  denied  { name_bind } for  pid=8719 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151192.075:937): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf9f85f4 a2=8499a4 a3=bf9f8604 items=0 pid=8719 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1153151192.075:937): saddr=02000C3A000000000000000000000000
type=SOCKETCALL msg=audit(1153151192.075:937): nargs=3 a0=c a1=bf9f8604 a2=10
type=AVC msg=audit(1153151195.403:938): avc:  denied  { name_bind } for  pid=8726 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151195.403:938): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfef32f4 a2=4129a4 a3=bfef3304 items=0 pid=8726 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1153151195.403:938): saddr=02000C3A000000000000000000000000
type=SOCKETCALL msg=audit(1153151195.403:938): nargs=3 a0=c a1=bfef3304 a2=10
type=AVC msg=audit(1153151198.723:939): avc:  denied  { name_bind } for  pid=8733 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1153151198.723:939): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc96094 a2=4709a4 a3=bfc960a4 items=0 pid=8733 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1153151198.723:939): saddr=02000C3A000000000000000000000000
type=SOCKETCALL msg=audit(1153151198.723:939): nargs=3 a0=c a1=bfc960a4 a2=10
type=AVC msg=audit(1153151202.040:940): avc:  denied  { name_bind } for  pid=8739 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
Comment 3 Daniel Walsh 2006-07-17 14:56:43 EDT
Fixed in selinux-policy-2.3.2-1.fc5
Comment 4 Daniel Walsh 2007-03-28 16:02:06 EDT
Closing bugs
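
Added example (not part of the original bug report and not code from the SELinux project): a Python triage script for the denials quoted in the description and in comment 2. It groups AVC records by source type, target type, class and permissions, and decodes the SOCKADDR record to confirm which address and port the denied name_bind was for. The function names are hypothetical, the sample is constructed from the report's records rejoined one per line, and the little-endian sockaddr layout is an assumption based on arch=40000003 (i386).

```python
import re
import socket
import struct
from collections import Counter

# Constructed sample: records from the report above, rejoined one per line.
SAMPLE = """\
Jul 17 09:36:18 kernel: audit(1153121778.649:71): avc:  denied  { read write } for  pid=3357 comm=squid name="SYSV00347402" dev=tmpfs ino=884761 scontext=user_u:system_r:squid_t tcontext=user_u:object_r:tmpfs_t tclass=file
type=AVC msg=audit(1153151192.075:937): avc:  denied  { name_bind } for  pid=8719 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
type=SOCKADDR msg=audit(1153151192.075:937): saddr=02000C3A000000000000000000000000
type=AVC msg=audit(1153151195.403:938): avc:  denied  { name_bind } for  pid=8726 comm="squid" src=3130 scontext=user_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
SADDR_RE = re.compile(r"type=SOCKADDR .*?saddr=(?P<hex>[0-9A-Fa-f]+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into (source type, target type, class, perms)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return (context_type(f["scontext"]), context_type(f["tcontext"]),
            f["tclass"], tuple(sorted(m.group("perms").split())))

def decode_saddr(hexstr):
    """Decode an AF_INET sockaddr_in as logged on i386 (assumed little-endian)."""
    raw = bytes.fromhex(hexstr)
    (family,) = struct.unpack_from("<H", raw, 0)  # sa_family: host byte order
    if family != socket.AF_INET:
        return None
    (port,) = struct.unpack_from("!H", raw, 2)    # sin_port: network byte order
    return socket.inet_ntoa(raw[4:8]), port

def summarize(text):
    """Count distinct denials and collect decoded bind addresses."""
    denials, binds = Counter(), set()
    for line in text.splitlines():
        rule = parse_avc(line)
        if rule:
            denials[rule] += 1
        m = SADDR_RE.search(line)
        if m and (addr := decode_saddr(m.group("hex"))):
            binds.add(addr)
    return denials, binds
```

Calling `summarize(SAMPLE)` collapses the repeated records into two distinct denials, squid_t on a tmpfs_t file and squid_t binding a udp_socket to an http_cache_port_t port, which is the level at which a labeling or policy fix is decided.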
