Bug 224409 - Denials with squid's cachemgr.cgi
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Duplicates: 224412
Reported: 2007-01-25 11:22 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.4.6-37.fc6
Doc Type: Bug Fix
Last Closed: 2007-02-22 13:12:44 EST

Attachments
Loadable policy module to fix your problem. (315 bytes, application/octet-stream)
2007-01-25 15:13 EST, Daniel Walsh

Description Orion Poplawski 2007-01-25 11:22:28 EST
Description of problem:

When using squid's cachemgr.cgi as configured by the Fedora squid package I get:

Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc:  denied  { search }
for  pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0
tclass=dir

This is trying to search /etc/squid.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-27.fc6
Comment 1 Orion Poplawski 2007-01-25 11:27:14 EST
*** Bug 224412 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2007-01-25 14:10:53 EST
Why is cachemgr.cgi in /etc/squid directory?
Comment 3 Orion Poplawski 2007-01-25 14:20:45 EST
It's not.  It's in /usr/lib/squid/cachemgr.cgi, but it's trying to read
/etc/squid/cachemgr.conf.  It may be trying to do other stuff too, not sure. 
Running from the command line under strace I see:

8115  open("/etc/squid/cachemgr.conf", O_RDONLY|O_LARGEFILE) = 3
Comment 4 Orion Poplawski 2007-01-25 14:21:45 EST
Note that it seems to run fine.
Comment 5 Daniel Walsh 2007-01-25 15:13:03 EST
Created attachment 146614 [details]
Loadable policy module to fix your problem.

Could you save this te file and execute

make -f /usr/share/selinux/devel/Makefile 
semodule -i squid-cgi.pp 
chcon -t httpd_squid_script_exec_t /usr/lib/squid/cachemgr.cgi 

And try it out.
This fix will be in the next policy.
Comment 6 Orion Poplawski 2007-01-25 15:19:44 EST
Similar but different:

Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc:  denied  { search }
for  pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143
scontext=system_u:system_r:httpd_squid_script_t:s0
tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir
Comment 7 Daniel Walsh 2007-01-25 15:28:33 EST
Yes, I knew about that one. Sorry, forgot to tell you.

That was added to /usr/share/selinux/devel/include/services/squid.if

########################################
## <summary>
##	Read squid configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_config',`
	gen_require(`
		type squid_conf_t;
	')

	files_search_etc($1)
	allow $1 squid_conf_t:dir search_dir_perms;
	allow $1 squid_conf_t:file r_file_perms;
')
Comment 8 Daniel Walsh 2007-02-14 15:33:04 EST
Fixed in selinux-policy-2.4.6-37.fc6
Comment 9 Orion Poplawski 2007-02-16 13:45:20 EST
Still see it:

audit(1171651371.459:7): avc:  denied  { search } for  pid=3384
comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0
tclass=dir

[root@hawk ~]# restorecon -r -v /usr/lib/squid/ /etc/squid
[root@hawk ~]# rpm -q selinux-policy
selinux-policy-2.4.6-37.fc6
Comment 10 Daniel Walsh 2007-02-16 16:05:43 EST
For some reason cachemgr.cgi is not transitioning to httpd_squid_script_t?

getsebool -a | grep http

Comment 11 Orion Poplawski 2007-02-16 16:07:33 EST
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on
Comment 12 Daniel Walsh 2007-02-20 14:48:36 EST
ls -lZ /usr/lib/squid/cachemgr.cgi
Comment 13 Orion Poplawski 2007-02-20 14:56:54 EST
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/lib/squid/cachemgr.cgi
Comment 14 Daniel Walsh 2007-02-22 12:53:29 EST
restorecon -F -R -v /usr/lib/squid/cachemgr.cgi

The context is wrong.
Comment 15 Orion Poplawski 2007-02-22 13:12:44 EST
That indeed fixed the context and removed the denial.
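As an added example (not part of this bug report or of the selinux-policy package), the script below encodes the diagnosis this thread walks through. It parses kernel AVC denial lines like the ones quoted above and separates the two causes seen here: a denial whose source domain is still httpd_t means httpd never transitioned, so the CGI binary is not labeled httpd_squid_script_exec_t and needs restorecon (comments 13 and 14); a denial from httpd_squid_script_t against squid_conf_t means the transition worked and the policy simply lacks the access that squid_read_config() grants (comments 6 and 7). The sample log lines are constructed from the denials quoted in this bug, rejoined onto single lines, plus one unrelated httpd denial made up for contrast; the `ls -lZ` line mirrors the format in comment 13. Type names are the ones used in the thread.

```python
import re

# Kernel AVC record: "avc:  denied  { perms } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels the thread settles on for the squid cache-manager CGI.
CGI_EXEC_TYPE = "httpd_squid_script_exec_t"  # what /usr/lib/squid/cachemgr.cgi must carry
CGI_DOMAIN = "httpd_squid_script_t"          # domain httpd_t transitions into when it runs it
SQUID_CONF_TYPE = "squid_conf_t"             # label on /etc/squid and its config files


def parse_avc(line):
    """Return the AVC denial in `line` as a dict, or None if it is not one.

    scontext/tcontext are user:role:type[:level]; the type component is
    pulled out separately because that is what policy rules are written in.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def diagnose(rec):
    """Classify a cachemgr.cgi denial into the two causes seen in this bug."""
    if rec is None or rec.get("comm") != "cachemgr.cgi":
        return "not cachemgr.cgi"
    src, tgt = rec.get("scontext_type"), rec.get("tcontext_type")
    if src == "httpd_t":
        # Still running as plain httpd: no domain transition happened, so the
        # CGI binary is not labeled CGI_EXEC_TYPE. No policy change fixes
        # this; relabel the file (restorecon -F) instead.
        return "binary mislabeled, expected %s" % CGI_EXEC_TYPE
    if src == CGI_DOMAIN and tgt == SQUID_CONF_TYPE:
        # Transition worked; the script domain just lacks read access to
        # /etc/squid, i.e. squid_read_config(httpd_squid_script_t) is missing.
        return "policy missing squid_read_config for %s" % CGI_DOMAIN
    return "other denial from %s to %s" % (src, tgt)


def label_needs_restorecon(ls_z_line, expected_type):
    """True if a 2007-style `ls -lZ` line (mode user group context path)
    shows a type other than `expected_type`."""
    context = ls_z_line.split()[3]
    return context.split(":")[2] != expected_type


# Constructed sample input: the two denials quoted in this bug, each on one
# line, plus a made-up unrelated httpd denial that must be left alone.
SAMPLE_LOG = [
    'Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc:  denied  { search } for  pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir',
    'Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc:  denied  { search } for  pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir',
    'Jan 25 13:20:00 hawk kernel: audit(1169756400.000:48): avc:  denied  { read } for  pid=9010 comm="httpd" name="index.html" dev=dm-0 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]
# Constructed from comment 13's output.
SAMPLE_LS_Z = "-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/lib/squid/cachemgr.cgi"


def report(lines=SAMPLE_LOG):
    """Diagnose every AVC line in `lines`; non-AVC lines are skipped."""
    return [diagnose(parse_avc(l)) for l in lines if parse_avc(l)]


if __name__ == "__main__":
    for verdict in report():
        print(verdict)
    if label_needs_restorecon(SAMPLE_LS_Z, CGI_EXEC_TYPE):
        print("restorecon -F -R -v /usr/lib/squid/cachemgr.cgi")
```

The point of the split is the one Daniel Walsh makes in comment 10: a denial from httpd_t rather than httpd_squid_script_t says nothing about the squid policy, only that the transition never happened, which is a file-labeling problem and not something to paper over with audit2allow.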