Description of problem:
When using squid's cachemgr.cgi as configured by the Fedora squid package I get:

Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc: denied { search } for pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir

This is trying to search /etc/squid.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-27.fc6
*** Bug 224412 has been marked as a duplicate of this bug. ***
Why is cachemgr.cgi in /etc/squid directory?
It's not. It's in /usr/lib/squid/cachemgr.cgi, but it's trying to read /etc/squid/cachemgr.conf. It may be trying to do other stuff too, not sure. Running from the command line under strace I see:

8115 open("/etc/squid/cachemgr.conf", O_RDONLY|O_LARGEFILE) = 3
Note that it seems to run fine.
Created attachment 146614
Loadable policy module to fix your problem.

Could you save this te file and execute

make -f /usr/share/selinux/devel/Makefile
semodule -i squid-cgi.pp
chcon -t httpd_squid_script_exec_t /usr/lib/squid/cachemgr.cgi

And try it out. This fix will be in the next policy.
Similar but different:

Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc: denied { search } for pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir
Yes I knew about that one. Sorry, forgot to tell you. That was added to /usr/share/selinux/devel/include/services/squid.if

########################################
## <summary>
##	Read squid configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_config',`
	gen_require(`
		type squid_conf_t;
	')

	files_search_etc($1)
	allow $1 squid_conf_t:dir search_dir_perms;
	allow $1 squid_conf_t:file r_file_perms;
')
Fixed in selinux-policy-2.4.6-37.fc6
Still see it:

audit(1171651371.459:7): avc: denied { search } for pid=3384 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir

[root@hawk ~]# restorecon -r -v /usr/lib/squid/ /etc/squid
[root@hawk ~]# rpm -q selinux-policy
selinux-policy-2.4.6-37.fc6
For some reason cachemgr.cgi is not transitioning to httpd_squid_script_t?

getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on
ls -lZ /usr/lib/squid/cachemgr.cgi
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/lib/squid/cachemgr.cgi
The context is wrong.

restorecon -F -R -v /usr/lib/squid/cachemgr.cgi
That indeed fixed the context and removed the denial.
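An added example, not code from the bug report or from the selinux-policy project: it parses the two AVC denials quoted in this thread and tells the two situations apart, cachemgr.cgi running as plain httpd_t (no domain transition happened, so the file label is the thing to check) versus running as httpd_squid_script_t but hitting a policy that lacks the squid_read_config() rule. The function names and the classification labels are my own.

```shell
#!/bin/sh
# Added example: classify AVC denials of the shape seen in this report.
# The two sample lines below are the denials quoted in the thread.

# Print the value of KEY=value (surrounding quotes stripped) from an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Print the permission list between "denied {" and "}", e.g. "search"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# Type field (third component) of the source and target contexts
avc_stype() { avc_field "$1" scontext | cut -d: -f3; }
avc_ttype() { avc_field "$1" tcontext | cut -d: -f3; }

# One-line summary, e.g. "cachemgr.cgi httpd_t -> squid_conf_t:dir {search}"
avc_summary() {
    printf '%s %s -> %s:%s {%s}\n' "$(avc_field "$1" comm)" "$(avc_stype "$1")" \
        "$(avc_ttype "$1")" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# Classification (labels are my own):
#   no-transition - cachemgr.cgi ran as httpd_t, so httpd never transitioned it;
#                   check `ls -Z` for httpd_squid_script_exec_t and run restorecon -F
#   missing-rule  - correct domain, but the policy lacks squid_read_config()
#   other         - not a cachemgr.cgi / squid_conf_t denial
classify_avc() {
    _comm=$(avc_field "$1" comm); _stype=$(avc_stype "$1"); _ttype=$(avc_ttype "$1")
    if [ "$_comm" = cachemgr.cgi ] && [ "$_stype" = httpd_t ]; then
        echo no-transition
    elif [ "$_stype" = httpd_squid_script_t ] && [ "$_ttype" = squid_conf_t ]; then
        echo missing-rule
    else
        echo other
    fi
}

# The two denials quoted in the report
AVC_HTTPD='Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc: denied { search } for pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir'
AVC_SCRIPT='Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc: denied { search } for pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir'

for line in "$AVC_HTTPD" "$AVC_SCRIPT"; do
    printf '%s  => %s\n' "$(avc_summary "$line")" "$(classify_avc "$line")"
done
```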