Description of problem:
When Squid is configured to use NTLM authentication it starts a number of ntlm_auth helper processes (the helpers themselves are part of the samba-common package). However, SELinux policy prevents the helpers from functioning. As a result the helpers exit, and so does Squid.

Version-Release number of selected component (if applicable):
squid-2.6.STABLE13-1.fc7
samba-common-3.0.25b-2.fc7
selinux-policy-2.6.4-30.fc7
selinux-policy-targeted-2.6.4-30.fc7

How reproducible:
Always

Steps to Reproduce:
1. Configure squid to use NTLM authentication. Have the following in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

The only essential line is the first one.
2. Configure Samba and join your computer to an Active Directory domain. Start smbd, nmbd and winbind.
3. Start squid

Actual results:
After a few seconds squid exits abnormally. In /var/log/squid/cache.log:

2007/08/06 21:08:28| WARNING: ntlmauthenticator #9 (FD 14) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #8 (FD 13) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #7 (FD 12) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #6 (FD 11) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #5 (FD 10) exited
2007/08/06 21:08:28| Too few ntlmauthenticator processes are running
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!
Squid Cache (Version 2.6.STABLE13): Terminated abnormally.
In /var/log/audit/audit.log:

type=AVC msg=audit(1186423708.180:117122): avc: denied { read write } for pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket

Expected results:
Squid starts normally and uses NTLM authentication

Additional info:
audit2allow reports that the following rule is needed:

allow winbind_helper_t squid_t:unix_stream_socket { read write };
Fixed in selinux-policy-2.6.4-34
Please pardon an ignorant question, but where can I find version 2.6.4-34? Can't seem to find it in updates or even CVS. Thanks.
I have just submitted it for build. I am trying to only release on a weekly basis. So it should go to Fedora Testing on Friday.
Confirm that selinux-policy-2.6.4-35 from testing solves the problem. Thanks!
While the issue is fixed as of selinux-policy-2.6.4-35, now my audit log is full of these messages:

type=AVC msg=audit(1191922803.673:467268): avc: denied { create } for pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket

I wonder if these should be allowed, or else not audited.
Looks like winbind_helper might be talking to dns? In Rawhide I allow this so I guess I will back port to FC7. Added in selinux-policy-2.6.4-48
With selinux-policy-2.6.4-48 the denials above are gone, thank you. However, when squid starts, a few denials are still logged:

type=AVC msg=audit(1192697265.873:16787): avc: denied { read } for pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697265.873:16786): avc: denied { read } for pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697162.366:16783): avc: denied { getattr } for pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
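The denials quoted in the original report and in the comment above all share the kernel's AVC record format, and the rule audit2allow printed for the first one is just that record folded into TE syntax. The following is an added example written for this page (not the Fedora policy tooling and not audit2allow's own code): a small Python parser that turns AVC records into merged allow rules and a minimal .te module. The sample input is the five AVC records from this thread with the wrapped tokens rejoined, plus one constructed SYSCALL record to show that non-AVC lines are ignored; the function names and the `action` parameter (to emit `dontaudit` instead of `allow`, the alternative raised in the earlier comment) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input for this example: the AVC records quoted in this
# bug report, rejoined where the page wrapped them mid-token, plus one
# non-AVC record to show that unrelated audit lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1186423708.180:117122): avc: denied { read write } for pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1191922803.673:467268): avc: denied { create } for pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket
type=AVC msg=audit(1192697265.873:16787): avc: denied { read } for pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697265.873:16786): avc: denied { read } for pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697162.366:16783): avc: denied { getattr } for pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1192697162.366:16783): arch=40000003 syscall=197 success=no exit=-13
"""

# "avc: denied { perm perm ... }"; real logs often use double spaces, so \s+.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
# key=value pairs; quoted values (comm="ntlm_auth") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record.

    Returns (permissions, source_type, target_type, tclass) for an AVC denial,
    or None for anything else (SYSCALL/PATH records, granted AVCs, junk).
    """
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    try:
        # A context is user:role:type[:range]; the type is the third component.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return frozenset(m.group('perms').split()), stype, ttype, tclass


def collect_denials(log_text):
    """Merge all denials into {(source_type, target_type, tclass): set(perms)}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            perms, stype, ttype, tclass = parsed
            merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def _perm_str(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def format_rule(stype, ttype, tclass, perms, action='allow'):
    """Render one TE rule the way audit2allow prints it ('self' when target == source)."""
    target = 'self' if ttype == stype else ttype
    return '%s %s %s:%s %s;' % (action, stype, target, tclass, _perm_str(perms))


def suggest_rules(log_text, action='allow'):
    """Return the sorted list of TE rules covering every denial in log_text."""
    denials = collect_denials(log_text)
    return [format_rule(s, t, c, p, action) for (s, t, c), p in sorted(denials.items())]


def policy_module(name, log_text, action='allow'):
    """Emit a minimal .te source (in the shape 'audit2allow -M' produces)."""
    denials = collect_denials(log_text)
    types = sorted({t for key in denials for t in key[:2]})
    by_class = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        by_class[tclass] |= perms
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (c, _perm_str(p)) for c, p in sorted(by_class.items())]
    lines += ['}', '']
    lines += suggest_rules(log_text, action)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(policy_module('squid_ntlm_local', SAMPLE_AUDIT_LOG))
```

Run as-is it prints a module whose three rules match what the thread converged on: the unix_stream_socket rule (now with getattr merged in from the later denial), the udp_socket rule rendered against `self`, and a read rule on etc_t for host.conf and nsswitch.conf. The merging is the useful part: denials for one helper arrive across several runs and several audit records, and a rule written from a single record (as the first audit2allow output in the report was) is incomplete. The generated module is a starting point for a policy decision, not the decision itself; whether a denial should be allowed or merely silenced with `dontaudit` is exactly the question asked above, which is why `action` is a parameter.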
Fixed in selinux-policy-2.6.4-49
Confirm that selinux-policy-2.6.4-49 fixes the denials on startup. I think the issue can be closed.