Bug 251041 - Squid cannot start NTLM auth helpers due to SELinux policy
Summary: Squid cannot start NTLM auth helpers due to SELinux policy
Alias: None
Product: Fedora
Classification: Fedora
Component: squid
Version: 7
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-08-06 18:12 UTC by Leonid Zeitlin
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-12 23:02:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Leonid Zeitlin 2007-08-06 18:12:21 UTC
Description of problem:
When Squid is configured to use NTLM authentication it starts a number of 
ntlm_auth helper processes (the helpers themselves are part of the samba-common 
package). However, SELinux policy prevents the helpers from functioning. As a 
result the helpers exit, and so does Squid.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure squid to use NTLM authentication. Have the following in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

The only essential line is the first one.

2. Configure Samba and join your computer to an Active Directory domain. Start 
smbd, nmbd and winbind.

3. Start squid

Actual results:
After a few seconds squid exits abnormally. 

In /var/log/squid/cache.log:

2007/08/06 21:08:28| WARNING: ntlmauthenticator #9 (FD 14) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #8 (FD 13) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #7 (FD 12) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #6 (FD 11) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #5 (FD 10) exited
2007/08/06 21:08:28| Too few ntlmauthenticator processes are running
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!

Squid Cache (Version 2.6.STABLE13): Terminated abnormally.

In /var/log/audit/audit.log:

type=AVC msg=audit(1186423708.180:117122): avc:  denied  { read write } for  pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_strea

Expected results:
Squid starts normally and uses NTLM authentication

Additional info:
Audit2allow reports that the following rule is needed:

allow winbind_helper_t squid_t:unix_stream_socket { read write };

Comment 1 Daniel Walsh 2007-08-06 22:53:37 UTC
Fixed in selinux-policy-2.6.4-34

Comment 2 Leonid Zeitlin 2007-08-07 09:14:13 UTC
Please pardon an ignorant question, but where can I find version 2.6.4-34? 
Can't seem to find it in updates or even CVS. Thanks.

Comment 3 Daniel Walsh 2007-08-07 13:28:34 UTC
I have just submitted it for build.  I am trying to only release on a weekly
basis.  So it should go to Fedora Testing on Friday.

Comment 4 Leonid Zeitlin 2007-08-14 17:54:13 UTC
Confirm that selinux-policy-2.6.4-35 from testing solves the problem. Thanks!

Comment 5 Leonid Zeitlin 2007-10-09 09:43:37 UTC
While the issue is fixed as of selinux-policy-2.6.4-35, now my audit log is 
full of these messages:

type=AVC msg=audit(1191922803.673:467268): avc:  denied  { create } for  pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket

I wonder if these should be allowed, or else not audited.

Comment 6 Daniel Walsh 2007-10-09 14:46:34 UTC
Looks like winbind_helper might be talking to dns?

In Rawhide I allow this so I guess I will back port to FC7.
Added in selinux-policy-2.6.4-48

Comment 7 Leonid Zeitlin 2007-10-18 08:53:03 UTC
With selinux-policy-2.6.4-48 the denials above are gone, thank you. However, 
when squid starts, a few denials are still logged:

type=AVC msg=audit(1192697265.873:16787): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1192697265.873:16786): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1192697162.366:16783): avc:  denied  { getattr } for  pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socke

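The description and Comment 7 both rest on reading AVC records out of audit.log and turning them into the allow rule audit2allow prints. The following script is an added example written for this page, not part of the bug or of the selinux-policy package: it parses the denials quoted in this report (re-joined onto single lines and, where the quoted line was cut off, completed to the class name `unix_stream_socket` given by the audit2allow rule in the description), merges permissions per (source type, target type, class) triple and emits one `allow` rule per triple, the way audit2allow does. The regex, the function names and the sample log are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug, one record per line
# (which is how auditd writes them), plus one non-AVC record to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1186423708.180:117122): avc:  denied  { read write } for  pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1191922803.673:467268): avc:  denied  { create } for  pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket
type=AVC msg=audit(1192697265.873:16787): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697265.873:16786): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697162.366:16783): avc:  denied  { getattr } for  pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1186423708.180:117122): arch=c000003e syscall=0 success=no exit=-13
"""

# Assumed record layout: "avc: denied { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "decision": m["decision"],
        "perms": frozenset(m["perms"].split()),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return rules


def to_allow_rules(log_text):
    """Render the grouped denials as TE allow rules, audit2allow style."""
    out = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(log_text).items()):
        # A process touching objects of its own type is written as "self".
        target = "self" if ttype == stype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    for rule in to_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the first record alone it reproduces the rule audit2allow reported in the description; over the whole sample it yields three rules, one for the Squid socket (now with `getattr` merged in from Comment 7), one for the `etc_t` files and one `self` rule for the UDP socket from Comment 5. The generated rules are a starting point for review, not a policy to load as-is: a `read` on `etc_t` files is normally granted through an existing policy interface rather than a raw rule, and for an access the helper does not actually need, a `dontaudit` rule (the alternative the reporter asks about in Comment 5) is the correct answer rather than an `allow`.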
Comment 8 Daniel Walsh 2007-10-18 21:07:42 UTC
Fixed selinux-policy-2.6.4-49

Comment 9 Leonid Zeitlin 2007-11-09 17:51:25 UTC
Confirm that selinux-policy-2.6.4-49 fixes the denials on startup. I think the 
issue can be closed.
