Bug 251041 - Squid cannot start NTLM auth helpers due to SELinux policy
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: squid
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-08-06 14:12 EDT by Leonid Zeitlin
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-11-12 18:02:01 EST
Attachments: None
Description Leonid Zeitlin 2007-08-06 14:12:21 EDT
Description of problem:
When Squid is configured to use NTLM authentication it starts a number of 
ntlm_auth helper processes (the helpers themselves are part of the samba-common 
package). However, SELinux policy prevents the helpers from functioning. As the 
result the helpers exit, and so does Squid.

Version-Release number of selected component (if applicable):
squid-2.6.STABLE13-1.fc7
samba-common-3.0.25b-2.fc7
selinux-policy-2.6.4-30.fc7
selinux-policy-targeted-2.6.4-30.fc7


How reproducible:
Always

Steps to Reproduce:
1. Configure squid to use NTLM authentication. Have the following in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

The only essential line is the first one.

2. Configure Samba and join your computer to an Active Directory domain. Start 
smbd, nmbd and winbind.

3. Start squid
  
Actual results:
After a few seconds squid exits abnormally. 

In /var/log/squid/cache.log:

2007/08/06 21:08:28| WARNING: ntlmauthenticator #9 (FD 14) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #8 (FD 13) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #7 (FD 12) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #6 (FD 11) exited
2007/08/06 21:08:28| WARNING: ntlmauthenticator #5 (FD 10) exited
2007/08/06 21:08:28| Too few ntlmauthenticator processes are running
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!

Squid Cache (Version 2.6.STABLE13): Terminated abnormally.

In /var/log/audit/audit.log:

type=AVC msg=audit(1186423708.180:117122): avc:  denied  { read write } for  pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket

Expected results:
Squid starts normally and uses NTLM authentication

Additional info:
Audit2allow reports that the following rule is needed:

allow winbind_helper_t squid_t:unix_stream_socket { read write };
Comment 1 Daniel Walsh 2007-08-06 18:53:37 EDT
Fixed in selinux-policy-2.6.4-34
Comment 2 Leonid Zeitlin 2007-08-07 05:14:13 EDT
Please pardon an ignorant question, but where can I find version 2.6.4-34? 
Can't seem to find it in updates or even CVS. Thanks.
Comment 3 Daniel Walsh 2007-08-07 09:28:34 EDT
I have just submitted it for build.  I am trying to only release on a weekly
basis.  So it should go to Fedora Testing on Friday.
Comment 4 Leonid Zeitlin 2007-08-14 13:54:13 EDT
Confirm that selinux-policy-2.6.4-35 from testing solves the problem. Thanks!
Comment 5 Leonid Zeitlin 2007-10-09 05:43:37 EDT
While the issue is fixed as of selinux-policy-2.6.4-35, now my audit log is 
full of these messages:

type=AVC msg=audit(1191922803.673:467268): avc:  denied  { create } for  pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket

I wonder if these should be allowed, or else not audited.
Comment 6 Daniel Walsh 2007-10-09 10:46:34 EDT
Looks like winbind_helper might be talking to dns?

In Rawhide I allow this so I guess I will back port to FC7.
Added in selinux-policy-2.6.4-48
Comment 7 Leonid Zeitlin 2007-10-18 04:53:03 EDT
With selinux-policy-2.6.4-48 the denials above are gone, thank you. However, 
when squid starts, a few denials are still logged:

type=AVC msg=audit(1192697265.873:16787): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1192697265.873:16786): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

type=AVC msg=audit(1192697162.366:16783): avc:  denied  { getattr } for  pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
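As an added example (not code from this bug report, from Squid, or from the Fedora SELinux tooling), the following Python script does for the AVC records quoted in the description and in comments 5 and 7 what audit2allow does for a real audit log: it parses each record, merges the denied permissions per (source type, target type, class) triple, and renders allow rules, emitting `self` where source and target type coincide, as with the udp_socket denial. It also keeps the command and object name beside each denial so a policy reviewer can see what was actually accessed (here: a Squid-owned unix socket, resolver configuration files labelled etc_t, and a UDP socket) before deciding that a rule is warranted. The sample log is those five records rejoined onto single lines plus one constructed non-AVC record; the context layout user:role:type:level is assumed.

```python
import re
from collections import defaultdict

# Constructed sample input: the five AVC records quoted in this bug, rejoined onto
# one line each, plus a constructed SYSCALL record to show that non-AVC records
# are skipped by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1186423708.180:117122): avc:  denied  { read write } for  pid=27642 comm="ntlm_auth" name="[22993981]" dev=sockfs ino=22993981 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1191922803.673:467268): avc:  denied  { create } for  pid=15084 comm="ntlm_auth" scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:winbind_helper_t:s0 tclass=udp_socket
type=AVC msg=audit(1192697265.873:16787): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="host.conf" dev=dm-3 ino=66420761 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697265.873:16786): avc:  denied  { read } for  pid=7454 comm="ntlm_auth" name="nsswitch.conf" dev=dm-3 ino=66420786 scontext=root:system_r:winbind_helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192697162.366:16783): avc:  denied  { getattr } for  pid=7461 comm="ntlm_auth" name="[3631756]" dev=sockfs ino=3631756 scontext=root:system_r:winbind_helper_t:s0 tcontext=root:system_r:squid_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1192697162.366:16783): arch=c000003e syscall=5 success=no exit=-13 comm="ntlm_auth"
"""

# Shape of an AVC record: header, decision, "{ perms }", then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type component of a user:role:type:level security context (assumed layout)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),          # object name; absent for some socket denials
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def denied_records(log_text):
    """Yield parsed AVC records whose decision is 'denied'."""
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            yield rec


def summarize_denials(log_text):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for rec in denied_records(log_text):
        rules[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render merged denials as SELinux allow rules; 'self' when source and target type match."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        lines.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return lines


def describe_denials(log_text):
    """One review line per denial, keeping the command and the object that was accessed."""
    out = []
    for rec in denied_records(log_text):
        obj = rec["name"] if rec["name"] is not None else "(unnamed)"
        out.append(
            f"{rec['comm']} ({rec['source_type']}) denied {' '.join(sorted(rec['perms']))} "
            f"on {rec['tclass']} {obj} labelled {rec['target_type']}"
        )
    return out


if __name__ == "__main__":
    for line in describe_denials(SAMPLE_AUDIT_LOG):
        print(line)
    print()
    for rule in render_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

For this bug's records the summary collapses to three rules: etc_t:file read, self:udp_socket create, and squid_t:unix_stream_socket { getattr read write }, the last being the rule from the description widened by the getattr denial in comment 7. On a real host the same merging is done by audit2allow, and a local module built with audit2allow -M and loaded with semodule -i is the usual stopgap until the distribution policy carries the fix, as it did here; the describe_denials output is the part worth reading before loading such a module, since it shows whether the denied access (here, resolver configuration and a Squid-owned socket) is something the helper legitimately needs.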
Comment 8 Daniel Walsh 2007-10-18 17:07:42 EDT
Fixed selinux-policy-2.6.4-49

Comment 9 Leonid Zeitlin 2007-11-09 12:51:25 EST
Confirm that selinux-policy-2.6.4-49 fixes the denials on startup. I think the 
issue can be closed.
