Bug 376621 - selinux prevents squid from accessing pam
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
low
low
Assignee: Radek Vokal
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-11 22:41 UTC by Tobias Ottmar
Modified: 2008-11-17 22:02 UTC (History)
Last Closed: 2008-11-17 22:02:37 UTC

Attachments
Alert from setroubleshoot. (2.45 KB, text/plain)
2007-11-14 14:18 UTC, Scott Bambrough
/etc/pam.d/squid, as requested. (67 bytes, text/plain)
2008-03-11 14:58 UTC, Tobias Ottmar
/etc/squid/squid.conf, as requested. (145.33 KB, text/plain)
2008-03-11 14:59 UTC, Tobias Ottmar
Selinux alerts (5.43 KB, text/plain)
2008-03-11 16:53 UTC, Martin Nagy
Audit log (4.97 KB, text/plain)
2008-03-12 15:07 UTC, Martin Nagy

Description Tobias Ottmar 2007-11-11 22:41:58 UTC
Description of problem:
Configured squid to use pam_auth (/usr/lib/squid/pam_auth) which authenticates
squid users against local users using pam. Selinux denies this, saying:

avc: denied { execute } for comm=pam_auth dev=md0 name=unix_chkpwd pid=10491
scontext=root:system_r:squid_t:s0 tclass=file
tcontext=system_u:object_r:chkpwd_exec_t:s0 

Version-Release number of selected component (if applicable):
squid-2.6.STABLE16-2.fc8

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
selinux should allow squid to authenticate local users.

Additional info:
Please contact me if anything is missing. I'm happy to help! :)
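
Added example, not part of the original report or of the selinux-policy project: a small Python parser for the AVC denial quoted above, reducing it to the source type, target type, object class and permission that a policy reviewer needs to see. `parse_avc`, `context_type`, `rule_tuple` and `summarize` are hypothetical helper names, and the sample is the report's denial joined onto one line.

```python
import re
from collections import Counter

# Denial quoted in the bug description, joined onto one line.
SAMPLE = (
    "avc: denied { execute } for comm=pam_auth dev=md0 name=unix_chkpwd "
    "pid=10491 scontext=root:system_r:squid_t:s0 tclass=file "
    "tcontext=system_u:object_r:chkpwd_exec_t:s0"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return decision, permissions and key=value fields, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record: not enough to identify the access
    return {"decision": m.group(1), "perms": m.group(2).split(), "fields": fields}


def context_type(context):
    """Type field of a user:role:type[:level] context (the level may contain ':')."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: " + context)
    return parts[2]


def rule_tuple(avc):
    """Render 'source_type target_type:class { perms }' for one parsed AVC."""
    f = avc["fields"]
    perms = " ".join(sorted(avc["perms"]))
    return "%s %s:%s { %s }" % (context_type(f["scontext"]),
                                context_type(f["tcontext"]), f["tclass"], perms)


def summarize(lines):
    """Count denials per access tuple, skipping lines that are not AVC denials."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["decision"] == "denied":
            counts[rule_tuple(avc)] += 1
    return counts
```

The tuple names the access that was blocked (the `squid_t` domain executing a file labelled `chkpwd_exec_t`); how the policy should grant or route that access is a decision for the policy maintainers, not something the parser derives.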

Comment 1 Scott Bambrough 2007-11-14 14:17:27 UTC
This particular bug also occurs on RHEL 5.1.

Comment 2 Scott Bambrough 2007-11-14 14:18:08 UTC
Created attachment 258061 [details]
Alert from setroubleshoot.

Comment 3 Martin Nagy 2008-03-11 12:47:37 UTC
Please attach your /etc/squid/squid.conf and /etc/pam.d/squid
Thanks.

Comment 4 Tobias Ottmar 2008-03-11 14:58:20 UTC
Created attachment 297620 [details]
/etc/pam.d/squid, as requested.

Comment 5 Tobias Ottmar 2008-03-11 14:59:08 UTC
Created attachment 297622 [details]
/etc/squid/squid.conf, as requested.

Comment 6 Martin Nagy 2008-03-11 16:50:16 UTC
Reassigning to selinux-policy.

Comment 7 Martin Nagy 2008-03-11 16:53:08 UTC
Created attachment 297643 [details]
Selinux alerts

I saw these.

Comment 8 Martin Nagy 2008-03-12 15:07:49 UTC
Created attachment 297782 [details]
Audit log

Comment 9 Josef Kubin 2008-03-12 21:30:19 UTC
The new packages are available: http://people.redhat.com/jkubin/selinux/F8/
Test them please, thank you.

Comment 10 Martin Nagy 2008-03-13 08:04:38 UTC
These packages work for me

Comment 11 Tony Fu 2008-10-06 01:27:45 UTC
User jkubin@redhat.com's account has been closed

Comment 12 Daniel Walsh 2008-11-17 22:02:37 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

