376621 – selinux prevents squid from accessing pam

Bug 376621 - selinux prevents squid from accessing pam

Summary: selinux prevents squid from accessing pam

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Radek Vokál
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-11-11 22:41 UTC by Tobias Ottmar
Modified:	2008-11-17 22:02 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-11-17 22:02:37 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Alert from setroubleshoot. (2.45 KB, text/plain) 2007-11-14 14:18 UTC, Scott Bambrough	no flags	Details
/etc/pam.d/squid, as requested. (67 bytes, text/plain) 2008-03-11 14:58 UTC, Tobias Ottmar	no flags	Details
/etc/squid/squid.conf, as requested. (145.33 KB, text/plain) 2008-03-11 14:59 UTC, Tobias Ottmar	no flags	Details
Selinux alerts (5.43 KB, text/plain) 2008-03-11 16:53 UTC, Martin Nagy	no flags	Details
Audit log (4.97 KB, text/plain) 2008-03-12 15:07 UTC, Martin Nagy	no flags	Details
View All

Description Tobias Ottmar 2007-11-11 22:41:58 UTC

Description of problem:
Configured squid to use pam_auth (/usr/lib/squid/pam_auth) which authenticates
squid users against local users using pam. Selinux denies this, saying:

avc: denied { execute } for comm=pam_auth dev=md0 name=unix_chkpwd pid=10491
scontext=root:system_r:squid_t:s0 tclass=file
tcontext=system_u:object_r:chkpwd_exec_t:s0 

Version-Release number of selected component (if applicable):
squid-2.6.STABLE16-2.fc8

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
selinux should allow squid to authenticate local users.

Additional info:
Please contact me if anything is missing. I'm happy to help! :)

Comment 1 Scott Bambrough 2007-11-14 14:17:27 UTC

This particular bug also occurs on RHEL 5.1.

Comment 2 Scott Bambrough 2007-11-14 14:18:08 UTC

Created attachment 258061 [details]
Alert from setroubleshoot.

Comment 3 Martin Nagy 2008-03-11 12:47:37 UTC

Please attach your /etc/squid/squid.conf and /etc/pam.d/squid
Thanks.

Comment 4 Tobias Ottmar 2008-03-11 14:58:20 UTC

Created attachment 297620 [details]
/etc/pam.d/squid, as requested.

Comment 5 Tobias Ottmar 2008-03-11 14:59:08 UTC

Created attachment 297622 [details]
/etc/squid/squid.conf, as requested.

Comment 6 Martin Nagy 2008-03-11 16:50:16 UTC

Reassigning to selinux-policy.

Comment 7 Martin Nagy 2008-03-11 16:53:08 UTC

Created attachment 297643 [details]
Selinux alerts

I saw these.

Comment 8 Martin Nagy 2008-03-12 15:07:49 UTC

Created attachment 297782 [details]
Audit log

Comment 9 Josef Kubin 2008-03-12 21:30:19 UTC

The new packages are available: http://people.redhat.com/jkubin/selinux/F8/
Test them please, thank you.

Comment 10 Martin Nagy 2008-03-13 08:04:38 UTC

These packages work for me

Comment 11 Tony Fu 2008-10-06 01:27:45 UTC

User jkubin's account has been closed

Comment 12 Daniel Walsh 2008-11-17 22:02:37 UTC

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.