Bug 376621 – selinux prevents squid from accessing pam

Bug 376621 - selinux prevents squid from accessing pam

Summary:	selinux prevents squid from accessing pam

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	8
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Radek Vokal
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-11-11 17:41 EST by Tobias Ottmar
Modified:	2008-11-17 17:02 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-11-17 17:02:37 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Alert from setroubleshoot. (2.45 KB, text/plain) 2007-11-14 09:18 EST, Scott Bambrough	no flags	Details
/etc/pam.d/squid, as requested. (67 bytes, text/plain) 2008-03-11 10:58 EDT, Tobias Ottmar	no flags	Details
/etc/squid/squid.conf, as requested. (145.33 KB, text/plain) 2008-03-11 10:59 EDT, Tobias Ottmar	no flags	Details
Selinux alerts (5.43 KB, text/plain) 2008-03-11 12:53 EDT, Martin Nagy	no flags	Details
Audit log (4.97 KB, text/plain) 2008-03-12 11:07 EDT, Martin Nagy	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Tobias Ottmar 2007-11-11 17:41:58 EST

Description of problem:
Configured squid to use pam_auth (/usr/lib/squid/pam_auth) which authenticates
squid users against local users using pam. Selinux denies this, saying:

avc: denied { execute } for comm=pam_auth dev=md0 name=unix_chkpwd pid=10491
scontext=root:system_r:squid_t:s0 tclass=file
tcontext=system_u:object_r:chkpwd_exec_t:s0 

Version-Release number of selected component (if applicable):
squid-2.6.STABLE16-2.fc8

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:
selinux should allow squid to authenticate local users.

Additional info:
Please contact me if anything is missing. I'm happy to help! :)

Comment 1 Scott Bambrough 2007-11-14 09:17:27 EST

This particular bug also occurs on RHEL 5.1.

Comment 2 Scott Bambrough 2007-11-14 09:18:08 EST

Created attachment 258061 [details]
Alert from setroubleshoot.

Comment 3 Martin Nagy 2008-03-11 08:47:37 EDT

Please attach your /etc/squid/squid.conf and /etc/pam.d/squid
Thanks.

Comment 4 Tobias Ottmar 2008-03-11 10:58:20 EDT

Created attachment 297620 [details]
/etc/pam.d/squid, as requested.

Comment 5 Tobias Ottmar 2008-03-11 10:59:08 EDT

Created attachment 297622 [details]
/etc/squid/squid.conf, as requested.

Comment 6 Martin Nagy 2008-03-11 12:50:16 EDT

Reassigning to selinux-policy.

Comment 7 Martin Nagy 2008-03-11 12:53:08 EDT

Created attachment 297643 [details]
Selinux alerts

I saw these.

Comment 8 Martin Nagy 2008-03-12 11:07:49 EDT

Created attachment 297782 [details]
Audit log

Comment 9 Josef Kubin 2008-03-12 17:30:19 EDT

The new packages are available: http://people.redhat.com/jkubin/selinux/F8/
Test them please, thank you.

Comment 10 Martin Nagy 2008-03-13 04:04:38 EDT

These packages work for me

Comment 11 Tony Fu 2008-10-05 21:27:45 EDT

User jkubin@redhat.com's account has been closed

Comment 12 Daniel Walsh 2008-11-17 17:02:37 EST

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.