Bug 376621 - selinux prevents squid from accessing pam
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Radek Vokal
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-11 22:41 UTC by Tobias Ottmar
Modified: 2008-11-17 22:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-11-17 22:02:37 UTC

Attachments
Alert from setroubleshoot. (2.45 KB, text/plain)
2007-11-14 14:18 UTC, Scott Bambrough
/etc/pam.d/squid, as requested. (67 bytes, text/plain)
2008-03-11 14:58 UTC, Tobias Ottmar
/etc/squid/squid.conf, as requested. (145.33 KB, text/plain)
2008-03-11 14:59 UTC, Tobias Ottmar
Selinux alerts (5.43 KB, text/plain)
2008-03-11 16:53 UTC, Martin Nagy
Audit log (4.97 KB, text/plain)
2008-03-12 15:07 UTC, Martin Nagy

Description Tobias Ottmar 2007-11-11 22:41:58 UTC
Description of problem:
Configured squid to use pam_auth (/usr/lib/squid/pam_auth) which authenticates
squid users against local users using pam. Selinux denies this, saying:

avc: denied { execute } for comm=pam_auth dev=md0 name=unix_chkpwd pid=10491
scontext=root:system_r:squid_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:
selinux should allow squid to authenticate local users.

Additional info:
Please contact me if anything is missing. I'm happy to help! :)

Comment 1 Scott Bambrough 2007-11-14 14:17:27 UTC
This particular bug also occurs on RHEL 5.1.

Comment 2 Scott Bambrough 2007-11-14 14:18:08 UTC
Created attachment 258061
Alert from setroubleshoot.

Comment 3 Martin Nagy 2008-03-11 12:47:37 UTC
Please attach your /etc/squid/squid.conf and /etc/pam.d/squid.

Comment 4 Tobias Ottmar 2008-03-11 14:58:20 UTC
Created attachment 297620
/etc/pam.d/squid, as requested.

Comment 5 Tobias Ottmar 2008-03-11 14:59:08 UTC
Created attachment 297622
/etc/squid/squid.conf, as requested.

Comment 6 Martin Nagy 2008-03-11 16:50:16 UTC
Reassigning to selinux-policy.

Comment 7 Martin Nagy 2008-03-11 16:53:08 UTC
Created attachment 297643
Selinux alerts

I saw these.

Comment 8 Martin Nagy 2008-03-12 15:07:49 UTC
Created attachment 297782
Audit log

Comment 9 Josef Kubin 2008-03-12 21:30:19 UTC
The new packages are available: http://people.redhat.com/jkubin/selinux/F8/
Test them please, thank you.

Comment 10 Martin Nagy 2008-03-13 08:04:38 UTC
These packages work for me.

Comment 11 Tony Fu 2008-10-06 01:27:45 UTC
User jkubin@redhat.com's account has been closed

Comment 12 Daniel Walsh 2008-11-17 22:02:37 UTC
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
