Description of problem:
See below. Not sure why squid is wanting to look at /mnt, and the recommended fix doesn't work. There seem to be no updates for updates-testing, so I haven't got the fix for squidguard and chcon yet. Maybe this is fixed by that fix. Just thought I'd put it out here. Squid seems to be working fine even though this occurred.

Version-Release number of selected component (if applicable):
See below.

How reproducible:
Seems to happen every time.

Steps to Reproduce:
1. /sbin/service squid start or /sbin/service squid restart
2.
3.

Actual results:
SELinux denial.

Expected results:
squid performs the actions it is entitled to without complaint from SELinux.

Additional info:

Summary:
SELinux is preventing squid (squid_t) "search" to ./mnt (mnt_t).

Detailed Description:
SELinux denied access requested by squid. It is not expected that this access is required by squid and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./mnt, restorecon -v './mnt'. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                unconfined_u:system_r:squid_t:s0
Target Context                system_u:object_r:mnt_t:s0
Target Objects                ./mnt [ dir ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          <Unknown>
Host                          fedora10.sata1
Source RPM Packages           squid-3.0.STABLE13-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     fedora10.sata1
Platform                      Linux fedora10.sata1 2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11 23:14:31 EST 2009 x86_64 x86_64
Alert Count                   153
First Seen                    Sun 22 Feb 2009 03:37:48 PM MST
Last Seen                     Sun 22 Feb 2009 08:16:53 PM MST
Local ID                      1650f44b-d63c-4c70-8649-51da75c15b21
Line Numbers

Raw Audit Messages

node=fedora10.sata1 type=AVC msg=audit(1235359013.551:159152): avc: denied { search } for pid=24514 comm="squid" name="mnt" dev=sda6 ino=1375 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir

node=fedora10.sata1 type=SYSCALL msg=audit(1235359013.551:159152): arch=c000003e syscall=4 success=yes exit=0 a0=7fffb506050a a1=7fffb5060900 a2=7fffb5060900 a3=7fffb505feb0 items=0 ppid=24511 pid=24514 auid=500 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
Is there anything relevant in cache.log?
Here is the last restart cycle from the cache.log. I don't see anything.

2009/02/22 20:16:20| Preparing for shutdown after 76 requests
2009/02/22 20:16:20| Waiting 30 seconds for active connections to finish
2009/02/22 20:16:20| FD 14 Closing HTTP connection
2009/02/22 20:16:51| Shutting down...
2009/02/22 20:16:51| Closing unlinkd pipe on FD 12
2009/02/22 20:16:51| storeDirWriteCleanLogs: Starting...
2009/02/22 20:16:51|   Finished.  Wrote 15 entries.
2009/02/22 20:16:51|   Took 0.00 seconds (14395.39 entries/sec).
CPU Usage: 0.295 seconds = 0.155 user + 0.140 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
	total space in arena:    6144 KB
	Ordinary blocks:         5994 KB     21 blks
	Small blocks:               0 KB      7 blks
	Holding blocks:           936 KB      4 blks
	Free Small blocks:          0 KB
	Free Ordinary blocks:     149 KB
	Total in use:            6930 KB 113%
	Total free:               149 KB 2%
2009/02/22 20:16:51| Squid Cache (Version 3.0.STABLE13): Exiting normally.
2009/02/22 20:16:53| Starting Squid Cache version 3.0.STABLE13 for x86_64-redhat-linux-gnu...
2009/02/22 20:16:53| Process ID 24514
2009/02/22 20:16:53| With 1024 file descriptors available
2009/02/22 20:16:53| DNS Socket created at 0.0.0.0, port 37343, FD 7
2009/02/22 20:16:53| Adding domain ph.cox.net from /etc/resolv.conf
2009/02/22 20:16:53| Adding domain ph.cox.net from /etc/resolv.conf
2009/02/22 20:16:53| Adding nameserver 68.2.16.30 from /etc/resolv.conf
2009/02/22 20:16:53| Adding nameserver 68.2.16.25 from /etc/resolv.conf
2009/02/22 20:16:53| User-Agent logging is disabled.
2009/02/22 20:16:53| Referer logging is disabled.
2009/02/22 20:16:53| Unlinkd pipe opened on FD 12
2009/02/22 20:16:53| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2009/02/22 20:16:53| Swap maxSize 102400 KB, estimated 7876 objects
2009/02/22 20:16:53| Target number of buckets: 393
2009/02/22 20:16:53| Using 8192 Store buckets
2009/02/22 20:16:53| Max Mem  size: 8192 KB
2009/02/22 20:16:53| Max Swap size: 102400 KB
2009/02/22 20:16:53| Version 1 of swap file without LFS support detected...
2009/02/22 20:16:53| Rebuilding storage in /var/spool/squid (CLEAN)
2009/02/22 20:16:53| Using Least Load store dir selection
2009/02/22 20:16:53| Set Current Directory to /var/spool/squid
2009/02/22 20:16:53| Loaded Icons.
2009/02/22 20:16:53| Accepting  HTTP connections at 0.0.0.0, port 3128, FD 14.
2009/02/22 20:16:53| HTCP Disabled.
2009/02/22 20:16:53| Configuring Parent 127.0.0.1/8118/7
2009/02/22 20:16:53| Ready to serve requests.
2009/02/22 20:16:53| Done reading /var/spool/squid swaplog (15 entries)
2009/02/22 20:16:53| Finished rebuilding storage from disk.
2009/02/22 20:16:53|        15 Entries scanned
2009/02/22 20:16:53|         0 Invalid entries.
2009/02/22 20:16:53|         0 With invalid flags.
2009/02/22 20:16:53|        15 Objects loaded.
2009/02/22 20:16:53|         0 Objects expired.
2009/02/22 20:16:53|         0 Objects cancelled.
2009/02/22 20:16:53|         0 Duplicate URLs purged.
2009/02/22 20:16:53|         0 Swapfile clashes avoided.
2009/02/22 20:16:53|   Took 0.04 seconds (395.92 objects/sec).
2009/02/22 20:16:53| Beginning Validation Procedure
2009/02/22 20:16:53|   Completed Validation Procedure
2009/02/22 20:16:53|   Validated 55 Entries
2009/02/22 20:16:53|   store_swap_size = 200
2009/02/22 20:16:54| storeLateRelease: released 0 objects
2009/02/22 20:28:25| tunnelReadServer: FD 20: read failure: (0) Success
Did you happen to be in the /mnt directory when you executed this command?
I can get this AVC to happen if I cd /mnt and execute /etc/init.d/squid restart, but not with service. Confined programs have a bad habit of searching the current working directory when they start, which can generate an AVC like this. The service script does cd / when it is executed, so I am surprised you got this.
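To make the triage described in the comment above repeatable, here is a small parser, added as an example and not part of this bug report or of setroubleshoot, that joins the AVC and SYSCALL records quoted in the report by their audit serial and flags the "lone search on a directory" pattern that points at a current-working-directory lookup. It assumes the arch field c000003e means x86_64 and maps only a handful of syscall numbers; the sample input is constructed from the two records quoted above.

```python
import re

# Constructed sample: the two raw audit records quoted in the report above
# (one AVC, one SYSCALL), linked by the serial in msg=audit(<time>:<serial>).
SAMPLE = """
node=fedora10.sata1 type=AVC msg=audit(1235359013.551:159152): avc: denied { search } for pid=24514 comm="squid" name="mnt" dev=sda6 ino=1375 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
node=fedora10.sata1 type=SYSCALL msg=audit(1235359013.551:159152): arch=c000003e syscall=4 success=yes exit=0 a0=7fffb506050a a1=7fffb5060900 a2=7fffb5060900 a3=7fffb505feb0 items=0 ppid=24511 pid=24514 auid=500 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
"""

# Assumption: arch=c000003e is x86_64; only the numbers of the path-lookup
# syscalls this example cares about are mapped.
X86_64_SYSCALLS = {2: "open", 4: "stat", 6: "lstat", 59: "execve", 80: "chdir"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_records(text):
    """Group records by audit serial: {serial: {"AVC": fields, "SYSCALL": fields}}."""
    events = {}
    for line in text.strip().splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
        events.setdefault(m.group(2), {})[fields["type"]] = fields
    return events


def triage(event):
    """Reduce one event to the facts needed to decide whether it is a CWD lookup."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    sysno = int(sc["syscall"]) if "syscall" in sc else None
    return {
        "source_type": avc["scontext"].split(":")[2],   # squid_t
        "target_type": avc["tcontext"].split(":")[2],   # mnt_t
        "target": avc.get("name"),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "syscall": X86_64_SYSCALLS.get(sysno, str(sysno)),
        # success=yes: the syscall itself returned 0 despite the denial.
        "succeeded": sc.get("success") == "yes",
        # A lone 'search' on a directory during a path-lookup syscall is the
        # signature of a relative-path / CWD lookup described in the comment above.
        "cwd_lookup_suspect": avc["tclass"] == "dir" and avc["perms"] == ["search"],
    }


if __name__ == "__main__":
    for serial, event in parse_records(SAMPLE).items():
        print(serial, triage(event))
```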
Actually I was in the /etc/squid directory while I was doing this. I ran it a few times while tweaking the squid.conf file to see if I could get it to go away. I was logged in as root. This system had been running for a long time without a reboot when I was doing this. Is it possible that could cause problems like this?
I am pretty sure you can ignore it. Anything mounted on /mnt? On a subdir of /mnt?
Yeah, other instances of Fedora, so I can get to their file systems. Mounted as non-check (0 0) from fstab. Updates-testing had the latest SELinux packages and a new kernel, so I rebooted to get the new kernel and did a /.autorelabel so that everything would be consistent with the latest policy. Then cleared out the setroubleshoot log. Will see what happens.
Reopen if it happens again.