Bug 518605 - SELinux is preventing squidGuard (squid_t) "read" squid_log_t.
Summary: SELinux is preventing squidGuard (squid_t) "read" squid_log_t.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-21 08:51 UTC by Eddie Lania
Modified: 2010-08-02 19:42 UTC (History)
1 user (show)

Fixed In Version: 3.6.12-80.fc11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-02 19:42:43 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Eddie Lania 2009-08-21 08:51:46 UTC 
Description of problem:SELinux is preventing squidGuard (squid_t) "read" squid_log_t.

Aug 21 10:39:08 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
Aug 21 10:43:35 ls2ka squid[4778]: Squid Parent: child process 4781 exited with status 0
Aug 21 10:44:54 ls2ka clamd.scan[2280]: SelfCheck: Database status OK.
Aug 21 10:45:05 ls2ka squid[8198]: Squid Parent: child process 8201 started
Aug 21 10:45:07 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
Aug 21 10:45:07 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
^C
[root@ls2ka ~]# sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7

Summary:

SELinux is preventing squidGuard (squid_t) "read" squid_log_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by squidGuard. It is not expected that this
access is required by squidGuard and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:squid_t:s0
Target Context                unconfined_u:object_r:squid_log_t:s0
Target Objects                /var/log/squid/squidGuard.log [ lnk_file ]
Source                        squidGuard
Source Path                   /usr/bin/squidGuard
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           squidGuard-1.4-4.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14
                              20:52:46 EDT 2009 i686 i686
Alert Count                   3
First Seen                    Fri Aug 21 10:39:07 2009
Last Seen                     Fri Aug 21 10:45:05 2009
Local ID                      8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1250844305.747:50066): avc:  denied  { read } for  pid=8210 comm="squidGuard" name="squidGuard.log" dev=sda2 ino=1318707 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_log_t:s0 tclass=lnk_file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250844305.747:50066): arch=40000003 syscall=5 success=yes exit=3 a0=bf85c83c a1=441 a2=1b6 a3=80f4008 items=0 ppid=8201 pid=8210 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1236 comm="squidGuard" exe="/usr/bin/squidGuard" subj=unconfined_u:system_r:squid_t:s0 key=(null)
Comment 1 Daniel Walsh 2009-08-21 22:33:29 UTC 
Miroslav could you add the following to squid.te

manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
Comment 2 Miroslav Grepl 2009-08-24 15:40:04 UTC 
Fixed in selinux-policy-3.6.12-80.fc11
Comment 3 Fedora Update System 2009-08-24 15:44:48 UTC 
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11
Comment 4 Fedora Update System 2009-08-25 04:26:31 UTC 
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895
Comment 5 Eddie Lania 2009-08-28 16:49:09 UTC 
It seems to be working, thank you.
Comment 6 Fedora Update System 2009-08-28 21:56:30 UTC 
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Eddie Lania 2010-07-05 08:42:12 UTC 
scontext=unconfined_u:system_r:squid_t is back in FC13:

Jul  5 10:31:55 ls2ka squid[9829]: Squid Parent: child process 9831 started
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32224): avc:  denied  { write } for  pid=9834 comm="squidGuard" name="tmp" dev=sda2 ino=1267316 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32225): avc:  denied  { add_name } for  pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32226): avc:  denied  { create } for  pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32227): avc:  denied  { read write open } for  pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32228): avc:  denied  { remove_name } for  pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
Jul  5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32229): avc:  denied  { unlink } for  pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Comment 8 Jeff Raber 2010-07-14 15:44:20 UTC 
Changed version to 13.
Comment 9 Eddie Lania 2010-08-02 19:42:13 UTC 
Not seeing this SELinux message anymore in /var/log/messages. I suppose it has been solved already in one of the policy updates.

Regards.

Eddie.
Note You need to log in before you can comment on or make changes to this bug.