Description of problem:SELinux is preventing squidGuard (squid_t) "read" squid_log_t. Aug 21 10:39:08 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7 Aug 21 10:43:35 ls2ka squid[4778]: Squid Parent: child process 4781 exited with status 0 Aug 21 10:44:54 ls2ka clamd.scan[2280]: SelfCheck: Database status OK. Aug 21 10:45:05 ls2ka squid[8198]: Squid Parent: child process 8201 started Aug 21 10:45:07 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7 Aug 21 10:45:07 ls2ka setroubleshoot: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. For complete SELinux messages. run sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7 ^C [root@ls2ka ~]# sealert -l 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7 Summary: SELinux is preventing squidGuard (squid_t) "read" squid_log_t. Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by squidGuard. It is not expected that this access is required by squidGuard and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:system_r:squid_t:s0 Target Context unconfined_u:object_r:squid_log_t:s0 Target Objects /var/log/squid/squidGuard.log [ lnk_file ] Source squidGuard Source Path /usr/bin/squidGuard Port <Unknown> Host ls2ka.elton-intra.net Source RPM Packages squidGuard-1.4-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-72.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall Host Name ls2ka.elton-intra.net Platform Linux ls2ka.elton-intra.net 2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14 20:52:46 EDT 2009 i686 i686 Alert Count 3 First Seen Fri Aug 21 10:39:07 2009 Last Seen Fri Aug 21 10:45:05 2009 Local ID 8e502b61-7ec5-4ceb-be4e-e6ffde72d2c7 Line Numbers Raw Audit Messages node=ls2ka.elton-intra.net type=AVC msg=audit(1250844305.747:50066): avc: denied { read } for pid=8210 comm="squidGuard" name="squidGuard.log" dev=sda2 ino=1318707 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_log_t:s0 tclass=lnk_file node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250844305.747:50066): arch=40000003 syscall=5 success=yes exit=3 a0=bf85c83c a1=441 a2=1b6 a3=80f4008 items=0 ppid=8201 pid=8210 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1236 comm="squidGuard" exe="/usr/bin/squidGuard" subj=unconfined_u:system_r:squid_t:s0 key=(null)
Miroslav could you add the following to squid.te manage_dirs_pattern(squid_t, squid_log_t, squid_log_t) manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
Fixed in selinux-policy-3.6.12-80.fc11
selinux-policy-3.6.12-80.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-80.fc11
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-8895
It seems to be working, thank you.
selinux-policy-3.6.12-80.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
scontext=unconfined_u:system_r:squid_t is back in FC13: Jul 5 10:31:55 ls2ka squid[9829]: Squid Parent: child process 9831 started Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32224): avc: denied { write } for pid=9834 comm="squidGuard" name="tmp" dev=sda2 ino=1267316 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32225): avc: denied { add_name } for pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32226): avc: denied { create } for pid=9834 comm="squidGuard" name="BDB09834" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32227): avc: denied { read write open } for pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32228): avc: denied { remove_name } for pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Jul 5 10:31:56 ls2ka kernel: type=1400 audit(1278318716.088:32229): avc: denied { unlink } for pid=9834 comm="squidGuard" name="BDB09834" dev=sda2 ino=1267393 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
Changed version to 13.
Not seeing this SELinux message anymore in /var/log/messages. I suppose it has been solved already in one of the policy updates. Regards. Eddie.