Bug 665717 - SELinux is preventing /usr/lib/squid/cachemgr.cgi from 'name_connect' accesses on the tcp_socket port 3128.
Summary: SELinux is preventing /usr/lib/squid/cachemgr.cgi from 'name_connect' accesse...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a61e125583d...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-26 12:02 UTC by Michael Chapman
Modified: 2011-01-17 20:51 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.9.7-20.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-17 20:51:50 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michael Chapman 2010-12-26 12:02:32 UTC
SELinux is preventing /usr/lib/squid/cachemgr.cgi from 'name_connect' accesses on the tcp_socket port 3128.

Additional Information:
Source Context                system_u:system_r:httpd_squid_script_t:SystemLow
Target Context                system_u:object_r:squid_port_t:SystemLow
Target Objects                port 3128 [ tcp_socket ]
Source                        cachemgr.cgi
Source Path                   /usr/lib/squid/cachemgr.cgi
Port                          3128
Host                          (removed)
Source RPM Packages           squid-3.1.9-3.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux beren.home 2.6.35.9-64.0mac1.fc14.i686 #1
                              SMP Tue Dec 7 06:36:17 EST 2010 i686 i686
Alert Count                   2
First Seen                    Sun 26 Dec 2010 22:42:28 EST
Last Seen                     Sun 26 Dec 2010 22:42:35 EST
Local ID                      009ee2eb-1551-4afb-8143-dc6404cd1c08

Raw Audit Messages
type=AVC msg=audit(1293363755.905:557): avc:  denied  { name_connect } for  pid=8558 comm="cachemgr.cgi" dest=3128 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1293363755.905:557): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bf81abc0 a2=8dce48 a3=3 items=0 ppid=6149 pid=8558 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=cachemgr.cgi exe=/usr/lib/squid/cachemgr.cgi subj=system_u:system_r:httpd_squid_script_t:s0 key=(null)
cachemgr.cgi,httpd_squid_script_t,squid_port_t,tcp_socket,name_connect

#============= httpd_squid_script_t ==============
allow httpd_squid_script_t squid_port_t:tcp_socket name_connect;

Comment 1 Michael Chapman 2010-12-26 12:18:54 UTC
Squid's default port is 3128, squid_port_t. cachemgr.cgi needs to be able to connect to this, however the SELinux policy only allows it to connect to port 8080, httpd_cache_port_t:

    # policy/modules/services/squid.te, line 187
    corenet_tcp_connect_http_cache_port(httpd_squid_script_t)

Comment 2 Daniel Walsh 2010-12-28 12:18:27 UTC
Seems reasonable.

Comment 3 Miroslav Grepl 2011-01-03 08:57:07 UTC
Fixed in selinux-policy-3.9.7-20.fc14

Comment 4 Fedora Update System 2011-01-04 18:00:45 UTC
selinux-policy-3.9.7-20.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14

Comment 5 Fedora Update System 2011-01-05 21:21:28 UTC
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14

Comment 6 Fedora Update System 2011-01-17 20:50:58 UTC
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.