Description of problem:
When using squid with kerberos authentication I get these denials:

----
time->Wed Apr 13 04:57:18 2011
type=SYSCALL msg=audit(1302685038.742:66667): arch=c000003e syscall=2 success=yes exit=4 a0=7ff9db38af90 a1=c2 a2=180 a3=7fffda43ae60 items=0 ppid=26728 pid=26730 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2052 comm="squid_kerb_auth" exe="/usr/lib64/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302685038.742:66667): avc: denied { create } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.742:66667): avc: denied { add_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.742:66667): avc: denied { write } for pid=26730 comm="squid_kerb_auth" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Apr 13 04:57:18 2011
type=SYSCALL msg=audit(1302685038.790:66668): arch=c000003e syscall=82 success=yes exit=0 a0=7ff9db38af90 a1=7ff9db386160 a2=7ff9db38b088 a3=7fffda43af90 items=0 ppid=26728 pid=26730 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=2052 comm="squid_kerb_auth" exe="/usr/lib64/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302685038.790:66668): avc: denied { unlink } for pid=26730 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=2753259 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc: denied { rename } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.790:66668): avc: denied { remove_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" dev=dm-0 ino=2754353 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6

How reproducible:
100%

Steps to Reproduce:
1. configure squid with kerberos
2. try to connect via curl

Actual results:
squid_kerb_auth denials blocking authentication

Expected results:
no denials

Additional info:
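Before choosing a policy interface, it helps to reduce a batch of AVC records like the ones above to the (source type, target type:class, permissions) tuples a rule is written in, and separately to list which objects were hit and how they were labelled. The script below is an added example and is not part of this bug report; its sample input is built from the records quoted above, and the functions read any ausearch or audit.log text on stdin.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials from audit text on stdin.
# avc_records  -> one line per denied permission: src_type tgt_type:class perm name
# avc_summary  -> src_type tgt_type:class { perms... }, the shape of an allow rule
# avc_targets  -> name tgt_type:class, to spot mislabelled objects

avc_records() {
    awk '
    # Value of a key=value field inside one AVC record ("-" if absent).
    function field(r, key) {
        if (match(r, key "=[^ ]+"))
            return substr(r, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return "-"
    }
    # Type component (third field) of a user:role:type:level context.
    function ctx_type(c,  p) { split(c, p, ":"); return p[3] }
    {
        # Bug-tracker text often runs several records onto one line, so split
        # on the record marker instead of trusting line boundaries.
        n = split($0, recs, /type=AVC /)
        for (i = 2; i <= n; i++) {
            r = recs[i]
            if (!match(r, /denied [{] [^}]* [}]/)) continue
            perms = substr(r, RSTART + 9, RLENGTH - 11)   # text between the braces
            src  = ctx_type(field(r, "scontext"))
            tgt  = ctx_type(field(r, "tcontext")) ":" field(r, "tclass")
            name = field(r, "name"); gsub(/"/, "", name)
            m = split(perms, plist, " ")
            for (j = 1; j <= m; j++) print src, tgt, plist[j], name
        }
    }'
}

avc_summary() {
    avc_records | awk '{ print $1, $2, $3 }' | LC_ALL=C sort -u | awk '
    # Fold sorted (src, tgt:class, perm) lines into one line per src/tgt:class.
    {
        k = $1 " " $2
        if (k != prev) {
            if (prev != "") print prev " { " acc " }"
            prev = k; acc = $3
        } else {
            acc = acc " " $3
        }
    }
    END { if (prev != "") print prev " { " acc " }" }'
}

avc_targets() {
    avc_records | awk '{ print $4, $2 }' | LC_ALL=C sort -u
}

# Sample input constructed from the records quoted in this bug report.
SAMPLE_AVCS='type=AVC msg=audit(1302685038.742:66667): avc: denied { create } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1302685038.742:66667): avc: denied { add_name } for pid=26730 comm="squid_kerb_auth" name="krb5_RCRB0OEi" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.742:66667): avc: denied { write } for pid=26730 comm="squid_kerb_auth" name="tmp" dev=dm-0 ino=2752602 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1302685038.790:66668): avc: denied { unlink } for pid=26730 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=2753259 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# Demo on the sample. On a live system: ausearch -m avc -ts recent | avc_summary
echo "== rules needed =="
printf '%s\n' "$SAMPLE_AVCS" | avc_summary
echo "== objects hit =="
printf '%s\n' "$SAMPLE_AVCS" | avc_targets
```

avc_targets is the quicker way to tell a labelling problem from a missing rule: a target whose type differs from its neighbours (here HTTP_23 as user_tmp_t while the other objects under /tmp are tmp_t) needs a relabel or removal rather than another allow line.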
Mirek, could you test it with the following local policy:

policy_module(mysquid, 1.0)
require{
    type squid_t;
}
userdom_manage_user_tmp_dirs(squid_t)
userdom_manage_user_tmp_files(squid_t)
userdom_tmp_filetrans_user_tmp(squid_t, { file dir })
Thanks Mirek, with this module there are no more denials :)

# getenforce
Enforcing
# semodule -l | grep squid
mysquid 1.0
squid 1.9.0
# ausearch -ts recent -m avc
<no matches>
Why is squid touching user_tmp_t? Squid should get its own tmp files, and probably not be writing in /tmp in the first place? Is squid reading the krbcc name of users on the same system, or is it requiring users to provide credentials before using squid?
From what I gather on the web, squid_kerb_auth accepts Negotiate authentication from clients attempting to use the proxy, so it would use a replay cache.
Miroslav V, can you change your mysquid policy to:

policy_module(mysquid, 1.0)
require{
    type squid_t;
}
kerberos_manage_host_rcache(squid_t)

And try that. Not sure if kerberos_manage_host_rcache will be enough.
I think you might end up needing

allow squid_t tmp_t:dir rw_dir_perms;

which should probably be in the kerberos_manage_host_rcache interface.
I added fixes for this to F15 policy.
Dan, using this module

policy_module(mysquid, 1.2)
require{
    type squid_t;
    type tmp_t;
}
kerberos_manage_host_rcache(squid_t)
allow squid_t tmp_t:dir rw_dir_perms;

I still see AVCs like this:

----
time->Wed Apr 13 17:12:46 2011
type=SYSCALL msg=audit(1302707566.512:1696): arch=40000003 syscall=10 success=no exit=-13 a0=1d9df98 a1=0 a2=1e416c a3=1da4084 items=0 ppid=11348 pid=11350 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=219 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302707566.512:1696): avc: denied { unlink } for pid=11350 comm="squid_kerb_auth" name="HTTP_23" dev=dm-0 ino=393454 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
Please remove HTTP_23 and then try. The problem is you probably ran squid by hand, creating the bogusly labelled HTTP_23 file.
Dan, I removed the HTTP_23 and have the module from comment 8 loaded, but it still cannot create the file. I had to enable dontaudit rules to see them:

time->Thu Apr 14 10:20:08 2011
type=SYSCALL msg=audit(1302769208.789:130): arch=40000003 syscall=5 success=no exit=-13 a0=11559b0 a1=2c1 a2=180 a3=2c1 items=0 ppid=11053 pid=11055 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769208.789:130): avc: denied { create } for pid=11055 comm="squid_kerb_auth" name="HTTP_23" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
After putting SELinux into permissive mode I see these AVCs:

time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.042:142): arch=40000003 syscall=5 success=yes exit=3 a0=85e255 a1=8000 a2=1b6 a3=85d4d8 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.042:142): avc: denied { open } for pid=11604 comm="kadmind" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1302769943.042:142): avc: denied { read } for pid=11604 comm="kadmind" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.042:143): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfaebc0c a2=ee6ff4 a3=2870438 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.042:143): avc: denied { getattr } for pid=11604 comm="kadmind" path="/etc/selinux/config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:23 2011
type=SYSCALL msg=audit(1302769943.612:144): arch=40000003 syscall=102 success=no exit=-22 a0=2 a1=bfaec150 a2=4152cc a3=0 items=0 ppid=11603 pid=11604 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="kadmind" exe="/usr/sbin/kadmind" subj=unconfined_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(1302769943.612:144): avc: denied { name_bind } for pid=11604 comm="kadmind" src=756 scontext=unconfined_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
I'm sorry for the previous post of (looks like) unrelated AVCs. The related AVCs seem to be:

time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.125:149): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bf841c1c a2=3ffff4 a3=2ae35f0 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.125:149): avc: denied { getattr } for pid=11732 comm="squid_kerb_auth" path="/etc/selinux/config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
----
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.518:150): arch=40000003 syscall=5 success=yes exit=3 a0=2ae34f0 a1=2c1 a2=180 a3=2c1 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.518:150): avc: denied { create } for pid=11732 comm="squid_kerb_auth" name="HTTP_23" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Thu Apr 14 10:32:59 2011
type=SYSCALL msg=audit(1302769979.124:148): arch=40000003 syscall=5 success=yes exit=3 a0=183255 a1=8000 a2=1b6 a3=1824d8 items=0 ppid=11730 pid=11732 auid=0 uid=23 gid=23 euid=23 suid=23 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=1 comm="squid_kerb_auth" exe="/usr/lib/squid/squid_kerb_auth" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1302769979.124:148): avc: denied { open } for pid=11732 comm="squid_kerb_auth" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1302769979.124:148): avc: denied { read } for pid=11732 comm="squid_kerb_auth" name="config" dev=dm-0 ino=914485 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
# getsebool allow_kerberos
allow_kerberos boolean is enabled on my testing machine:

# getsebool allow_kerberos
allow_kerberos --> on

Strange, but I cannot reproduce the problems I had in comments 10 and 12 anymore. My test is now passing without denials.

# getenforce
Enforcing
# semodule -l | grep mysquid
mysquid 1.2
# cat ~/selinux/mysquid.te
policy_module(mysquid, 1.2)
require{
    type squid_t;
    type tmp_t;
}
kerberos_manage_host_rcache(squid_t)
allow squid_t tmp_t:dir rw_dir_perms;

I think this bug is now resolved, thanks everyone!
Miroslav, I think we also need:

/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
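The steps the thread converged on (the kerberos_manage_host_rcache interface plus rw_dir_perms on tmp_t, the file context for the replay cache, removing the hand-created HTTP_23, and checking for new AVCs) fit in one local-module script. This is an added example, not the module from the comments above: the module name mysquid_local, the build directory and the use of /var/tmp as the rcache location are assumptions; the rules and the file context line are the ones given in this bug.

```shell
#!/bin/sh
# Added example: build and load a local SELinux module for squid_kerb_auth's
# Kerberos replay cache, then clear the mislabelled cache file and verify.
# Assumes selinux-policy-devel (refpolicy Makefile) and policycoreutils.
set -eu

# Write mysquid_local.te and mysquid_local.fc into the directory given as $1.
write_module_sources() {
    dir=$1
    cat > "$dir/mysquid_local.te" <<'EOF'
policy_module(mysquid_local, 1.0)

require {
    type squid_t;
    type tmp_t;
}

# squid_kerb_auth accepts Negotiate tickets, so it keeps a replay cache;
# give squid_t the access to krb5_host_rcache_t files that other
# Kerberos-accepting services already have.
kerberos_manage_host_rcache(squid_t)

# The cache is written as a temporary file and renamed into place, so
# squid_t also needs to add and remove names in the tmp_t directory.
allow squid_t tmp_t:dir rw_dir_perms;
EOF
    cat > "$dir/mysquid_local.fc" <<'EOF'
# Replay cache for the HTTP service principal; 23 is squid's uid (uid=23 in the audit records).
/var/tmp/HTTP_23  --  gen_context(system_u:object_r:krb5_host_rcache_t,s0)
EOF
}

# Compile the sources with the refpolicy devel Makefile and load the module.
build_and_load() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile mysquid_local.pp )
    semodule -i "$dir/mysquid_local.pp"
}

# A cache file left behind by running squid by hand carries the wrong label
# (user_tmp_t in this bug). Remove it so squid_kerb_auth recreates it under
# the new file context, and relabel anything that remains.
reset_rcache() {
    rm -f /var/tmp/HTTP_23
    restorecon -Rv /var/tmp
}

# Confirm the module is loaded and no new squid_kerb_auth denials appear.
verify() {
    getenforce
    semodule -l | grep '^mysquid_local'
    ausearch -m avc -ts recent -c squid_kerb_auth || echo "no recent squid_kerb_auth AVCs"
}

# Usage: sh thisscript.sh apply   (as root, on the squid host)
if [ "${1-}" = "apply" ]; then
    work=$(mktemp -d)
    write_module_sources "$work"
    build_and_load "$work"
    reset_rcache
    verify
fi
```

Keeping the file context in the module's .fc file rather than adding it with semanage means the label travels with the module; if the replay cache ends up under /tmp instead of /var/tmp on a given build, the path in the .fc line is the only thing to adjust.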
Fixed in selinux-policy-3.7.19-86.el6
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html