Description of problem: When we use squid with pam authentication, we get the following AVC denials: type=AVC msg=audit(1313494716.857:195): avc: denied { create } for pid=1413 comm="pam_auth" scontext=root:system_r:squid_t:s0 tcontext=root:system_r:squid_t:s0 tclass=netlink_audit_socket type=AVC msg=audit(1313494716.858:196): avc: denied { write } for pid=1413 comm="pam_auth" scontext=root:system_r:squid_t:s0 tcontext=root:system_r:squid_t:s0 tclass=netlink_audit_socket type=AVC msg=audit(1313494716.858:196): avc: denied { nlmsg_relay } for pid=1413 comm="pam_auth" scontext=root:system_r:squid_t:s0 tcontext=root:system_r:squid_t:s0 tclass=netlink_audit_socket type=AVC msg=audit(1313494716.858:196): avc: denied { audit_write } for pid=1413 comm="pam_auth" capability=29 scontext=root:system_r:squid_t:s0 tcontext=root:system_r:squid_t:s0 tclass=capability type=AVC msg=audit(1313494716.858:198): avc: denied { read } for pid=1413 comm="pam_auth" scontext=root:system_r:squid_t:s0 tcontext=root:system_r:squid_t:s0 tclass=netlink_audit_socket This was gathered in permissive. Version-Release number of selected component (if applicable): # rpm -q redhat-release selinux-policy squid redhat-release-5Server-5.7.0.3 selinux-policy-2.4.6-316.el5 squid-2.6.STABLE21-6.el5 How reproducible: Deterministic. Steps to Reproduce: 1. Comment out http_access in /etc/squid/squid.conf and add lines like auth_param basic program /usr/lib64/squid/pam_auth acl pam proxy_auth REQUIRED acl all src 0.0.0.0/0.0.0.0 http_access allow pam http_access allow localhost http_access deny all to it, then try to use the squid. Actual results: AVC denials line above, in the case of enforcing the operation fails. Expected results: No AVC denials. Additional info:
We have in RHEL6 auth_domtrans_chk_passwd(squid_t) which allow this.
Fixed in selinux-policy-2.4.6-317.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html