Re: [squid-users] SELINUX issue(confined>unconfined)

From: Tiery DENYS <tiery.denys_at_gmail.com>
Date: Tue, 18 May 2010 15:00:05 +0200

Okay,

I have also worked on a similar project (squid/kerberos/selinux).
I installed squid in /usr/local/squid but I had to modify
/etc/selinux/targeted/contexts/files/file_contexts and adapt it to my
squid directory.

/usr/local/squid/etc(/.*)? system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/logs(/.*)? system_u:object_r:squid_log_t:s0
/usr/local/squid/share(/.*)? system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/cache(/.*)? system_u:object_r:squid_cache_t:s0
/usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0
/usr/local/squid/var/logs/squid\.pid -- system_u:object_r:squid_var_run_t:s0
/usr/local/squid/libexec(/.*)? system_u:object_r:lib_t:s0
/usr/local/squid -d system_u:object_r:bin_t:s0
/usr/local/squid/var -d system_u:object_r:var_t:s0

Then restore the contexts (with restorecon, or touch /.autorelabel and reboot).

But I am not sure modifying this file is the best way.
If you update your SELinux policy, the change will not be persistent.

I think it is better to build an SELinux module for our squid.

Tiery
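
Editor's added example, not code from Tiery, Bilal or the Squid project: the two things the reply above does by hand, made persistent. Part 1 turns the file_contexts entries posted above into "semanage fcontext -a" commands, which are stored in file_contexts.local and survive a policy update, unlike edits to the policy's own file_contexts. Part 2 reduces AVC denial records to the .te source of a local module, the same reduction "audit2allow -M" performs, so the denial behind the "TCP connection to 127.0.0.1/3128 failed" lines can be allowed narrowly instead of relabelling the binary unconfined_exec_t (which makes squid run as unconfined_t and removes the confinement entirely). Assumptions: the module name local_squid is arbitrary; the AVC lines are constructed samples, not denials taken from Bilal's machine; the "-f f" / "-f d" letters assume the policycoreutils syntax where -f takes a single file-type letter; 3128 being http_cache_port_t is what the targeted policy normally ships, confirm with "semanage port -l".

```python
"""Persistent labelling and a minimal local module for a hand-built squid.

Editor's example for this thread; the AVC lines are constructed samples.
"""
import re
import shlex
from collections import defaultdict

# file_contexts entry: <regex> [<ftype>] <user>:<role>:<type>:<level>
FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?"
    r"[^:\s]+:[^:\s]+:(?P<type>\w+):\S+$"
)
# file_contexts ftype flag -> letter for 'semanage fcontext -f' (assumed syntax)
FTYPE_TO_SEMANAGE = {"--": "f", "-d": "d", "-c": "c", "-b": "b",
                     "-s": "s", "-l": "l", "-p": "p"}

# The entries Tiery posted, verbatim.
TIERY_FILE_CONTEXTS = r"""
/usr/local/squid/etc(/.*)? system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/logs(/.*)? system_u:object_r:squid_log_t:s0
/usr/local/squid/share(/.*)? system_u:object_r:squid_conf_t:s0
/usr/local/squid/var/cache(/.*)? system_u:object_r:squid_cache_t:s0
/usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0
/usr/local/squid/var/logs/squid\.pid -- system_u:object_r:squid_var_run_t:s0
/usr/local/squid/libexec(/.*)? system_u:object_r:lib_t:s0
/usr/local/squid -d system_u:object_r:bin_t:s0
/usr/local/squid/var -d system_u:object_r:var_t:s0
"""


def fcontext_commands(file_contexts_text):
    """One 'semanage fcontext -a' command per entry (run restorecon -R after)."""
    cmds = []
    for raw in file_contexts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable file_contexts line: %r" % line)
        cmd = ["semanage", "fcontext", "-a"]
        if m.group("ftype"):
            cmd += ["-f", FTYPE_TO_SEMANAGE[m.group("ftype")]]
        cmd += ["-t", m.group("type"), m.group("path")]
        cmds.append(" ".join(shlex.quote(c) for c in cmd))  # regex chars get quoted
    return cmds


# Only the type field of scontext/tcontext matters for an allow rule.
AVC_LINE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)"
)

# Constructed samples: two squid_t workers refused a connect to the parent on
# 3128, a config file left labelled etc_t, and a SYSCALL record to be ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1274171511.392:101): avc:  denied  { name_connect } for  pid=3173 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1274171511.392:101): arch=c000003e syscall=42 success=no exit=-13 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0',
    'type=AVC msg=audit(1274171511.398:102): avc:  denied  { name_connect } for  pid=3175 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1274171512.010:103): avc:  denied  { read } for  pid=3175 comm="squid" name="squidcache.conf" dev=dm-0 ino=262212 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1274171512.010:104): avc:  denied  { open } for  pid=3175 comm="squid" name="squidcache.conf" dev=dm-0 ino=262212 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]


def avc_allow_rules(audit_lines, module_name="local_squid"):
    """Collapse denials into one allow rule per (source, target, class) and
    wrap them in loadable-module source. Read the result before installing:
    the etc_t rule means the file is mislabelled (fix: squid_conf_t), not
    that squid_t should be granted etc_t access.
    """
    perms_by_key = defaultdict(set)
    for line in audit_lines:
        m = AVC_LINE.search(line)
        if m:  # SYSCALL/USER_AVC and other record types carry no AVC fields
            key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
            perms_by_key[key].update(m.group("perms").split())
    types, classes, rules = set(), defaultdict(set), []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        types.update((stype, ttype))
        classes[tclass].update(perms)
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    out = ["module %s 1.0;" % module_name, "", "require {"]
    out += ["    type %s;" % t for t in sorted(types)]
    out += ["    class %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("\n".join(fcontext_commands(TIERY_FILE_CONTEXTS)))
    print(avc_allow_rules(SAMPLE_AUDIT_LINES))
```

Write the .te output to local_squid.te and build and load it with checkmodule -M -m -o local_squid.mod local_squid.te, semodule_package -o local_squid.pp -m local_squid.mod, semodule -i local_squid.pp; after the semanage commands run restorecon -Rv /usr/local/squid. Before shipping a name_connect rule, check whether a policy boolean already covers it (getsebool -a | grep squid), and feed the tool the real audit.log rather than the constructed lines.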

On Tue, May 18, 2010 at 2:34 PM, GIGO . <gigoz_at_msn.com> wrote:
>
> Yes, I am using a compiled version. I have used this command: chcon -t unconfined_exec_t /usr/sbin/squid, and it's working now. Is this a security issue?
>
> regards,
>
> Bilal
> ----------------------------------------
>> Date: Tue, 18 May 2010 14:26:06 +0200
>> From: tiery.denys_at_gmail.com
>> To: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] SELINUX issue(confined>unconfined)
>>
>> Hi,
>>
>> ps -Z => squid_t and getenforce => enforcing
>> squid is started under SELinux.
>>
>> Red Hat/CentOS platform:
>> If squid is installed with yum, squid will be started with a squid_t
>> SELinux context.
>>
>> If you compiled your squid and installed it yourself, you will have to change
>> the squid file contexts manually.
>>
>> As I see you have squid_kerb_plugin, you should have compiled your squid
>> to support Kerberos, no?
>>
>> ---
>>
>> For your problem:
>>
>> try to check the SELinux log:
>> audit2allow -al
>> or cat /var/log/audit/audit.log | audit2allow
>>
>> You can also try to restore the SELinux contexts for all squid files:
>> restorecon -R /etc/squid
>> restorecon -R /var/log/squid
>>
>> etc...
>>
>> or touch /.autorelabel and reboot
>>
>>
>> Tiery
>>
>> On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:
>>>
>>> Dear All,
>>>
>>> Your guidance is required. Please help.
>>>
>>> It looks like the squid process runs by default as a confined process, whether it's a compiled version or the version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?
>>>
>>> [root_at_squidLhr ~]# ps -eZ | grep squid
>>> system_u:system_r:squid_t 3173 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3175 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3177 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3179 ? 00:00:00 squid
>>> system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
>>> system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
>>>
>>>
>>> It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.
>>>
>>> When running as an unconfined process via the following command, the problem was resolved:
>>>
>>> chcon -t unconfined_exec_t /usr/sbin/squid
>>>
>>> However, it does not feel appropriate to me. Please guide me on this.
>>>
>>> I am starting squid with the following init script, in case it has something to do with the problem:
>>>
>>> #!/bin/sh
>>> #
>>> # my script: start/stop the two squid instances (cache parent and main) plus apache
>>> SQUID=/usr/sbin/squid
>>> CACHE_CONF=/etc/squid/squidcache.conf
>>> MAIN_CONF=/etc/squid/squid.conf
>>>
>>> # Kerberos environment for the negotiate helper (currently disabled).
>>> # Exports only take effect if they come before the squid start lines.
>>> #KRB5_KTNAME=/etc/squid/HTTP.keytab
>>> #export KRB5_KTNAME
>>> #KRB5RCACHETYPE=none
>>> #export KRB5RCACHETYPE
>>>
>>> case "$1" in
>>> start)
>>>     # Start the cache parent first; the main instance forwards to it on 3128
>>>     $SQUID -D -sYC -f "$CACHE_CONF"
>>>     $SQUID -D -sYC -f "$MAIN_CONF"
>>>     # The below line is to automatically start apache with system startup
>>>     /usr/sbin/httpd -k start
>>>     ;;
>>> stop)
>>>     # Use the same config files as at start so -k shutdown finds the right pid files
>>>     $SQUID -k shutdown -f "$CACHE_CONF"
>>>     echo "Shutting down squid secondary process"
>>>     $SQUID -k shutdown -f "$MAIN_CONF"
>>>     echo "Shutting down squid main process"
>>>     # The below line is to automatically stop apache at system shutdown
>>>     /usr/sbin/httpd -k stop
>>>     ;;
>>> *)
>>>     echo "Usage: $0 {start|stop}"
>>>     exit 1
>>>     ;;
>>> esac
>>>
>>>
>>> Thanking you & regards,
>>>
>>> Bilal
>>>
>>>
>>> ----------------------------------------
>>>> From: gigoz_at_msn.com
>>>> To: squid-users_at_squid-cache.org
>>>> Date: Tue, 18 May 2010 06:02:35 +0000
>>>> Subject: [squid-users] SELINUX issue
>>>>
>>>> Hi all,
>>>>
>>>> When I change SELinux from permissive mode to enforcing mode, my multiple-instance setup fails to start. Please guide me on how to overcome this.
>>>>
>>>> -----------------------Excerpts from cache.log-----------------
>>>>
>>>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>>>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>>>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>>>> 2010/05/18 10:31:52| 51794 Entries scanned
>>>> 2010/05/18 10:31:52| 0 Invalid entries.
>>>> 2010/05/18 10:31:52| 0 With invalid flags.
>>>> 2010/05/18 10:31:52| 51794 Objects loaded.
>>>> 2010/05/18 10:31:52| 0 Objects expired.
>>>> 2010/05/18 10:31:52| 0 Objects cancelled.
>>>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>>>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>>>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>>>> 2010/05/18 10:31:52| Beginning Validation Procedure
>>>> 2010/05/18 10:31:52| Completed Validation Procedure
>>>> 2010/05/18 10:31:52| Validated 103614 Entries
>>>> 2010/05/18 10:31:52| store_swap_size = 913364
>>>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>>>> 2010/05/18 10:31:52| always_direct = 0
>>>> 2010/05/18 10:31:52| never_direct = 1
>>>> 2010/05/18 10:31:52| timedout = 0
>>>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>>>
>>>> --------------------------------------------------------------------------------------------
>>>>
>>>> regards,
>>>>
>>>> Bilal
Received on Tue May 18 2010 - 13:00:15 MDT

This archive was generated by hypermail 2.2.0 : Wed May 19 2010 - 12:00:06 MDT