Re: [squid-users] SELINUX issue(confined>unconfined)

From: Tiery DENYS <tiery.denys_at_gmail.com>
Date: Tue, 18 May 2010 14:26:06 +0200

Hi,

ps -Z => squid_t and getenforce => enforcing
squid is started with selinux

Redhat/centos platform:
If squid is installed with yum, squid will be started with a squid_t
selinux context.

If you compiled and installed your own squid, you will have to change
the squid file contexts manually.

As I see you have squid_kerb_plugin, you should have compiled your squid
to support Kerberos, no?

---
For your problem:
try to check selinux log:
audit2allow -al
or cat /var/log/audit/audit.log | audit2allow
You can also try to restore selinux context for all squid files:
restorecon -R /etc/squid
restorecon -R /var/log/squid
etc...
or touch /.autorelabel and reboot
Tiery
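The two checks Tiery lists above (read the AVC denials, then restore file contexts) as a small script. This is an added example, not code from the thread or from the squid project: the audit records are constructed in the format of /var/log/audit/audit.log, the PIDs, target types and the /usr/local/squid path are hypothetical, and the relabel helper is only meant to be run on a real SELinux host.

```shell
#!/bin/sh
# Added example (not from the thread): summarize SELinux AVC denials for one
# source domain, and show the persistent way to label a self-compiled squid
# binary instead of moving it to unconfined_exec_t.

# Constructed sample records in audit.log format (hypothetical PIDs, inodes,
# target types and paths); only the first three belong to squid_t.
SAMPLE_AUDIT='type=AVC msg=audit(1274171511.123:45): avc:  denied  { read } for  pid=3173 comm="squid" name="squidcache.conf" dev=sda1 ino=1234 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274171511.124:46): avc:  denied  { name_connect } for  pid=3173 comm="squid" dest=3128 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1274171511.124:46): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1274171512.000:47): avc:  denied  { write } for  pid=3179 comm="squid" name="cache.log" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1274171512.001:48): avc:  denied  { execute } for  pid=999 comm="httpd" name="foo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file'

# summarize_avc DOMAIN  (audit records on stdin)
# Prints one line per distinct "tclass permission target_type" seen in AVC
# denials whose source domain is DOMAIN, with a count, sorted. This is the
# same information audit2allow would turn into allow rules; reading it first
# tells you whether the fix is a relabel (wrong tcontext on a file) or a
# genuine policy gap.
summarize_avc() {
  domain=$1
  awk -v dom="$domain" '
    /^type=AVC / && / denied / {
      perm = ""; sc = ""; tc = ""; cls = ""
      # permission set sits between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") sc = kv[2]
        if (kv[1] == "tcontext") tc = kv[2]
        if (kv[1] == "tclass")   cls = kv[2]
      }
      split(sc, s, ":"); split(tc, t, ":")   # user:role:type:level
      if (s[3] == dom) count[cls " " perm " " t[3]]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# relabel_squid [BINARY]
# Persistent labelling for a self-compiled squid. A chcon change is lost on
# the next relabel (touch /.autorelabel), while a semanage fcontext rule is
# kept in the policy store and reapplied by restorecon. Needs root and an
# SELinux host; not executed here.
relabel_squid() {
  bin=${1:-/usr/local/squid/sbin/squid}   # hypothetical install path
  semanage fcontext -a -t squid_exec_t "$bin"
  restorecon -v "$bin"
  restorecon -Rv /etc/squid /var/log/squid /var/spool/squid
}

# Demo on the constructed records: only the squid_t denials are reported.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc squid_t
```

On a live host, replace the sample with `summarize_avc squid_t < /var/log/audit/audit.log` (or pipe `ausearch -m AVC` into it). A `file` denial against user_home_t or var_log_t points at a mislabelled file and is answered with restorecon, not with a custom allow rule; only denials that remain after the labels are correct are candidates for audit2allow.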
On Tue, May 18, 2010 at 9:47 AM, GIGO . <gigoz_at_msn.com> wrote:
>
> Dear All,
>
> Your guidance is required. Please help.
>
> It looks like the squid process runs by default as a confined process, whether it is a compiled version or the version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?
>
> [root_at_squidLhr ~]# ps -eZ | grep squid
> system_u:system_r:squid_t        3173 ?        00:00:00 squid
> system_u:system_r:squid_t        3175 ?        00:00:00 squid
> system_u:system_r:squid_t        3177 ?        00:00:00 squid
> system_u:system_r:squid_t        3179 ?        00:00:00 squid
> system_u:system_r:squid_t        3222 ?        00:00:00 unlinkd
> system_u:system_r:squid_t        3223 ?        00:00:00 unlinkd
>
>
> It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost(3128) manually. The other process starts normally if I do it manually.
>
> When running as an unconfined process by the following command, the problem was resolved:
>
> chcon -t unconfined_exec_t /usr/sbin/squid
>
> However, it does not feel appropriate to me. Please guide me on this.
>
>
>
> I am starting squid with the following init script if it has something to do with the problem:
>
> #!/bin/sh
> #
> # my script
> case "$1" in
>   start)
>     /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
>     /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
>     # The below line is to automatically start apache with system startup
>     /usr/sbin/httpd -k start
>     #KRB5_KTNAME=/etc/squid/HTTP.keytab
>     #export KRB5_KTNAME
>     #KRB5RCACHETYPE=none
>     #export KRB5RCACHETYPE
>     ;;
>   stop)
>     /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
>     echo "Shutting down squid secondary process"
>     /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
>     echo "Shutting down squid main process"
>     # The below line is to automatically stop apache at system shutdown
>     /usr/sbin/httpd -k stop
>     ;;
> esac
>
>
> Thanking you & regards,
>
> Bilal
>
>
> ----------------------------------------
>> From: gigoz_at_msn.com
>> To: squid-users_at_squid-cache.org
>> Date: Tue, 18 May 2010 06:02:35 +0000
>> Subject: [squid-users] SELINUX issue
>>
>>
>> Hi all,
>>
>> When I change SELinux from permissive mode to enforcing mode, my multiple-instance setup fails to start. Please guide me on how to overcome this.
>>
>> -----------------------Excerpts from cache.log-----------------
>>
>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>> 2010/05/18 10:31:52| 51794 Entries scanned
>> 2010/05/18 10:31:52| 0 Invalid entries.
>> 2010/05/18 10:31:52| 0 With invalid flags.
>> 2010/05/18 10:31:52| 51794 Objects loaded.
>> 2010/05/18 10:31:52| 0 Objects expired.
>> 2010/05/18 10:31:52| 0 Objects cancelled.
>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>> 2010/05/18 10:31:52| Beginning Validation Procedure
>> 2010/05/18 10:31:52| Completed Validation Procedure
>> 2010/05/18 10:31:52| Validated 103614 Entries
>> 2010/05/18 10:31:52| store_swap_size = 913364
>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>> 2010/05/18 10:31:52| always_direct = 0
>> 2010/05/18 10:31:52| never_direct = 1
>> 2010/05/18 10:31:52| timedout = 0
>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>
>> --------------------------------------------------------------------------------------------
>>
>>
>> regards,
>>
>> Bilal
Received on Tue May 18 2010 - 12:26:14 MDT

This archive was generated by hypermail 2.2.0 : Tue May 18 2010 - 12:00:05 MDT