Hey Walter,
I do not yet know of a way to get SELinux to work nicely with squid.
I do know it can be done with enough knowledge and a couple of additions.
If anyone is an SELinux expert or can just find the appropriate way of
handling squid conflicts with SELinux I would be happy to try to push
these into the RPMs.
For now the suggestion is to set the SELinux policy to permissive, while on
most squid systems (dedicated) you won't force SELinux, but I am still not
sure why.
Fedora has some docs about it:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html
This policy setting might help with something:
setsebool -P squid_connect_any 1
And a couple of notes at Red Hat:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html
Can you share the errors you see in the logs? Either the squid logs or the messages log?
Are you using a cache_dir?
There is also a demonstration on how to create a SELinux module\policy
for qlproxy:
http://sichent.wordpress.com/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/
I hope it helps.
Eliezer
On 08/12/13 22:34, Walter H. wrote:
> Hello,
>
> I have the ident problem as here:
> http://comments.gmane.org/gmane.comp.web.squid.general/99601
>
> SELinux=enforcing prevents running squid ...
>
> my system: a CentOS 6.5, squid-3.3.11
>
> ./configure --enable-ssl
> --enable-ssl-crtd
> --disable-htcp
> --disable-eui
> --disable-snmp
> --enable-useragent-log
> --enable-referer-log
> --enable-cachemgr-hostname=localhost
> --prefix=/usr
> --includedir=/usr/include
> --datadir=/usr/share
> --bindir=/usr/sbin
> --libexecdir=/usr/lib/squid
> --localstatedir=/var
> --sysconfdir=/etc/squid
> --with-dl
> --with-openssl
> --with-pthreads
> --with-logdir=/var/log/squid
> --with-default-user=squid
>
> can someone give me a hint, what to do?
>
> by the way, the binary packages from here:
> http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOS
> have the same problem ...
>
> Thanks,
> Walter
>
>
Received on Mon Dec 09 2013 - 05:35:47 MST
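
Added example (not part of the original thread, and not code from the Squid project): a small Python triage script for the log-sharing step Eliezer asks for above. It groups SELinux AVC denials by permission, object class and target type; the sample log lines are constructed, and squid_t as the proxy's domain is an assumption based on the standard targeted policy.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from Walter's system): auditd-style
# records, one kernel record as it appears in /var/log/messages, and noise.
# On a real host, read /var/log/audit/audit.log or /var/log/messages instead.
SAMPLE_LOG = """\
type=AVC msg=audit(1386536087.101:201): avc:  denied  { name_connect } for  pid=2101 comm="squid" dest=8081 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1386536090.412:202): avc:  denied  { name_connect } for  pid=2101 comm="squid" dest=8443 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Dec  8 22:35:02 proxy kernel: type=1400 audit(1386536102.007:203): avc:  denied  { write } for  pid=2101 comm="squid" name="cache" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1386536110.250:204): avc:  denied  { read } for  pid=3001 comm="httpd" name="x" dev=dm-0 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1386536110.250:204): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other lines."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    record = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    record["perms"] = match.group("perms").split()
    return record


def summarize_denials(log_text, domain="squid_t"):
    """Count denials from `domain`, keyed by (permission, class, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None or context_type(record.get("scontext", "")) != domain:
            continue
        target = context_type(record.get("tcontext", ""))
        for perm in record["perms"]:
            counts[(perm, record.get("tclass", "?"), target)] += 1
    return counts


if __name__ == "__main__":
    for (perm, tclass, target), n in summarize_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {perm:<14} {tclass:<12} {target}")
```

A name_connect denial on tcp_socket is the kind of outbound-port restriction that the squid_connect_any boolean mentioned above relaxes. Denials on files or directories point instead at the labelling of paths such as a cache_dir.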