Hey Fernando,
First thanks!
It indeed helps a lot since there were issues I didn't know how to look at.
I am hoping to release the RPM next week but I will include the selinux
rules only on the next release due to the overhead of packing it.
I might be able to package it in another external package not related
directly to the squid package, which seems reasonable to me.
About the ulimit related issue:
It's an option to use sysconfig for this option and I will consider it
in the next releases.
Eliezer
On 05/08/2014 09:15 PM, fernando_at_lozano.eti.br wrote:
> Hi there,
>
> First of all, thanks Eliezer for providing the packages!
>
> The package installed and ran fine with the default, single process
> config. I'm trying to follow best-practices like keeping SELinux enabled
> (enforcing) and I was happy to see the packages follow the standard
> targeted policies included on CentOS 6.5.
>
> But, when I tried an SMP setup, I got some SELinux AVCs.
>
> Those were related to the socket files used for IPC between workers and
> coordinator, and shm files for shared cache_mem and (I guess) rock store.
>
> Here are the relevant settings from my squid.conf (this is my test
> machine, the production one has more RAM, cores and disk):
>
> --- SNIP ---
> workers 2
> cache_mem 1024 MB
> cache_dir rock /cache/shared 2000 min-size=1 max-size=31000 max-swap-rate=250 swap-timeout=350
> cache_dir aufs /cache/worker${process_number} 2000 16 256 min-size=31001 max-size=346030080
> --- SNIP ---
>
> I followed standard advice and ran audit2allow to build additional SELinux
> policy modules. After everything was working fine, I took the time to
> build and test a consolidated policy module. Here it is:
>
> --- squid-smp.te ---
> module squid-smp 1.0;
>
> # for ipc channels between kids/workers
> require {
>     type var_run_t;
>     type squid_t;
>     class sock_file { create write };
> }
> allow squid_t var_run_t:sock_file { create write };
>
> # for shm used by cache_mem and rock store(?)
> require {
>     type squid_t;
>     type tmpfs_t;
>     class dir { remove_name add_name write };
>     class file { unlink create };
> }
> allow squid_t tmpfs_t:dir { remove_name write add_name };
> allow squid_t tmpfs_t:file { unlink create };
> --- squid-smp.te ---
>
> To compile and install this policy module, please run:
>
> # checkmodule -M -m -o squid-smp.mod squid-smp.te
> # semodule_package -o squid-smp.pp -m squid-smp.mod
> # semodule -i squid-smp.pp
>
> I hope Eliezer can add this to the next update to his packages, so
> others can try SMP without fighting with SELinux.
>
> But, as I'm not so experienced with SELinux, I'd be glad to receive
> advice on how to make this policy more strict, more "secure".
>
> For example, I guess I could use squid_var_run_t instead of using
> var_run_t, to have a more specific fcontext for squid IPC files. I know
> how to do this manually:
>
> # semanage fcontext -a -t squid_var_run_t "/var/run/squid(/.*)?"
> # restorecon -Fv /var/run/squid/
>
> But I don't know how to add this to the policy file.
>
> I also guess I could be more strict about the shm files (tmpfs_t) but I
> don't know how to do this.
>
> Another hurdle I had with the RPM packages was about setting ulimit
> nofile. I'm used to adding them to /etc/security/limits.conf and this works
> for CentOS init.d scripts, but not for the squid script.
>
> My solution was to add a line to /etc/sysconfig/squid:
> ulimit -n 32768
>
> But maybe I should edit the init.d/squid script to use function daemon()
> from /etc/init.d/functions or runuser like other CentOS init.d scripts do.
>
> Well, I hope my findings and ideas can be useful to other CentOS/RHEL
> admins, and someone there can help me make the squid RPM more "Red
> Hat-ish".
>
>
> []s, Fernando Lozano
>
Received on Thu May 15 2014 - 01:25:50 MDT
This archive was generated by hypermail 2.2.0 : Thu May 15 2014 - 12:00:09 MDT
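A tightened version of the module above, answering the two "how do I make this stricter" questions in the quoted post; this is an added example, not code from the post or from the RPM. It assumes the base policy already defines squid_var_run_t (named in the post) and squid_tmpfs_t (an assumption, flagged in the comments), and that the .fc file is packed into the module with `semodule_package -f`.

```selinux
# --- squid-smp.fc ---  (assumption: kept next to squid-smp.te, packed with semodule_package -f)
# Label the IPC directory and everything below it with the squid-specific type
# instead of the generic var_run_t, so the allow rules apply to that tree only.
/var/run/squid(/.*)?    system_u:object_r:squid_var_run_t:s0

# --- squid-smp.te ---
module squid-smp 1.1;

require {
    type squid_t;
    type squid_var_run_t;
    type tmpfs_t;
    # Assumption: squid_tmpfs_t exists in the base policy (check: seinfo -t squid_tmpfs_t).
    # If it does not, drop the three squid_tmpfs_t lines and keep the original
    # "tmpfs_t:file { unlink create }" rule from the post instead.
    type squid_tmpfs_t;
    class dir { search write add_name remove_name };
    class sock_file { create write unlink getattr setattr };
    class file { create read write open unlink getattr };
}

# IPC sockets between the coordinator and the kids, confined to the
# squid-labelled directory. Anything the base policy already grants is
# harmlessly duplicated here.
allow squid_t squid_var_run_t:dir { search write add_name remove_name };
allow squid_t squid_var_run_t:sock_file { create write unlink getattr setattr };

# Shared memory for cache_mem and the rock store is created under /dev/shm
# (tmpfs_t). Squid only needs to change directory entries there; the segments
# themselves are created as squid_tmpfs_t via the transition, so the broad
# tmpfs_t:file rule is no longer needed.
allow squid_t tmpfs_t:dir { search write add_name remove_name };
type_transition squid_t tmpfs_t:file squid_tmpfs_t;
allow squid_t squid_tmpfs_t:file { create read write open unlink getattr };
```

Build it with the three commands from the post, adding `-f squid-smp.fc` to the `semodule_package` step, then run `restorecon -Rv /var/run/squid` and restart Squid so existing sockets and shm segments pick up the new labels.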