SELinux, Squid and adzap
by David Niemi
I am trying to get squid to run as an accelerator and also do ad zapping
with Cameron Simpson's AdZap routine. I am getting lots of SELinux
errors when squid tries to run the zapping script, and also when squid
does something with swap.state and the swap log.
Setting the SELinux protection off for squid still results in the error
about swap.state and the swap log.
So it seems that I need to change something in the SELinux context for
squid and the adzap scripts, but I have no real idea how to go about it. I
tried relabeling but that didn't do it.
What can I do to remedy this?
from messages
Jul 10 11:33:08 rhonda ntpd[2467]: frequency initialized -12.030 PPM
from /var/lib/ntp/drift
Jul 10 11:33:08 rhonda squid[2519]: Squid Parent: child process 2522
started
Jul 10 11:33:09 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
swap log.
Jul 10 11:33:09 rhonda squid[2519]: Squid Parent: child process 2522
exited due to signal 6
Jul 10 11:33:12 rhonda squid[2519]: Squid Parent: child process 2533
started
Jul 10 11:33:12 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
swap log.
Jul 10 11:33:12 rhonda squid[2519]: Squid Parent: child process 2533
exited due to signal 6
Jul 10 11:33:15 rhonda squid[2519]: Squid Parent: child process 2544
started
Jul 10 11:33:15 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
swap log.
Jul 10 11:33:15 rhonda squid[2519]: Squid Parent: child process 2544
exited due to signal 6
Jul 10 11:33:18 rhonda squid[2519]: Squid Parent: child process 2555
started
Jul 10 11:33:18 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
swap log.
Jul 10 11:33:18 rhonda squid[2519]: Squid Parent: child process 2555
exited due to signal 6
Jul 10 11:33:21 rhonda squid[2519]: Squid Parent: child process 2569
started
Jul 10 11:33:22 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
swap log.
Jul 10 11:33:22 rhonda squid[2519]: Squid Parent: child process 2569
exited due to signal 6
Jul 10 11:33:22 rhonda squid[2519]: Exiting due to repeated, frequent
failures
from audit
type=SYSCALL msg=audit(1121009601.928:43072): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
type=AVC msg=audit(1121009601.928:43072): avc: denied { name_connect }
for pid=2569 comm="squid" dest=32811 scontext=system_u:system_r:squid_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SOCKETCALL msg=audit(1121009601.929:43096): nargs=3 a0=7
a1=bfcc06ec a2=10
type=SOCKADDR msg=audit(1121009601.929:43096):
saddr=0200802D7F0000010000000000000000
type=SYSCALL msg=audit(1121009601.929:43096): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
type=AVC msg=audit(1121009601.929:43096): avc: denied { name_connect }
for pid=2569 comm="squid" dest=32813 scontext=system_u:system_r:squid_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SOCKETCALL msg=audit(1121009601.930:43120): nargs=3 a0=7
a1=bfcc06ec a2=10
type=SOCKADDR msg=audit(1121009601.930:43120):
saddr=0200802F7F0000010000000000000000
type=SYSCALL msg=audit(1121009601.930:43120): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
type=AVC msg=audit(1121009601.930:43120): avc: denied { name_connect }
for pid=2569 comm="squid" dest=32815 scontext=system_u:system_r:squid_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SOCKETCALL msg=audit(1121009601.930:43144): nargs=3 a0=7
a1=bfcc06ec a2=10
type=SOCKADDR msg=audit(1121009601.930:43144):
saddr=020080317F0000010000000000000000
type=SYSCALL msg=audit(1121009601.930:43144): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
type=AVC msg=audit(1121009601.930:43144): avc: denied { name_connect }
for pid=2569 comm="squid" dest=32817 scontext=system_u:system_r:squid_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
from cache.log
2005/07/10 11:33:21| Starting Squid Cache version 2.5.STABLE9 for
i386-redhat-linux-gnu...
2005/07/10 11:33:21| Process ID 2569
2005/07/10 11:33:21| With 1024 file descriptors available
2005/07/10 11:33:21| DNS Socket created at 0.0.0.0, port 32775, FD 5
2005/07/10 11:33:21| Adding nameserver 24.153.22.67
from /etc/resolv.conf
2005/07/10 11:33:21| Adding nameserver 24.153.23.66
from /etc/resolv.conf
2005/07/10 11:33:21| helperOpenServers: Starting 5 'squid_redirect'
processes
2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
process.
2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
process.
2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
process.
2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
process.
2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
process.
2005/07/10 11:33:21| User-Agent logging is disabled.
2005/07/10 11:33:21| Referer logging is disabled.
2005/07/10 11:33:21| Unlinkd pipe opened on FD 10
2005/07/10 11:33:21| Swap maxSize 102400 KB, estimated 7876 objects
2005/07/10 11:33:21| Target number of buckets: 393
2005/07/10 11:33:21| Using 8192 Store buckets
2005/07/10 11:33:21| Max Mem size: 8192 KB
2005/07/10 11:33:21| Max Swap size: 102400 KB
2005/07/10 11:33:21| /var/spool/squid/swap.state: (13) Permission denied
FATAL: storeUfsDirOpenSwapLog: Failed to open swap log.
Squid Cache (Version 2.5.STABLE9): Terminated abnormally.
CPU Usage: 0.019 seconds = 0.006 user + 0.013 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
from squid.out
squid: ERROR: Could not send signal 0 to process 31876: (3) No such
process
/var/spool/
drwxr-x--- squid squid system_u:object_r:squid_cache_t squid
/usr/local/bin/
[root@rhonda bin]# ls -alZ
drwxr-xr-x root root system_u:object_r:bin_t .
drwxr-xr-x root root system_u:object_r:usr_t ..
-rwxr-xr-x root root system_u:object_r:bin_t
squid_redirect
-rwxr-xr-x root root system_u:object_r:bin_t wrapzap
18 years, 10 months
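Added example, not from the original post: a small Python parser for audit records in the format quoted above. It joins each AVC record with the SOCKADDR record that carries the same audit serial, decodes the hex saddr into address and port (the 0200802D7F000001... value above decodes to 127.0.0.1:32813, matching dest=32813), and tallies denials by source type, target type, object class and permission. The sample records are constructed from the squid denials in this post and the winbindd denial in the Samba post further down.

```python
import re
from collections import defaultdict

# Constructed sample: one squid event (SOCKADDR + SYSCALL + AVC records sharing
# an audit serial) and one winbindd AVC, in the record format shown in the posts.
SAMPLE = """\
type=SOCKADDR msg=audit(1121009601.929:43096): saddr=0200802D7F0000010000000000000000
type=SYSCALL msg=audit(1121009601.929:43096): arch=40000003 syscall=102 success=no exit=-13 pid=2569 uid=23 comm="squid" exe="/usr/sbin/squid"
type=AVC msg=audit(1121009601.929:43096): avc: denied { name_connect } for pid=2569 comm="squid" dest=32813 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1120802682.637:241645): avc: denied { name_connect } for pid=3175 comm="winbindd" dest=389 scontext=root:system_r:winbind_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc: +denied +\{ *([^}]*)\} for (.*)$')

def decode_saddr(hexstr):
    """Decode the SOCKADDR saddr field (raw struct sockaddr in hex); AF_INET only."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], 'little')  # sa_family is host order (i386 here)
    if family != 2:                              # 2 == AF_INET
        return None
    port = int.from_bytes(raw[2:4], 'big')       # sin_port is network order
    return '.'.join(str(b) for b in raw[4:8]), port

def parse_audit(text):
    """Group records by (timestamp, serial) so an AVC can be joined with its SOCKADDR."""
    events = defaultdict(dict)
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, ts, serial, body = m.groups()
        ev = events[(ts, serial)]
        if rtype == 'AVC':
            am = AVC_RE.match(body)
            fields = {k: v.strip('"') for k, v in KV_RE.findall(am.group(2))}
            ev['avc'] = dict(fields, perms=am.group(1).split())
        elif rtype == 'SOCKADDR':
            ev['peer'] = decode_saddr(dict(KV_RE.findall(body))['saddr'])
    return events

def summarize(events):
    """Count denials by (source type, target type, class, perm): what a fix must cover."""
    counts = defaultdict(int)
    for avc in (ev['avc'] for ev in events.values() if 'avc' in ev):
        src, tgt = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
        for perm in avc['perms']:
            counts[(src, tgt, avc['tclass'], perm)] += 1
    return dict(counts)
```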
problems switching from targeted to strict policy...
by Tim Kossack
hi,
i just installed fc3 (with selinux=permissive and configuration=minimal)
in order to get familiar with selinux.
after updating the system and installing the strict-policy as well as
the strict and targeted sources via yum, i edited /etc/selinux/config to
"strict" and rebooted.
since then, during boot, i'm getting flooded with "avc denied" for
nearly every service (didn't happen while i had "targeted" enabled),
even when i login.
i tried to fix it by executing "make load/reload/relabel" in the
strict-src-directory, but that doesn't work.
after a second glance at the selinux-faq i discovered that i forgot to do
"touch /.autorelabel" before the first reboot.
did this cause my problems, or is it a problem with the strict policy
itself?
how do i fix it (if still possible)?
thx!
18 years, 10 months
fedora 2 and SELinux
by Preeti Malakar
Sir,
When I installed fedora2 without selinux support, it installed
properly, but with "linux selinux" at the boot prompt, the graphical
display does not come up; a modal window displays
"gnome-daemon-settings quitted unexpectedly" and is in a hung state.
However, I can log into text mode, and I saw in /var/log/messages
many audit denial messages for the gnome session by SELinux, such as
avc : denied { write } for pid=3129 exe=/usr/bin/gnome-session
name=linc-a6c-0-c66f92clble9 dev=sda8 ino=4080019
scontext=root:staff_r:staff_t tcontext=system_u:object_r:tmp_t
tclass=sock_file
what should i do?
thanking you
Preeti Malakar
MTech CSE
18 years, 10 months
Re: Fedora 3 and SELinux
by Matthew Miller
On Sat, Jul 09, 2005 at 08:43:22AM +0100, Preeti Malakar wrote:
> the SE Linux commands such as show_bools are missing and also there are no .te files and .fc files. Can you please help
show_bools is getsebool in newer SELinux, and the policy sources are in
selinux-policy-targeted-sources.
--
Matthew Miller mattdm(a)mattdm.org <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
Current office temperature: 73 degrees Fahrenheit.
18 years, 10 months
FC4 Samba AD authentication fails...
by Tom Lisjac
Setting up samba-3.0.14a-2 under FC4 for AD authentication produces
the following errors with selinux-policy-targeted-1.24-3.
Should these reports be posted in bugzilla rather than here?
-Tom
------------------------------------------
type=AVC msg=audit(1120802622.535:235021): avc: denied { getattr }
for pid=3163 comm="smbd" name="winbindd" dev=hda2 ino=1045907
scontext=root:system_r:smbd_t
tcontext=system_u:object_r:winbind_var_run_t tclass=dir
type=AVC msg=audit(1120802623.036:236399): avc: denied {
name_connect } for pid=3164 comm="smbd" dest=389
scontext=root:system_r:smbd_t
type=AVC msg=audit(1120802682.605:241497): avc: denied { search }
for pid=3175 comm="winbindd" name="tmp" dev=hda2 ino=3463233
scontext=root:system_r:winbind_t tcontext=system_u:object_r:tmp_t
tclass=dir
type=AVC msg=audit(1120802682.637:241645): avc: denied {
name_connect } for pid=3175 comm="winbindd" dest=389
scontext=root:system_r:winbind_t
tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
18 years, 10 months
RE: the labeling procedure
by Steve Brueckner
> restorecon doesn't rely on having policy sources
> (selinux-policy-targeted-sources) installed. It uses the installed
> file_contexts configuration created by the policy
> (selinux-policy-targeted) package. That lives
> under /etc/selinux/targeted/contexts/files.
Aha, I think the O'Reilly book is just out of date. Not surprising
considering the moving target that is SELinux.
> SELinux utilities don't rely on having the policy sources available,
> as you likely don't want them on production systems. make relabel is
> really only for developers, and hardly used at all anymore (it
> predates having fixfiles and restorecon).
Actually I am developing here. My problem is that I have a huge chroot
directory (basically a full duplicate of the whole system) and I want to get
everything in there labeled as if it were outside the chroot. To do this I
duplicated file_contexts/types.fc and used sed to prepend the chroot
directory to every line. It seems to work pretty well, but I'm still having
trouble getting the user home directories inside the chroot labeled properly.
The homedirs macros and files are apparently throwing me.
I'd appreciate any suggestions on a better way to label the chroot
filesystem. And any ideas on how to get those chrooted homedirs labeled
correctly.
Stephen Brueckner, ATC-NY
18 years, 10 months
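Added example, not Steve's own script: a Python version of the sed rewrite described above. It prepends a chroot path to every file_contexts regex (escaping regex metacharacters in the prefix, passing comments and blank lines through, and checking that each rewritten regex still compiles), plus a simplified last-match-wins lookup to check which label a chrooted path would receive. The file_contexts excerpt and the /srv/chroot path are constructed for the example.

```python
import re

# Constructed file_contexts excerpt: path regex, optional file-type flag, context.
FILE_CONTEXTS = """\
# constructed entries in file_contexts syntax
/.*                      system_u:object_r:default_t
/var/lib/mysql(/.*)?     system_u:object_r:mysqld_db_t
/dev/tty[0-9]*      -c   system_u:object_r:tty_device_t
/home/[^/]*/.*           system_u:object_r:user_home_t
/home/[^/]*         -d   system_u:object_r:user_home_dir_t
/tmp/.*                  <<none>>
"""

LINE_RE = re.compile(r'^(\S+)\s+(?:(-[bcdlps-])\s+)?(\S+)$')

def rewrite_for_chroot(text, chroot):
    """Prepend the chroot to every path regex, escaping regex metachars in it;
    comments and blank lines pass through unchanged."""
    prefix = re.escape(chroot.rstrip('/'))
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)
            continue
        m = LINE_RE.match(stripped)
        if not m:
            raise ValueError('unparsable file_contexts line: ' + line)
        regex, ftype, ctx = m.groups()
        re.compile(prefix + regex)  # fail here rather than when setfiles reads the file
        out.append(' '.join(f for f in (prefix + regex, ftype, ctx) if f))
    return '\n'.join(out) + '\n'

def lookup(text, path):
    """Simplified matchpathcon: the last entry whose regex fully matches the path
    wins, and <<none>> means the path is left unlabeled. File-type flags are ignored."""
    ctx = None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and re.fullmatch(m.group(1), path):
            ctx = m.group(3)
    return None if ctx == '<<none>>' else ctx
```

If the policy generates a separate file_contexts.homedirs for the home-directory entries, that file needs the same rewrite before it is used on the chroot.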
policy updated, then selinux error?
by Hongwei Li
Hi,
I just updated the selinux targeted policy (including the source) from 1.17.30-2.96
to 1.17.30-3.16 on my fc3 linux system (kernel 2.6.11-1.35_FC3), and also
updated checkpolicy to 1.17.5-1.2. The update process did not show any error.
Then I rebooted the system, which showed a lot of error messages like:
invalid ... in /etc/selinux/targeted/src/policy/file_contexts/... (it went
by so fast that I could not catch all the words). The system is running, so
I went to /etc/selinux/targeted/src/policy, ran make load and got:
# make load
mkdir -p /etc/selinux/targeted/policy
/usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.18 policy.conf
/usr/bin/checkpolicy: loading policy configuration from policy.conf
domains/unconfined.te:19:ERROR 'syntax error' at token '{' on line 3897:
typealias unconfined_t alias { kernel_t init_t initrc_t logrotate_t sendmail_t
sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
typeattribute tty_device_t { tty_device_t devpts_t };
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
I tried touch /.autorelable and reboot, the same error.
Can somebody tell me what's wrong and how to fix it?
Thanks!
Hongwei Li
18 years, 10 months
Re: seaudit crashes with segmentation fault
by Kevin Carr
> -----Original Message-----
> From: fedora-selinux-list-bounces(a)redhat.com [mailto:fedora-selinux-list-
> bounces(a)redhat.com] On Behalf Of John Bray
> i'm posting this per stephen's request:
>
> On Mon, 2005-06-27 at 14:32 -0400, Stephen Smalley wrote:
> > On Mon, 2005-06-27 at 13:15 -0500, John Bray wrote:
> > > every time i try to run seaudit, it immediately crashes with a
> > > segmentation fault. the following errors appear, with or without any
> > > arguments on the commandline:
> > >
> > > [root@junior setools-2.1.0]# seaudit -l /var/log/messages
> > > -p /etc/selinux/targeted/src/policy/policy.conf
> > <snip>
> > >
> > > wonder if anyone has any ideas or suggestions?
> >
> > - Post to fedora-selinux-list for SELinux questions.
> > - What is your base system, FC3 or FC4?
> > - In FC4, unless you disable auditd, audit messages are sent by the
> > kernel to auditd and are written by auditd to /var/log/audit/audit.log.
> > - Not sure that seaudit has been updated for the associated changes.
> >
>
> thanks stephen. i didn't even know that there was such a list. :-)
>
> it's FC4. clean install. auditd is running.
>
> i guess i'd misunderstood. i'd thought that with it running, the
> audit.log as well as to messages.
>
> however, if i point at audit.log instead, it does NOT segfault, but
> finds no messages either. :-)
>
> thanks for your help. i will see about getting to the selinux list.
>
> hope your day is going well.
>
> john
FYI - The latest release of setools has addressed this problem. Version
2.1.1 of setools is available at www.tresys.com.
Kevin Carr
Tresys Technology
18 years, 10 months
Question regarding /etc/rc.d/rc.sysinit
by Paul Moore
Is there any reason for keeping lines 75 - 85 of /etc/rc.d/rc.sysinit
(from initscripts-8.11.1-1)? The reason I ask is that these ten lines
are causing AVC denial messages when using Dan Walsh's MLS policy and as
far as I can tell these lines don't do anything useful. In my limited
testing removing these lines from rc.sysinit has not caused any problems
- am I missing something?
--- rc.sysinit.orig-06082005 2005-07-08 14:42:39.000000000 -0400
+++ rc.sysinit 2005-07-08 15:09:02.000000000 -0400
@@ -70,20 +70,6 @@ relabel_selinux() {
fi
}
-
-
-if [ "$HOSTTYPE" != "s390" -a "$HOSTTYPE" != "s390x" ]; then
- last=0
- for i in `LC_ALL=C grep '^[0-9].*respawn:/sbin/mingetty' /etc/inittab
| sed 's/^.* tty\([0-9][0-9]*\).*/\1/g'`; do
- > /dev/tty$i
- last=$i
- done
- if [ $last -gt 0 ]; then
- > /dev/tty$((last+1))
- > /dev/tty$((last+2))
- fi
-fi
-
if [ "$CONSOLETYPE" = "vt" -a -x /sbin/setsysfont ]; then
echo -n "Setting default font ($SYSFONT): "
/sbin/setsysfont
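Review bot: The deleted block is not a no-op from the kernel's point of view: for every `respawn:/sbin/mingetty` entry in /etc/inittab it runs `> /dev/tty$i`, and then the same for the two consoles after the highest one listed, so the access the MLS policy is denying is an open-for-write (truncate) of those tty device nodes by the domain rc.sysinit runs in. Before removing it outright, check on a non-s390 box that the listed consoles and tty(last+1)/tty(last+2) still exist and switch correctly after a boot without the loop; if they do, the removal is the right fix, and if they do not, the alternative is a policy allow for that write access rather than deleting the code. Style point: the hunk also drops both blank lines around the block, leaving `}` directly followed by `if [ "$CONSOLETYPE" = "vt" -a -x /sbin/setsysfont ]; then`; keep one blank line between the two.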
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore(a)hp.com hewlett packard
. (603) 884-5056 linux security
18 years, 10 months
mysql error
by Hongwei Li
Hi,
I have a fc3 system: kernel 2.6.11-1.35_FC3, selinux enforcing with targeted
policy 1.17.30-2.96, mysql 3.23.58-16.FC3.1, php 4.3.10-3.2.
After I updated mysql from 3.23.4x to the above version, I cannot connect to
the mysql database from the web using localhost, although I can do it from the
ssh command line. The error message is:
Could not connect: Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (13)
If I run setenforce 0, then everything works. The mysql.sock shows:
# ls -lZ /var/lib/mysql/mysql.sock
srwxrwxrwx mysql mysql root:object_r:mysqld_db_t
/var/lib/mysql/mysql.sock
How do I fix the problem?
Thanks!
Hongwei Li
18 years, 10 months