Hello all,
Still on my mission to clean up any unnecessary local policies I might have mistakenly created, I have now turned my attention to my squid web proxy.
I have a nightly script which downloads updated blacklists to be fed to squidGuard. They are held in a variety of directories under /var/squidGuard/blacklists/ and without my local policy I get AVCs when something tries to access one of these blacklist databases.
The proposed remedy of: restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db' made no difference.
When I do an ls -laZ on these directories I get a mixture of:
squid squid system_u:object_r:var_t:s0
and
squid squid unconfined_u:object_r:var_t:s0
Which should it be? Should I build a chcon statement into the download script?
Audit2why said that the denial was caused by a "Missing type enforcement (TE) allow rule."
and audit2allow produced this (which is the same as I had in my local policy):
require { type squid_t; }
#============= squid_t ==============
files_rw_var_files(squid_t)
Should I just stick with my local policy, or fix something else?
Thanks
Mark
p.s. Happy to post the whole avc(s) if required...
On Thursday 05-02-2009 at 18:42 [timezone +0000], Arthur Dent wrote:
The proposed remedy of: restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db' made no difference.
When I do an ls -laZ on these directories I get a mixture of:
squid squid system_u:object_r:var_t:s0
and
squid squid unconfined_u:object_r:var_t:s0
It looks like squidGuard owns /var/squidGuard but does not manage its content with a private type.
Then later squid tries to interact with squidGuards content there.
But the content is created with a generic type for var (var_t)
You can solve this issue by writing policy for squidGuard. You should enforce squidGuard to manage its files using private types instead of just using the generic var_t.
Then later, you can give squid access to that type.
Can you share your policy for squidGuard? In which domain is the squidGuard process running? ps auxZ | grep squidguard.
The point is that squid_t is not allowed to read and write generic content in /var.
hth
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
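Mark asked which of the two contexts is the right one; Dominick's answer turns on the type field (var_t), which is the only part of the label a type-enforcement rule for squid_t matches on, so the system_u/unconfined_u difference is cosmetic here. The following label audit is an added example, not code from the thread or from the squid or squidGuard projects. It reads ls -laZ output, locates the context field by its user:role:type[:level] shape (so both the older layout Mark pasted and the newer one with size and date columns work), and lists every entry whose type is not the one you expect. The sample directory listing is constructed for the example; the type squid_var_t it expects is the private type proposed later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux *type* on each entry
# of a squidGuard database directory.  The SELinux user and role are ignored
# on purpose: type enforcement decides squid_t's access on the type alone.

# report_mislabeled EXPECTED_TYPE < ls-output
# Prints "name type" for every entry whose type differs from EXPECTED_TYPE.
report_mislabeled() {
    awk -v want="$1" '
        {
            if ($NF == "..") next            # parent directory is not ours to label
            ctx = ""
            # the context is the field shaped user:role:type[:level]
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+_u:[^:]+_r:[^:]+_t(:.*)?$/) ctx = $i
            if (ctx == "") next               # e.g. the "total N" line
            split(ctx, f, ":")                # f[1]=user f[2]=role f[3]=type
            if (f[3] != want) printf "%s %s\n", $NF, f[3]
        }'
}

# count_types < ls-output
# Prints "type count" for each type seen, sorted, to show how mixed a tree is.
count_types() {
    awk '
        {
            if ($NF == "..") next
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+_u:[^:]+_r:[^:]+_t(:.*)?$/) {
                    split($i, f, ":")
                    n[f[3]]++
                }
        }
        END { for (t in n) printf "%s %d\n", t, n[t] }' | sort
}

# Constructed sample in the column layout of the thread's ls -laZ output
# (permissions, owner, group, context, name); not real output from Mark's host.
SAMPLE='drwxr-xr-x  squid squid system_u:object_r:squid_var_t:s0 .
drwxr-xr-x  root  root  system_u:object_r:var_t:s0 ..
-rw-r--r--  squid squid system_u:object_r:var_t:s0 domains.db
-rw-r--r--  squid squid unconfined_u:object_r:var_t:s0 urls.db
-rw-r--r--  squid squid system_u:object_r:squid_var_t:s0 expressions'

# audit_sample EXPECTED_TYPE: run the report over the constructed sample
audit_sample() { printf '%s\n' "$SAMPLE" | report_mislabeled "$1"; }

# Real use on a live system:
#   ls -laZ /var/squidGuard/blacklists/porn | report_mislabeled squid_var_t
audit_sample squid_var_t
printf '%s\n' "$SAMPLE" | count_types
```

On the sample, domains.db and urls.db are reported as var_t while the SELinux user differs between them; that difference never shows up in the report, which is the point: fixing the user field would not silence the AVC, changing the type would.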
On Thu, Feb 05, 2009 at 08:50:39PM +0100, Dominick Grift wrote:
On Thursday 05-02-2009 at 18:42 [timezone +0000], Arthur Dent wrote:
The proposed remedy of: restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db' made no difference.
When I do an ls -laZ on these directories I get a mixture of:
squid squid system_u:object_r:var_t:s0
and
squid squid unconfined_u:object_r:var_t:s0
It looks like squidGuard owns /var/squidGuard but does not manage its content with a private type.
Then later squid tries to interact with squidGuards content there.
But the content is created with a generic type for var (var_t)
You can solve this issue by writing policy for squidGuard. You should enforce squidGuard to manage its files using private types instead of just using the generic var_t.
Then later, you can give squid access to that type.
Can you share your policy for squidGuard?
Well, the only policy I have is the one created with audit2allow that I posted in my original mail.
In which domain is the squidGuard process running? ps auxZ | grep squidguard.
[root@tmydomain selinux]# ps auxZ | grep squid
unconfined_u:system_r:squid_t:s0 root 5554 0.0 0.0 10700 308 ? Ss 01:13 0:00 squid -D -f /etc/squid/squid.conf
unconfined_u:system_r:squid_t:s0 squid 5557 0.5 1.9 25624 7624 ? S 01:13 6:38 (squid) -D -f /etc/squid/squid.conf
unconfined_u:system_r:squid_t:s0 squid 5558 0.0 1.0 15212 4080 ? Ss 01:13 0:05 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5559 0.0 0.7 14284 3020 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5560 0.0 0.6 13360 2332 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5561 0.0 0.5 12964 2092 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5562 0.0 0.2 12300 1084 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5563 0.0 0.1 3228 396 ? Ss 01:13 0:00 (unlinkd)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19810 0.0 0.1 5040 708 pts/1 S+ 19:55 0:00 grep squid
Apologies for the line wrap!
The point is that squid_t is not allowed to read and write generic content in /var.
hth
Thanks - I am still a little unclear as to how best to proceed. My local policy allows it all to work - should I just stick with that or work at fixing the underlying problem?
Mark
p.s.
This is all I have in my policy module:
# cat mysquid.te
policy_module(mysquid, 9.1.0)
require { type squid_t; }
#============= squid_t ==============
files_rw_var_files(squid_t)
On Thursday 05-02-2009 at 21:25 [timezone +0000], Arthur Dent wrote:
Thanks - I am still a little unclear as to how best to proceed. My local policy allows it all to work - should I just stick with that or work at fixing the underlying problem?
Mark
Well, your solution works, but it allows squid to escalate to generic var objects. This means that squid can write to all objects with type var_t. This may not be what you want. RedHat certainly decided not to give squid this access.
The following may be a better solution:
mkdir ~/mysquid; cd ~/mysquid;
echo "policy_module(mysquid, 0.0.1)" > mysquid.te;
echo "require { type squid_t; }" >> mysquid.te;
echo "type squid_var_t;" >> mysquid.te;
echo "files_type(squid_var_t)" >> mysquid.te;
echo "manage_files_pattern(squid_t, squid_var_t, squid_var_t)" >> mysquid.te;
echo "files_var_lib_filetrans(squid_t, squid_var_t, file)" >> mysquid.te;
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t, s0)" > mysquid.te;
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mysquid.pp
This solution will not allow squid_t to write to objects with var_t, but instead allow squid_t to manage its objects in /var/squidGuard with a type that it owns.
On Thursday 05-02-2009 at 22:58 [timezone +0100], Dominick Grift wrote:
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t, s0)" > mysquid.te;
Whoops the above should be:
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t, s0)" > mysquid.fc;
file contexts go into the .fc file instead of the .te file
On Thursday 05-02-2009 at 23:02 [timezone +0100], Dominick Grift wrote:
Whoops the above should be:
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t, s0)" > mysquid.fc;
file contexts go into the .fc file instead of the .te file
Also you would need to restore the context of that location:
sudo restorecon -R -v /var/squidGuard
My solution may not work, and this is because of the strange location. I would have expected /var/lib/squidGuard instead, and so my var_lib_filetrans() may not work.
On Thu, Feb 05, 2009 at 11:13:39PM +0100, Dominick Grift wrote:
On Thursday 05-02-2009 at 23:02 [timezone +0100], Dominick Grift wrote:
Whoops the above should be:
echo "/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_var_t, s0)" > mysquid.fc;
file contexts go into the .fc file instead of the .te file
Also you would need to restore the context of that location:
sudo restorecon -R -v /var/squidGuard
My solution may not work, and this is because of the strange location. I would have expected /var/lib/squidGuard instead, and so my var_lib_filetrans() may not work.
Thanks for your help Dominick - It's much appreciated...
I am trying your solution now, and so far no denials (it's only been 3 minutes though!).
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
I cannot remember now why they ended up in /var/squidGuard (I think I was copying a sample download script - It's been several years since I first set it up). With a bit of effort I could move them all to /var/lib/squidGuard. Would that be the *right* thing to do?
Once again, thanks for your help...
Mark
On Thursday 05-02-2009 at 22:33 [timezone +0000], Arthur Dent wrote:
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
No, there is policy missing in the squid module I think. We appended that policy by installing our module.
Nonetheless, the proper location is still /var/lib/squidGuard I think.
I just was not sure if some part of the policy I wrote is working as expected since the location you use is /var/squidGuard instead.
Seems that it is working though so that is fine.
On Thursday 05-02-2009 at 23:40 [timezone +0100], Dominick Grift wrote:
On Thursday 05-02-2009 at 22:33 [timezone +0000], Arthur Dent wrote:
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
If you can, instruct squidGuard to use /var/lib/squidGuard instead and edit the path in mysquid.fc to reflect that path.
Then rebuild and reinstall the module and restore the context of that location.
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mysquid.pp
sudo restorecon -R -v /var/lib/squidGuard
Then see if squid_t creates the files there with the proper type of squid_var_t instead of var_t.
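Dominick's recipe is spread over several messages: write mysquid.te, put the file-context line in mysquid.fc (not the .te), build with the devel Makefile, load the module with semodule, then restorecon the database location, preferably /var/lib/squidGuard. The script below is an added example, not code from the thread or from the squid or squidGuard projects, that generates those two source files in one place and only builds, installs and relabels when the policy toolchain is present. It assumes the refpolicy interfaces shipped by selinux-policy-devel; it goes one step beyond the thread by also adding manage_dirs_pattern so squid_t can create subdirectories under the database location, and the DB_DIR variable defaults to the /var/lib/squidGuard path suggested above.

```shell
#!/bin/sh
# Added example (not from the thread): generate, build and install the
# mysquid module that gives squid_t a private type for squidGuard's data.
# Assumes selinux-policy-devel (refpolicy interfaces files_type,
# manage_files_pattern, manage_dirs_pattern, files_var_lib_filetrans).
# DB_DIR may be overridden in the environment for the old /var/squidGuard layout.

MODULE=mysquid
DB_DIR="${DB_DIR:-/var/lib/squidGuard}"

# write_te DIR: emit DIR/mysquid.te (type enforcement only, no file contexts)
write_te() {
    cat > "$1/$MODULE.te" <<EOF
policy_module($MODULE, 0.0.2)

require {
    type squid_t;
}

# Private type for the blacklist databases, so squid_t never needs the blanket
# access to generic var_t that files_rw_var_files() would have granted.
type squid_var_t;
files_type(squid_var_t)

# squid_t may create, read, write, rename and unlink files and directories
# of that type (manage_dirs_pattern is an addition to the thread's recipe).
manage_files_pattern(squid_t, squid_var_t, squid_var_t)
manage_dirs_pattern(squid_t, squid_var_t, squid_var_t)

# Files squid_t creates directly in a var_lib_t directory get squid_var_t.
# Entries created inside an already-labelled DB_DIR inherit its type anyway;
# this line is only useful when DB_DIR really lives under /var/lib.
files_var_lib_filetrans(squid_t, squid_var_t, file)
EOF
}

# write_fc DIR: emit DIR/mysquid.fc; the regex covers DB_DIR and everything below it
write_fc() {
    printf '%s(/.*)?\tgen_context(system_u:object_r:squid_var_t, s0)\n' \
        "$DB_DIR" > "$1/$MODULE.fc"
}

# build_and_install DIR: compile with the devel Makefile, load the module and
# relabel DB_DIR.  Run as root.  Returns 1 without touching the system when the
# toolchain is missing, so the generated sources can still be inspected.
build_and_install() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; sources left in $1" >&2
        return 1
    fi
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile ) || return 1
    semodule -i "$1/$MODULE.pp" || return 1
    restorecon -R -v "$DB_DIR"
}

# Usage: sh mysquid-build.sh          -> only writes the sources to a temp dir
#        sh mysquid-build.sh install  -> also builds, loads and relabels
WORK="${WORK_DIR:-$(mktemp -d)}"
write_te "$WORK"
write_fc "$WORK"
echo "module sources written to $WORK"
if [ "${1:-}" = install ]; then
    build_and_install "$WORK"
fi
```

After installing, the check Dominick asks for is simply ls -laZ on DB_DIR: new files the nightly script drops there should show squid_var_t, and a file still showing var_t means the .fc path does not match the directory squidGuard's dbhome actually points at.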
On Thu, Feb 05, 2009 at 11:47:02PM +0100, Dominick Grift wrote:
On Thursday 05-02-2009 at 23:40 [timezone +0100], Dominick Grift wrote:
On Thursday 05-02-2009 at 22:33 [timezone +0000], Arthur Dent wrote:
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
If you can, instruct squidGuard to use /var/lib/squidGuard instead and edit the path in mysquid.fc to reflect that path.
Then rebuild and reinstall the module and restore the context of that location.
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mysquid.pp
sudo restorecon -R -v /var/lib/squidGuard
Then see if squid_t creates the files there with the proper type of squid_var_t instead of var_t.
Ooops - Our messages crossed.
I will have to try this tomorrow now. Thanks!
Mark
On Thu, Feb 05, 2009 at 11:40:10PM +0100, Dominick Grift wrote:
On Thursday 05-02-2009 at 22:33 [timezone +0000], Arthur Dent wrote:
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
No, there is policy missing in the squid module I think. We appended that policy by installing our module.
Nonetheless, the proper location is still /var/lib/squidGuard I think.
I just was not sure if some part of the policy I wrote is working as expected since the location you use is /var/squidGuard instead.
Seems that it is working though so that is fine.
Thanks again.
I will see what happens overnight.
Just a final thought however. Both squid and squidGuard are installed via yum from the standard repositories. I still have a copy of the original squidGuard.conf file and here are the first 8 lines:
#
# CONFIG FILE FOR SQUIDGUARD
#
# See http://www.squidguard.org/config/ for more examples
#

dbhome /var/squidGuard/blacklists
logdir /var/log/squidGuard
So it seems that is where I got my file layout from!
At least I know I'm not completely crazy...
Thanks once again
Mark
Arthur Dent wrote:
On Thu, Feb 05, 2009 at 11:40:10PM +0100, Dominick Grift wrote:
On Thursday 05-02-2009 at 22:33 [timezone +0000], Arthur Dent wrote:
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
No, there is policy missing in the squid module I think. We appended that policy by installing our module.
Nonetheless, the proper location is still /var/lib/squidGuard I think.
I just was not sure if some part of the policy I wrote is working as expected since the location you use is /var/squidGuard instead.
Seems that it is working though so that is fine.
Thanks again.
I will see what happens overnight.
Just a final thought however. Both squid and squidGuard are installed via yum from the standard repositories. I still have a copy of the original squidGuard.conf file and here are the first 8 lines:
#
# CONFIG FILE FOR SQUIDGUARD
#
# See http://www.squidguard.org/config/ for more examples
#

dbhome /var/squidGuard/blacklists
logdir /var/log/squidGuard
So it seems that is where I got my file layout from!
At least I know I'm not completely crazy...
Thanks once again
Mark
A simpler solution would have been to add a context that squid can write.
# semanage fcontext -a -t squid_cache_t '/var/squidGuard(/.*)?'
# restorecon -R -v /var/squidGuard
Does squid try to write to /var/log/squidGuard?
What does /var/www/cgi-bin/squidGuard.cgi and /var/www/cgi-bin/squidGuard-simple.cgi do?
Do they need to read the /var/squidGuard?
On Tue, Feb 10, 2009 at 09:34:35AM -0500, Daniel J Walsh wrote:
Arthur Dent wrote:
On Thu, Feb 05, 2009 at 11:40:10PM +0100, Dominick Grift wrote:
On Thursday 05-02-2009 at 22:33 [timezone +0000], Arthur Dent wrote:
Am I right in thinking that all this would be unnecessary if the files were in /var/lib/squidGuard ?
No, there is policy missing in the squid module I think. We appended that policy by installing our module.
Nonetheless, the proper location is still /var/lib/squidGuard I think.
I just was not sure if some part of the policy I wrote is working as expected since the location you use is /var/squidGuard instead.
Seems that it is working though so that is fine.
Thanks again.
I will see what happens overnight.
Just a final thought however. Both squid and squidGuard are installed via yum from the standard repositories. I still have a copy of the original squidGuard.conf file and here are the first 8 lines:
#
# CONFIG FILE FOR SQUIDGUARD
#
# See http://www.squidguard.org/config/ for more examples
#

dbhome /var/squidGuard/blacklists
logdir /var/log/squidGuard
So it seems that is where I got my file layout from!
At least I know I'm not completely crazy...
Thanks once again
Mark
A simpler solution would have been to add a context that squid can write.
# semanage fcontext -a -t squid_cache_t '/var/squidGuard(/.*)?'
# restorecon -R -v /var/squidGuard
Does squid try to write to /var/log/squidGuard?
Yes. Well, squid itself has a variety of logs in /var/log/squid/ and squidGuard keeps its log (/var/log/squid/squidGuard.log) there too.
What does /var/www/cgi-bin/squidGuard.cgi and /var/www/cgi-bin/squidGuard-simple.cgi do?
squidGuard maintains lists of blacklisted URLs. My users (my family) access the web via the squid proxy. If they stumble upon one of the blacklisted sites squidGuard redirects the browser to the /var/www/cgi-bin/squidGuard.cgi page which displays an intelligent (i.e. says which blacklist has triggered) warning and blocks the site.
Do they need to read the /var/squidGuard?
Yes. The blacklists are stored in /var/squidGuard/blacklists/ (and updated from a variety of sources using a nightly script).
Is all that as it should be, or would there be a better configuration? (Both squid and squidGuard are installed using yum from standard F9 repositories).
Thanks for your suggestion. I will try it later when time permits.
Best regards
Mark