Problems adding to targeted policy for a new cache directory for Squid
Daniel J Walsh
dwalsh at redhat.com
Tue Feb 15 14:37:57 UTC 2005
Joe Cooper wrote:
> Hi all,
>
> I'm running into some issues adding policy to cover some extra
> directories that we use on our systems. I'm using FC3 and the latest
> errata targeted policy and kernel. For our Squid process, we devote
> one or more partitions for cache storage, named /cache0, /cache1, and
> so on.
>
> I've added the following line to file_contexts/program/squid.fc:
>
> /cache.*(/.*)? system_u:object_r:squid_cache_t
>
The newer versions of restorecon allow you to specify
file_contexts.local for things like this so you don't have to deal with
sources.
> Which matches the lines for /var/spool/squid(/.*)? and
> /var/cache/squid(/.*)?. After running "restorecon -Rv /cache0", I
> have the right label on /cache0:
>
> [root at localhost /]# ls -ldZ /cache0
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t /cache0
> [root at localhost /]# ls -ldZ /var/spool/squid
> drwxr-x--- squid squid system_u:object_r:squid_cache_t
> /var/spool/squid
>
> However, when I start Squid I get a lot of avc: denied errors (I'm in
> permissive mode for testing). Some of which don't even make any sense
> to me, like this one:
>
> audit(1108452395.149:0): avc: denied { read } for pid=3778
> exe=/usr/sbin/squid name=00 dev=hdc2 ino=5
> scontext=root:system_r:squid_t tcontext=root:object_r:nfs_t tclass=dir
>
> This seems to indicate Squid needs to have nfs_t privileges, though I
> don't see why this should be so in the targeted policy.
>
Yes, it should not need this.
> If I run restorecon again (after creating the directories), I get a
> segfault and it stops before reaching the file(s) in the top level of
> the directory (there are subdirectories which all get relabeled). i.e.:
>
> [root at localhost /]# restorecon -Rv /cache0
> ...
> restorecon reset context /cache0/0F/FF:->system_u:object_r:squid_cache_t
> Segmentation fault
> [root at localhost /]# ls -lZ /cache0
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 00
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 01
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 02
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 03
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 04
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 05
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 06
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 07
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 08
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 09
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0A
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0B
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0C
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0D
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0E
> drwxr-xr-x squid squid system_u:object_r:squid_cache_t 0F
> -rw-r--r-- squid squid swap.state
>
> So swap.state is still unlabeled, and starting Squid leads to more
> avc: denied errors. If I restorecon on just swap.state, Squid starts
> without errors, but after a reboot, the label is lost and Squid
> generates errors again. I'll file an issue on the restorecon
> segfault, but that still probably doesn't solve all of my problems.
>
> So, I'm quite stumped...I thought I had done what I needed to make
> this work, but clearly there's at least three things I don't understand:
>
> 1. Why does it lose the swap.state label on reboot? Does restorecon
> run on every boot?
>
Does /cache0 get deleted on reboot? Is this on an ext3 file system?
> 2. Why doesn't /var/spool/squid exhibit this same problem? restorecon
> works without segfault, and doesn't lose the label on swap.state after
> a reboot.
>
restorecon fixed in update.
The only way you should lose the context is if you are using something
other than ext2/3 for a file system or if the directory is being replaced
on every reboot.
> 3. Where is nfs_t coming from on /cache0? It seems like some kind of
> default that it falls back to when a file is unlabeled, but I don't
> see anywhere that nfs_t is a generic label.
>
I don't know. Are you starting the squid service while sitting on an NFS
partition? Any directories having anything to do with Squid on an NFS
partition?
> Thanks!
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
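Added example, not part of the thread or of Dan's reply: a small shell emulation of how restorecon matches a file_contexts entry against a path. file_contexts regexes are implicitly anchored at both ends, so the pattern is wrapped in `^...$` here. The sample paths are the ones from the thread plus two constructed ones (/cachefoo, /var/cache0) that show how broad `/cache.*(/.*)?` really is; the tighter `/cache[0-9]+(/.*)?` is a suggested alternative, not something the thread proposes. The emulation assumes POSIX extended regex semantics, which for these patterns coincide with what libselinux uses.

```shell
#!/bin/sh
# Emulate file_contexts matching: the regex is anchored at both ends,
# exactly as restorecon/libselinux treat entries in file_contexts.
# fc_match PATTERN PATH  -> exit 0 if PATH would receive PATTERN's label.
fc_match() {
    pattern="$1"
    path="$2"
    printf '%s\n' "$path" | grep -Eq "^${pattern}\$"
}

# Pattern posted in the thread (squid.fc addition).
POSTED_FC='/cache.*(/.*)?'
# Tighter alternative (assumption, not from the thread): only /cache<digits>.
TIGHT_FC='/cache[0-9]+(/.*)?'

# Show which sample paths each pattern would label squid_cache_t.
# Paths: the ones from the thread plus two constructed ones.
demo() {
    for p in /cache0 /cache0/00 /cache0/swap.state /cache1/0F/FF \
             /cachefoo /var/cache0; do
        posted='no match'; tight='no match'
        fc_match "$POSTED_FC" "$p" && posted='squid_cache_t'
        fc_match "$TIGHT_FC" "$p" && tight='squid_cache_t'
        printf '%-20s posted:%-14s tight:%s\n' "$p" "$posted" "$tight"
    done
}

demo
```

Running it shows the posted pattern also claims /cachefoo (anything under / that starts with "cache"), while /var/cache0 is untouched because the match is anchored at the start; the same check is a quick way to validate a new file_contexts regex before running restorecon -R on a large cache tree.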