SELinux security alert/Squid -
Bob Goodwin
bobgoodwin at wildblue.net
Tue Feb 9 09:43:45 UTC 2010
On 09/02/10 02:17, Tim wrote:
> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>
>> squid_connect_any --> off
>>
> Probably not a good idea; the setting's there as an aid to protect you
> against maliciousness. If you want to add exceptions, that's a better
> idea than just letting anything through.
>
> I'd make an educated guess that the original poster hadn't tried to
> connect to an alternative port, while going through their proxy, before.
>
>
Well then, should it not be possible to tell SELinux that this particular
connection is acceptable? To me it is vital; I need to control system
usage and that's where I get my usage data! The problem is minor and
doesn't warrant disabling SELinux in any way. I only see it upon
rebooting, usually around 04:00, which is my habit. But the "star" is
there again this morning.
As a result I have once more done [as su/root]: setsebool -P
squid_connect_any=1, as it suggests. Whatever that does takes perhaps 30
seconds and shows a lot of CPU activity while doing it, so I know
something is happening.
The security alert, generated at this morning's boot:

Summary:
SELinux is preventing the squid daemon from connecting to network port 8180

Detailed Description:
[squid has a permissive type (squid_t). This access was not denied.]
SELinux has denied the squid daemon from connecting to 8180. By default squid
policy is setup to deny squid connections. If you did not setup squid to network
connections, this could signal a intrusion attempt.

Allowing Access:
If you want squid to connect to network ports you need to turn on the
squid_connect_any boolean: "setsebool -P squid_connect_any=1"

Fix Command:
setsebool -P squid_connect_any=1

Additional Information:
Source Context         system_u:system_r:squid_t:s0
Target Context         system_u:object_r:port_t:s0
Target Objects         None [ tcp_socket ]
Source                 squid
Source Path            /usr/sbin/squid
Port                   8180
Host                   box6
Source RPM Packages    squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM             selinux-policy-3.6.32-78.fc12
Selinux Enabled        True
Policy Type            targeted
Enforcing Mode         Enforcing
Plugin Name            squid_connect_any
Host Name              box6
Platform               Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count            33
First Seen             Sun 07 Feb 2010 04:50:46 PM EST
Last Seen              Sun 07 Feb 2010 05:08:58 PM EST
Local ID               87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages
node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c000003e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
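Tim's point in the thread is that adding a narrow exception beats flipping squid_connect_any, and the raw audit records above contain enough to tell which exception that is: the target context is the generic port_t, meaning port 8180 simply has no label, and the paired SYSCALL record shows success=yes, so the permissive squid_t domain only logged the access rather than blocking it. The following Python is an added example (not part of the original post or of setroubleshoot) that parses the two records as posted and works out the narrowest remediation. It assumes, as the targeted policy of that era allowed, that squid_t may connect to http_port_t without the boolean; the list SQUID_REACHABLE_PORT_TYPES is that assumption and should be checked with sesearch on the system in question.

```python
import re

# The two raw audit records copied from the alert in the post. They share the
# serial 20027, so they describe the same connect() syscall.
AUDIT_LOG = """\
node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c000003e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
"""

# Assumption: port types that squid_t can name_connect to even with
# squid_connect_any off. Verify on the target host with
#   sesearch -A -s squid_t -c tcp_socket -p name_connect
SQUID_REACHABLE_PORT_TYPES = ("http_port_t", "http_cache_port_t", "squid_port_t")

# The broad fix the alert proposes; kept only as the fallback to compare against.
BROAD_FIX = "setsebool -P squid_connect_any=1"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into key/value fields plus serial and AVC permissions."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    p = PERM_RE.search(line)
    if p:
        rec["decision"] = p.group(1)
        rec["perms"] = p.group(2).split()
    return rec


def group_by_serial(log_text):
    """Group AVC and SYSCALL records that belong to the same audit event."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.get("serial"), []).append(rec)
    return events


def context_type(ctx):
    """user:role:type:level -> type"""
    return ctx.split(":")[2]


def analyze_event(records):
    """Describe the denial and pick the narrowest remediation for it."""
    avc = next((r for r in records if r.get("type") == "AVC"), None)
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if avc is None:
        return None
    result = {
        "comm": avc.get("comm"),
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "tclass": avc.get("tclass"),
        "perms": avc.get("perms", []),
        "port": int(avc["dest"]) if "dest" in avc else None,
        # success=yes on the SYSCALL record means the kernel let the call through:
        # the domain is permissive, so this is an audit entry, not an outage.
        "actually_blocked": syscall is not None and syscall.get("success") == "no",
        "broad_fix": BROAD_FIX,
    }
    is_connect = result["tclass"] == "tcp_socket" and "name_connect" in result["perms"]
    if is_connect and result["target_type"] == "port_t":
        # Generic port_t: the port carries no label at all. Give it a type the
        # source domain can already reach instead of opening every port.
        result["advice"] = "label_port"
        result["command"] = (f"semanage port -a -t {SQUID_REACHABLE_PORT_TYPES[0]} "
                             f"-p tcp {result['port']}")
    elif is_connect:
        # The port is already labelled for some other service; a local policy
        # module scoped to this one rule is the narrow alternative.
        result["advice"] = "local_module"
        result["command"] = "ausearch -m avc -c squid | audit2allow -M squid_local"
    else:
        result["advice"] = "investigate"
        result["command"] = None
    return result


if __name__ == "__main__":
    for serial, recs in group_by_serial(AUDIT_LOG).items():
        r = analyze_event(recs)
        print(f"event {serial}: {r['comm']} ({r['source_type']}) -> "
              f"{r['target_type']} port {r['port']}, blocked={r['actually_blocked']}")
        print(f"  narrow fix: {r['command']}")
        print(f"  broad fix : {r['broad_fix']}")
```

Running it against the posted records yields the port-labelling command for 8180 rather than the boolean; after applying it, `semanage port -l | grep -w 8180` should show the new label, and the alert should stop without squid_t gaining access to every other port.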