SELinux security alert/Squid -

Bob Goodwin bobgoodwin at wildblue.net
Tue Feb 9 09:43:45 UTC 2010


On 09/02/10 02:17, Tim wrote:
> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>    
>> squid_connect_any -->  off
>>      
> Probably not a good idea; the setting's there as an aid to protect you
> against maliciousness.  If you want to add exceptions, that's a better
> idea than just letting anything through.
>
> I'd make an educated guess that the original poster hadn't tried to
> connect to an alternative port, while going through their proxy, before.
>
>    
Well then should it not be possible to tell SELinux that this particular 
connection is acceptable? To me it is vital, I need to control system 
usage and that's where I get my usage data! The problem is minor and 
doesn't warrant disabling SELinux in any way, I only see it upon 
rebooting, usually around 04:00 which is my habit. But the "star" is 
there again this morning.

As a result I have once more done [as su/root]: setsebool -P 
squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30 
seconds and shows a lot of cpu activity while doing it so I know 
something is happening.

The security alert, generated at this morning's boot:

    Summary:

    SELinux is preventing the squid daemon from connecting to network
    port 8180

    Detailed Description:

    [squid has a permissive type (squid_t). This access was not denied.]

    SELinux has denied the squid daemon from connecting to 8180. By
    default squid policy is setup to deny squid connections. If you did
    not setup squid to network connections, this could signal a
    intrusion attempt.

    Allowing Access:

    If you want squid to connect to network ports you need to turn on the
    squid_connect_any boolean: "setsebool -P squid_connect_any=1"

    Fix Command:

    setsebool -P squid_connect_any=1

    Additional Information:

    Source Context                system_u:system_r:squid_t:s0
    Target Context                system_u:object_r:port_t:s0
    Target Objects                None [ tcp_socket ]
    Source                        squid
    Source Path                   /usr/sbin/squid
    Port                          8180
    Host                          box6
    Source RPM Packages           squid-3.1.0.15-2.fc12
    Target RPM Packages
    Policy RPM                    selinux-policy-3.6.32-78.fc12
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Plugin Name                   squid_connect_any
    Host Name                     box6
    Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
    Alert Count                   33
    First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
    Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
    Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
    Line Numbers

    Raw Audit Messages

    node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  {
    name_connect } for  pid=1504 comm="squid" dest=8180
    scontext=system_u:system_r:squid_t:s0
    tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

    node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
    arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
    a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
    auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
    fsgid=23 tty=(none) ses=4294967295 comm="squid"
    exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
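As an added example that is not part of this thread: a small POSIX sh helper that reads the AVC line above and prints the narrower fix Tim hints at (labelling just port 8180 for squid) instead of the blanket squid_connect_any boolean. The choice of http_cache_port_t as the target type is an assumption; confirm against the installed policy with sesearch before applying.

```sh
#!/bin/sh
# Added example, not from the mailing-list post. Turns an AVC name_connect
# denial into a port-labelling command, which is the least-privilege
# alternative to "setsebool -P squid_connect_any=1".

# Constructed input: the AVC line from the alert, re-joined on one line.
AVC='node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  { name_connect } for  pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY -> value of "KEY=value" in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE -> semanage command labelling the destination port, or an
# explanation (exit 1) when the denial is not a plain tcp name_connect on an
# unlabelled (port_t) port. http_cache_port_t is an assumed squid-reachable
# type in the targeted policy; verify with:
#   sesearch -A -s squid_t -t http_cache_port_t -c tcp_socket -p name_connect
suggest_fix() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    tclass=$(avc_field "$line" tclass)
    dest=$(avc_field "$line" dest)
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    if [ "$perm" != name_connect ] || [ "$tclass" != tcp_socket ]; then
        echo "not a tcp name_connect denial: $perm on $tclass"
        return 1
    fi
    if [ "$ttype" != port_t ]; then
        echo "port $dest already labelled $ttype; check policy with sesearch"
        return 1
    fi
    echo "semanage port -a -t http_cache_port_t -p tcp $dest"
}

# show_port_label PORT -> current labelling (needs root and policycoreutils)
show_port_label() {
    semanage port -l | grep -w "$1"
}
```

Run `suggest_fix "$AVC"` on the affected host, apply the printed command as root, then confirm with `show_port_label 8180` and restart squid; the boolean can then stay off.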
