SELinux security alert/Squid -

Daniel J Walsh dwalsh at redhat.com
Tue Feb 9 14:48:42 UTC 2010


On 02/09/2010 04:43 AM, Bob Goodwin wrote:
> On 09/02/10 02:17, Tim wrote:
>> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>>
>>> squid_connect_any -->  off
>>>
>> Probably not a good idea, the settings there as an aid to protect you
>> against maliciousness.  If you want to add exceptions, that's a better
>> idea than just letting anything through.
>>
>> I'd make an educated guess that the original poster hadn't tried to
>> connect to an alternative port, while going through their proxy, before.
>>
>>
> Well then should it not be possible to tell SELinux that this particular 
> connection is acceptable? To me it is vital, I need to control system 
> usage and that's where I get my usage data! The problem is minor and 
> doesn't warrant disabling SELinux in any way, I only see it upon 
> rebooting, usually around 04:00 which is my habit. But the "star" is 
> there again this morning.
> 
> As a result I have once more done [as su/root]: setsebool -P 
> squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30 
> seconds and shows a lot of cpu activity while doing it so I know 
> something is happening.
> 
> The security alert, generated at this morning's boot:
> 
>     Summary:
> 
>     SELinux is preventing the squid daemon from connecting to network
>     port 8180
> 
>     Detailed Description:
> 
>     [squid has a permissive type (squid_t). This access was not denied.]
> 
>     SELinux has denied the squid daemon from connecting to 8180. By
>     default squid
>     policy is setup to deny squid connections. If you did not setup
>     squid to network
>     connections, this could signal a intrusion attempt.
> 
>     Allowing Access:
> 
>     If you want squid to connect to network ports you need to turn on the
>     squid_connect_any boolean: "setsebool -P squid_connect_any=1"
> 
>     Fix Command:
> 
>     setsebool -P squid_connect_any=1
> 
>     Additional Information:
> 
>     Source Context                system_u:system_r:squid_t:s0
>     Target Context                system_u:object_r:port_t:s0
>     Target Objects                None [ tcp_socket ]
>     Source                        squid
>     Source Path                   /usr/sbin/squid
>     Port                          8180
>     Host                          box6
>     Source RPM Packages           squid-3.1.0.15-2.fc12
>     Target RPM Packages
>     Policy RPM                    selinux-policy-3.6.32-78.fc12
>     Selinux Enabled               True
>     Policy Type                   targeted
>     Enforcing Mode                Enforcing
>     Plugin Name                   squid_connect_any
>     Host Name                     box6
>     Platform                      Linux box6
>     2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
>                                    Mon Jan 18 19:52:07 UTC 2010 x86_64
>     x86_64
>     Alert Count                   33
>     First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
>     Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
>     Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
>     Line Numbers
> 
>     Raw Audit Messages
> 
>     node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  {
>     name_connect } for  pid=1504 comm="squid" dest=8180
>     scontext=system_u:system_r:squid_t:s0
>     tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> 
>     node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
>     arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
>     a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
>     auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
>     fsgid=23 tty=(none) ses=4294967295 comm="squid"
>     exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
> 
> 
Another option would be to identify port 8180 as an http port.

semanage port -a -t http_port_t -p tcp 8180

Would label this port http_port_t and squid would be allowed to connect to this port without setting the boolean.
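Added example, not code from Dan's or Bob's message: a small POSIX sh helper that reads the raw AVC record from the alert quoted above and prints the narrower of the two fixes discussed in this thread, labelling just the one port (Dan's semanage command) when the target is the generic port_t, and falling back to the squid_connect_any boolean the alert itself proposes otherwise. It assumes a targeted policy where http_port_t is a type squid_t may connect to, and it only prints commands, never runs them.

```shell
#!/bin/sh
# Extract one "key=value" field from an audit record (last occurrence wins).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# Print the least-privilege remediation for a squid name_connect denial.
# Returns 1 if the record is not a name_connect/tcp_socket denial for squid.
recommend_fix() {
    rec=$1
    perm=$(printf '%s\n' "$rec" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p')
    comm=$(avc_field "$rec" comm | tr -d '"')
    dest=$(avc_field "$rec" dest)
    tctx=$(avc_field "$rec" tcontext)
    tclass=$(avc_field "$rec" tclass)

    [ "$perm" = name_connect ] || return 1
    [ "$tclass" = tcp_socket ] || return 1
    [ "$comm" = squid ] || return 1

    case "$tctx" in
        *:port_t:*)
            # Generic, unlabelled port: give only this port the http label
            # instead of letting squid reach every port on the system.
            printf 'semanage port -a -t http_port_t -p tcp %s\n' "$dest" ;;
        *)
            # Port already has a dedicated type; the boolean is the remaining
            # option the alert offers (it is broad, so review before applying).
            printf 'setsebool -P squid_connect_any=1\n' ;;
    esac
}

# Constructed copy of the AVC record from the alert, joined onto one line.
SAMPLE='node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  { name_connect } for  pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

recommend_fix "$SAMPLE"
```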

