how do I get squid 2.7 to run?

Daniel J Walsh dwalsh at redhat.com
Wed Nov 7 11:43:54 UTC 2012



On 11/06/2012 04:00 PM, lee wrote:
> Daniel J Walsh <dwalsh at redhat.com> writes:
> 
>> On 11/05/2012 07:55 PM, lee wrote:
>>> Hi,
>>> 
>>> selinux prevents squid 2.7 from running.  What do I need to do to get
>>> it to work?  This selinux is really a PITA ... does it do any good at
>>> all?
>>> 
>> What avcs are you getting?
> 
> Not any recent ones, see below.  The ones I have seem to be from my 
> attempts to change permissions.
> 
>> man squid_selinux
> 
> ,----
> | [root at yun ~]# ls -laZ /var/spool/
> | [...]
> | drwxr-xr-x. root   root unconfined_u:object_r:squid_cache_t:s0 squid
> | [...]
> | [root at yun ~]#
> `----
> 
> So the directory should be set fine, according to the manpage.
> 
> ,----
> | [root at yun ~]# ls -laZ /etc/squid/squid.conf
> | -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
> | [root at yun ~]#
> `----
> 
> The configuration file seems ok, too.
> 
> From the manpage:
> 
> 
> squid_exec_t
> 
> -  Set files with the squid_exec_t type, if you want to transition an
> executable to the squid_t domain.
> 
> 
> What is that supposed to mean?  What is a squid_t domain?
> 
> ,----
> | [root at yun ~]# ls -laZ /usr/local/squid/sbin/squid
> | -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/local/squid/sbin/squid
> | [root at yun ~]#  chcon -v -t squid_t /usr/local/squid/sbin/squid
> | changing security context of `/usr/local/squid/sbin/squid'
> | chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
> | [root at yun ~]#
> `----
> 
> Huh?  I guess I could force it by disabling selinux or switching to
> permissive mode, but I'm probably not supposed to do that.
> 
> 
>> Or do either of these booleans help.
>> 
>> semanage boolean -l | grep squid
>> squid_use_tproxy               (off  ,  off)  Allow squid to run as a transparent proxy (TPROXY)
>> squid_connect_any              (on   ,   on)  Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
> 
> ,----
> | [root at yun ~]# semanage boolean -l | grep squid
> | squid_use_tproxy               (off  ,  off)  squid_use_tproxy
> | squid_connect_any              (on   ,   on)  squid_connect_any
> `----
> 
> So this seems to be the same as you have.  I will need to adjust that once
> squid is able to run because I have specified one other port I need squid
> to work with.  Is it possible to allow just one additional port rather than
> allowing all ports?
> 
> 
> ,----
> | [root at yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
> | 2012/11/06 21:14:25| Creating Swap Directories
> | FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
> | Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
> | CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
> | Maximum Resident Size: 2064 KB
> | Page faults with physical i/o: 0
> | [root at yun ~]# ausearch -m avc -ts recent
> | <no matches>
> | [root at yun ~]# ausearch -m avc |grep squid
> | type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
> | type=AVC msg=audit(1352162879.956:132): avc:  denied  { relabelto } for  pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
> | type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for  pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
> `----
> 
> 
> There isn't any log output from squid about trying to create the cache 
> directory.  Something --- probably selinux --- denies access to the cache
> directory.
> 
> If I get it to run, as which user is squid supposed to run?  Is squid 
> automatically changing to another user when I start it which then doesn't
> have access to the cache directory because of "normal" file permissions?
> 
> 
> BTW, if current squid could rewrite URLs, I could just use a current 
> version.  Perhaps the latest development version can finally do that?
> 
squid_t is a process label type, not a file type.

But why are you not using the default squid that Fedora ships?

Not sure if this is an SELinux issue since you are running the non-standard
squid.  The non-standard squid is probably running as initrc_t, which is
unconfined.

ps -eZ | grep squid

