how do I get squid 2.7 to run?

Daniel J Walsh dwalsh at redhat.com
Wed Nov 7 14:57:02 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/07/2012 08:54 AM, lee wrote:
> Daniel J Walsh <dwalsh at redhat.com> writes:
> 
>> On 11/06/2012 04:00 PM, lee wrote:
>>> Daniel J Walsh <dwalsh at redhat.com> writes:
>>> 
>>>> On 11/05/2012 07:55 PM, lee wrote:
>>>>> Hi,
>>>>> 
>>>>> selinux prevents squid 2.7 from running.  What do I need to do to
>>>>> get it to work?  This selinux is really a PITA ... does it do any
>>>>> good at all?
>>>>> 
>>>> What avcs are you getting?
>>> 
>>> Not any recent ones, see below.  The ones I have seem to be from my 
>>> attempts to change permissions.
>>> 
>>>> man squid_selinux
>>> 
>>> ,----
>>> | [root@yun ~]# ls -laZ /var/spool/
>>> | [...]
>>> | drwxr-xr-x. root root unconfined_u:object_r:squid_cache_t:s0 squid
>>> | [...]
>>> | [root@yun ~]#
>>> `----
>>> 
>>> So the directory should be set fine, according to the manpage.
>>> 
>>> ,----
>>> | [root@yun ~]# ls -laZ /etc/squid/squid.conf
>>> | -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
>>> | [root@yun ~]#
>>> `----
>>> 
>>> The configuration file seems ok, too.
>>> 
>>> From the manpage:
>>> 
>>> 
>>> squid_exec_t
>>> 
>>> -  Set files with the squid_exec_t type, if you want to transition an 
>>> executable to the squid_t domain.
>>> 
>>> 
>>> What is that supposed to mean?  What is a squid_t domain?
>>> 
>>> ,----
>>> | [root@yun ~]# ls -laZ /usr/local/squid/sbin/squid
>>> | -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/squid/sbin/squid
>>> | [root@yun ~]# chcon -v -t squid_t /usr/local/squid/sbin/squid
>>> | changing security context of `/usr/local/squid/sbin/squid'
>>> | chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
>>> | [root@yun ~]#
>>> `----
>>> 
>>> Huh?  I guess I could force it by disabling selinux or switching to
>>> permissive mode, but I'm probably not supposed to do that.
>>> 
>>> 
>>>> Or do either of these booleans help.
>>>> 
>>>> semanage boolean -l | grep squid
>>>> squid_use_tproxy               (off  , off)  Allow squid to run as a transparent proxy (TPROXY)
>>>> squid_connect_any              (on   ,   on)  Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
>>> 
>>> ,----
>>> | [root@yun ~]# semanage boolean -l | grep squid
>>> | squid_use_tproxy               (off  ,  off)  squid_use_tproxy
>>> | squid_connect_any              (on   ,   on)  squid_connect_any
>>> `----
>>> 
>>> So this seems to be the same as you have.  I will need to adjust that
>>> once squid is able to run because I have specified one other port I
>>> need squid to work with.  Is it possible to allow just one additional
>>> port rather than allowing all ports?
>>> 
>>> 
>>> ,----
>>> | [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
>>> | 2012/11/06 21:14:25| Creating Swap Directories
>>> | FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
>>> | Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
>>> | CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
>>> | Maximum Resident Size: 2064 KB
>>> | Page faults with physical i/o: 0
>>> | [root@yun ~]# ausearch -m avc -ts recent
>>> | <no matches>
>>> | [root@yun ~]# ausearch -m avc |grep squid
>>> | type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
>>> | type=AVC msg=audit(1352162879.956:132): avc:  denied  { relabelto } for pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
>>> | type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
>>> `----
>>> 
>>> 
>>> There isn't any log output from squid about trying to create the cache
>>> directory.  Something --- probably selinux --- denies access to the
>>> cache directory.
>>> 
>>> If I get it to run, as which user is squid supposed to run?  Is squid 
>>> automatically changing to another user when I start it which then
>>> doesn't have access to the cache directory because of "normal" file
>>> permissions?
>>> 
>>> 
>>> BTW, if current squid could rewrite URLs, I could just use a current 
>>> version.  Perhaps the latest development version can finally do that?
>>> 
>> squid_t is a process label type, not a file type.
> 
> What does that mean?
> 
>> But why are you not using the default squid that Fedora ships?
> 
> It's because I require a storeurl_rewrite_program, and that is not 
> available in squid 3.x.  I tried the default one first and it complained 
> about the option in the configuration, and it says on the squid website 
> that it hasn't been ported yet.
> 
> Without rewriting some URLs, it's not worthwhile to run squid because it 
> wouldn't cache what I want it to cache in the first place and which is the
> very reason I want to run squid.
> 
>> Not sure if this is an SELinux issue since you are running the non
>> standard squid.  The non standard squid is probably running as initrc_t,
>> which is unconfined.
>> 
>> ps -eZ | grep squid
> 
> Well I can't run squid 2.7 to check what it is running at because it cannot
> create the cache.
> 
> Hmmm ...
> 
> 
> ,----
> | [root@yun ~]# chmod a+rwx /var/spool/squid/
> | [root@yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
> | 2012/11/07 13:22:28| Creating Swap Directories
> `----
> 
> 
> That actually worked, so it's perhaps not a selinux issue?  But squid is 
> running as root, so why doesn't it have access to its directories?
> 
> Ok it's running now after I changed ownership of /var/spool/squid to 
> squid:squid and made it rwx for user and group.  I have:
> 
> 
> ,----
> | cache_effective_user squid
> | cache_effective_group squid
> `----
> 
> 
> in the configuration.  Is that sufficient to prevent squid from running as
> root?  It still shows up as root in ps.
> 
> 
Well you would have to ask the squid guys that, sorry I just do SELinux.  :^)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCadr4ACgkQrlYvE4MpobPM6ACfRB4KogBiB6yRncUtOezgeZeM
xj4AoLi3iB3pnnomne12S8wSnLZz/Ulv
=bOe8
-----END PGP SIGNATURE-----
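Added example, not code from this thread or from the squid or selinux-policy projects. It takes the two audit records quoted above (the SELINUX_ERR with an invalid context, and the relabelto denial from chcon), explains why each happened, separates the "(13) Permission denied" with no AVC from a real SELinux denial, and prints the semanage/restorecon commands that label a locally built squid so it can transition into squid_t and get one extra port without squid_connect_any. Assumptions not stated in the thread: the binary path and the port number are arguments (the defaults /usr/local/squid/sbin/squid and 3129 are placeholders), and the extra port is one squid listens on; the comment in fix_commands covers the outbound case.

```shell
#!/bin/sh
# Added example (not from the thread). Triage the posted audit records and
# print the SELinux changes for a hand-built squid. Binary path and port are
# arguments; the defaults below are placeholders, not values from the thread.

# Records copied from the thread, kept inline as constructed test input.
ERR_INVALID='type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"'
AVC_RELABEL='type=AVC msg=audit(1352164028.526:142): avc:  denied  { relabelto } for pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file'

# Third field of a context: unconfined_u:object_r:squid_cache_t:s0 -> squid_cache_t
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of KEY=value (bare or "quoted") in one audit record line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Permission name inside 'avc:  denied  { relabelto }'.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *[{] *\([a-z_]*\) *[}].*/\1/p'
}

# One-line diagnosis. Only the two record kinds seen in the thread are
# recognised specially; any other AVC is reported generically.
explain_record() {
    case "$1" in
        *type=SELINUX_ERR*invalid_context=*)
            echo "invalid context '$(avc_field "$1" invalid_context)': not a user:role:type:level tuple"
            ;;
        *type=AVC*)
            perm=$(avc_perm "$1")
            src=$(se_type "$(avc_field "$1" scontext)")
            tgt=$(se_type "$(avc_field "$1" tcontext)")
            cls=$(avc_field "$1" tclass)
            if [ "$perm" = relabelto ] && [ "$cls" = file ] && [ "$tgt" = squid_t ]; then
                echo "relabelto denied: squid_t is the process domain, the binary takes squid_exec_t"
            else
                echo "denied $perm on $cls: $src -> $tgt"
            fi
            ;;
        *)
            echo "unclassified"
            ;;
    esac
}

# Squid's '(13) Permission denied' with no matching AVC is plain file
# permissions: squid has already dropped to cache_effective_user when it
# creates the swap directories. An empty ausearch can also mean a dontaudit
# rule swallowed the denial; 'semodule -DB' turns those off while testing.
classify_eacces() {
    if [ "$1" -eq 0 ]; then
        echo "DAC: check owner and mode of the cache dir against cache_effective_user"
    else
        echo "MAC: fix the labels named in the AVC records"
    fi
}

# Printed, not executed: persistent labeling so exec of the binary can
# transition into squid_t, plus one extra port instead of squid_connect_any.
fix_commands() {
    bin=$1
    port=$2
    cat <<EOF
semanage fcontext -a -t squid_exec_t '$bin'
restorecon -v '$bin'
# port squid listens on (name_bind):
semanage port -a -t squid_port_t -p tcp $port
# if instead squid must connect out to $port, label it as a web port:
# semanage port -a -t http_port_t -p tcp $port
setsebool -P squid_connect_any off
# start through the init script so initrc_t transitions to squid_t (a daemon
# launched straight from an unconfined root shell stays unconfined_t), then:
ps -eZ | grep squid
EOF
}

explain_record "$ERR_INVALID"
explain_record "$AVC_RELABEL"
classify_eacces 0
fix_commands "${1:-/usr/local/squid/sbin/squid}" "${2:-3129}"
```

The point of the relabelto check is the one Daniel makes above: chcon -t squid_t fails because squid_t is the domain a process runs in, not a label a file can carry; the file type that causes the transition is squid_exec_t, and semanage fcontext makes that label survive a restorecon or relabel, which a bare chcon does not.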

