how do I get squid 2.7 to run?
Daniel J Walsh
dwalsh at redhat.com
Wed Nov 7 14:57:02 UTC 2012
On 11/07/2012 08:54 AM, lee wrote:
> Daniel J Walsh <dwalsh at redhat.com> writes:
>
>> On 11/06/2012 04:00 PM, lee wrote:
>>> Daniel J Walsh <dwalsh at redhat.com> writes:
>>>
>>>> On 11/05/2012 07:55 PM, lee wrote:
>>>>> Hi,
>>>>>
>>>>> selinux prevents squid 2.7 from running. What do I need to do to
>>>>> get it to work? This selinux is really a PITA ... does it do any
>>>>> good at all?
>>>>>
>>>> What avcs are you getting?
>>>
>>> Not any recent ones, see below. The ones I have seem to be from my
>>> attempts to change permissions.
>>>
>>>> man squid_selinux
>>>
>>> ,----
>>> | [root at yun ~]# ls -laZ /var/spool/
>>> | [...]
>>> | drwxr-xr-x. root root unconfined_u:object_r:squid_cache_t:s0 squid
>>> | [...]
>>> | [root at yun ~]#
>>> `----
>>>
>>> So the directory should be set fine, according to the manpage.
>>>
>>> ,----
>>> | [root at yun ~]# ls -laZ /etc/squid/squid.conf
>>> | -rw-r--r--. root root unconfined_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
>>> | [root at yun ~]#
>>> `----
>>>
>>> The configuration file seems ok, too.
>>>
>>> From the manpage:
>>>
>>>
>>> squid_exec_t
>>>
>>> - Set files with the squid_exec_t type, if you want to transition an
>>> executable to the squid_t domain.
>>>
>>>
>>> What is that supposed to mean? What is a squid_t domain?
>>>
>>> ,----
>>> | [root at yun ~]# ls -laZ /usr/local/squid/sbin/squid
>>> | -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/squid/sbin/squid
>>> | [root at yun ~]# chcon -v -t squid_t /usr/local/squid/sbin/squid
>>> | changing security context of `/usr/local/squid/sbin/squid'
>>> | chcon: failed to change context of `/usr/local/squid/sbin/squid' to `system_u:object_r:squid_t:s0': Permission denied
>>> | [root at yun ~]#
>>> `----
>>>
>>> Huh? I guess I could force it by disabling selinux or switching to
>>> permissive mode, but I'm probably not supposed to do that.
>>>
>>>
>>>> Or does either of these booleans help?
>>>>
>>>> semanage boolean -l | grep squid
>>>> squid_use_tproxy (off , off) Allow squid to run as a transparent proxy (TPROXY)
>>>> squid_connect_any (on , on) Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports.
>>>
>>> ,----
>>> | [root at yun ~]# semanage boolean -l | grep squid
>>> | squid_use_tproxy (off , off) squid_use_tproxy
>>> | squid_connect_any (on , on) squid_connect_any
>>> `----
>>>
>>> So this seems to be the same as you have. I will need to adjust that
>>> once squid is able to run because I have specified one other port I
>>> need squid to work with. Is it possible to allow just one additional
>>> port rather than allowing all ports?
>>>
>>>
>>> ,----
>>> | [root at yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
>>> | 2012/11/06 21:14:25| Creating Swap Directories
>>> | FATAL: Failed to make swap directory /var/spool/squid/00: (13) Permission denied
>>> | Squid Cache (Version 2.7.STABLE9-20110824): Terminated abnormally.
>>> | CPU Usage: 0.000 seconds = 0.000 user + 0.000 sys
>>> | Maximum Resident Size: 2064 KB
>>> | Page faults with physical i/o: 0
>>> | [root at yun ~]# ausearch -m avc -ts recent
>>> | <no matches>
>>> | [root at yun ~]# ausearch -m avc |grep squid
>>> | type=SELINUX_ERR msg=audit(1352162852.285:131): op=setxattr invalid_context="system_u:unconfined_u:squid_t:system_r"
>>> | type=AVC msg=audit(1352162879.956:132): avc: denied { relabelto } for pid=27686 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:squid_t:s0 tclass=file
>>> | type=AVC msg=audit(1352164028.526:142): avc: denied { relabelto } for pid=27849 comm="chcon" name="squid" dev="cciss!c0d0p3" ino=655368 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_t:s0 tclass=file
>>> `----
>>>
>>>
>>> There isn't any log output from squid about trying to create the cache
>>> directory. Something --- probably selinux --- denies access to the
>>> cache directory.
>>>
>>> If I get it to run, as which user is squid supposed to run? Is squid
>>> automatically changing to another user when I start it which then
>>> doesn't have access to the cache directory because of "normal" file
>>> permissions?
>>>
>>>
>>> BTW, if current squid could rewrite URLs, I could just use a current
>>> version. Perhaps the latest development version can finally do that?
>>>
>> squid_t is a processor label type, not a file type.
>
> What does that mean?
>
>> But why are you not using the default squid that Fedora ships?
>
> It's because I require a storeurl_rewrite_program, and that is not
> available in squid 3.x. I tried the default one first and it complained
> about the option in the configuration, and it says on the squid website
> that it hasn't been ported yet.
>
> Without rewriting some URLs, it's not worthwhile to run squid because it
> wouldn't cache what I want it to cache in the first place and which is the
> very reason I want to run squid.
>
>> Not sure if this is an SELinux issue since you are running the non
>> standard squid. The non standard squid is probably running as initrc_t,
>> which is unconfined.
>>
>> ps -eZ | grep squid
>
> Well I can't run squid 2.7 to check what it is running at because it cannot
> create the cache.
>
> Hmmm ...
>
>
> ,----
> | [root at yun ~]# chmod a+rwx /var/spool/squid/
> | [root at yun ~]# /usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
> | 2012/11/07 13:22:28| Creating Swap Directories
> `----
>
>
> That actually worked, so it's perhaps not a selinux issue? But squid is
> running as root, so why doesn't it have access to its directories?
>
> Ok, it's running now after I changed ownership of /var/spool/squid to
> squid:squid and made it rwx for user and group. I have:
>
>
> ,----
> | cache_effective_user squid
> | cache_effective_group squid
> `----
>
>
> in the configuration. Is that sufficient to prevent squid from running as
> root? It still shows up as root in ps.
>
>
Well, you would have to ask the squid guys that; sorry, I just do SELinux. :^)
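One way to act on the squid_selinux manpage advice quoted in the thread (label the binary squid_exec_t, not squid_t, so it transitions into the squid_t domain, then confirm with ps -eZ as Dan suggests), as an added shell example; this is not code from the thread, from squid, or from the Fedora SELinux policy. It assumes the binary path from the thread, a constructed ps -eZ sample, and the port type name squid_port_t, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread: check which SELinux domain a self-built
# squid runs in and print the relabelling that makes it transition into squid_t.
# Path taken from the thread; override with SQUID_BIN=... in the environment.
SQUID_BIN="${SQUID_BIN:-/usr/local/squid/sbin/squid}"

# Constructed sample of "ps -eZ" output for stand-alone runs (not real output).
SAMPLE_PS='system_u:system_r:init_t:s0 1 ? 00:00:01 systemd
system_u:system_r:initrc_t:s0 27900 ? 00:00:00 squid'

# The third colon-separated field of the context in a "ps -eZ" line is the type.
ps_line_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Read "ps -eZ" output on stdin and report the domain of the squid process.
# Returns 0: squid_t (confined); 1: another domain such as initrc_t; 2: not running.
squid_domain_status() {
    line=$(grep -E '[[:space:]]squid$' | head -n 1)
    [ -n "$line" ] || { echo "squid is not running"; return 2; }
    t=$(ps_line_type "$line")
    if [ "$t" = "squid_t" ]; then
        echo "squid_t (confined by the squid policy)"
    else
        echo "$t (not confined as squid_t; the binary is probably not labelled squid_exec_t)"
        return 1
    fi
}

# The fix from 'man squid_selinux': label the executable squid_exec_t (a file type),
# not squid_t (the process domain, which is why chcon -t squid_t was denied).
label_plan() {
    printf 'semanage fcontext -a -t squid_exec_t %s\n' "$1"
    printf 'restorecon -v %s\n' "$1"
}

# Open one extra port for squid instead of turning squid_connect_any on.
# squid_port_t is the policy's port type for squid; that name is not in the thread.
port_plan() {
    printf 'semanage port -a -t squid_port_t -p tcp %s\n' "$1"
}

# "--plan" prints the commands and checks the sample; "--apply [port]" runs them.
case "${1:-}" in
    --plan)  label_plan "$SQUID_BIN"; printf '%s\n' "$SAMPLE_PS" | squid_domain_status ;;
    --apply) label_plan "$SQUID_BIN" | sh -e
             if [ -n "${2:-}" ]; then port_plan "$2" | sh -e; fi
             ps -eZ | squid_domain_status ;;
esac
```

With the sample, the status check reports initrc_t, which is the unconfined case Dan describes; after the relabel and a restart, the same check should report squid_t.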