SELinux protect my squid using havp as parent proxy

Daniel J Walsh dwalsh at redhat.com
Thu Jul 13 14:09:38 UTC 2006 

Paul Howarth wrote:
> Joshua Brindle wrote:
>> Paul Howarth wrote:
>>> On Wed, 2006-07-12 at 09:33 +0700, Lutfi wrote:
>>>  
>>>> After upgrade to FC5, my squid cannot using havp (localhost:8080) as
>>>> parent proxy anymore. The audit log msg is here:
>>>>
>>>> ===> /var/log/audit/audit.log
>>>> type=AVC msg=audit(1152671338.823:21775): avc:  denied
>>>> { name_connect } for  pid=2371 comm="squid" dest=8080
>>>> scontext=system_u:system_r:squid_t:s0
>>>> tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
>>>> type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003
>>>> syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c
>>>> items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23
>>>> egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
>>>> subj=system_u:system_r:squid_t:s0
>>>> type=SOCKADDR msg=audit(1152671338.823:21775):
>>>> saddr=02001F907F0000010000000000000000
>>>> type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12
>>>> a1=bbdd8f8 a2=10
>>>>
>>>> How to fix this? Thx
>>>>     
>>>
>>> This is off-topic for fedora-extras-list. Please address any followups
>>> to fedora-selinux-list, where the right people will see it to get the
>>> problem fixed in the next selinux-policy update.
>>>
>>> I have fixed this problem here using a local policy module:
>>>
>>> policy_module(localmisc, 0.1.0)
>>>
>>> require {
>>>         type squid_t;
>>> };
>>>
>>> # Squid doing what comes naturally? WTF?
>>> corenet_tcp_connect_http_cache_port(squid_t)
>>> corenet_tcp_sendrecv_http_cache_port(squid_t)
>>>
>>>   
>> Ah, the real disadvantage of modules comes out.. hopefully policy 
>> issues like these will be referred to refpolicy upstream as well, so 
>> that the mainline policy can be fixed and not just this persons local 
>> setup...
>
> This is why I CC'ed the reply to fedora-selinux-list where I know Dan 
> will see it and it'll get pushed upstream if I haven't suggested 
> something silly.
>
Already updated upstream policy.  Thanks Paul
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

More information about the fedora-selinux-list mailing list