squid reverse proxy - AVC
Daniel J Walsh
dwalsh at redhat.com
Sun Jan 4 19:38:04 UTC 2009
Mail Lists wrote:
> I use squid on the border firewall to act as a reverse proxy for
> non-https web server.
>
> This is Fedora 10 fully updated with SELinux set to permissive until
> it's clean, I see this logged - any suggestions how to deal with it?
>
>
> Thanks for any help
>
> gene
>
>
>
> Summary:
>
> SELinux is preventing squid (squid_t) "search" to ./etc (named_conf_t).
>
> ...
>
> Source Context unconfined_u:system_r:squid_t:s0
> Target Context system_u:object_r:named_conf_t:s0
> Target Objects ./etc [ dir ]
> Source squid
> Source Path /usr/sbin/squid
> Port <Unknown>
>
> ...
>
> Raw Audit Messages
> type=AVC msg=audit(1230675079.826:69): avc: denied { search }
> for pid=4026 comm="squid" name="etc" dev=sda1 ino=207365
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
>
> type=SYSCALL msg=audit(1230675079.826:69): arch=40000003
> syscall=11 success=no exit=-2 a0=bfcda538 a1=bfcd94fc a2=bfcda7e8
> a3=1 items=0 ppid=4025 pid=4026 auid=500 uid=23 gid=23 euid=0 suid=0
> fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=2
> comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0
> key=(null)
>
>
This looks like squid_t is searching a directory named etc which is
labeled named_conf_t?
What does ls -ldZ /etc say?
Did you relabel /etc directory named_conf_t?
Do you have squid running within some kind of named chroot?
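The check the reply asks for, as an added example that is not part of the original thread: Python that pairs the quoted AVC and SYSCALL records by audit event id and compares the denied directory's label with a line of ls -ldZ /etc output. The function names are assumptions, and the ls line is constructed to show /etc carrying its default etc_t label.

```python
import errno
import re

# Constructed input: the two raw audit records quoted above, re-joined onto one line each.
AUDIT_LOG = """\
type=AVC msg=audit(1230675079.826:69): avc: denied { search } for pid=4026 comm="squid" name="etc" dev=sda1 ino=207365 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1230675079.826:69): arch=40000003 syscall=11 success=no exit=-2 a0=bfcda538 a1=bfcd94fc a2=bfcda7e8 a3=1 items=0 ppid=4025 pid=4026 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
"""
# Constructed, hypothetical `ls -ldZ /etc` output for a host where /etc has its default label.
LS_OUTPUT = "drwxr-xr-x  root root system_u:object_r:etc_t:s0       /etc"

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
CONTEXT = re.compile(r"\b\w+:\w+:(\w+):s\d")

def selinux_type(text):
    """Return the type field of the first SELinux context found in text."""
    m = CONTEXT.search(text)
    return m.group(1) if m else None

def parse_denials(log):
    """Group records by audit event id and summarize each AVC denial."""
    events = {}
    for line in log.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, _, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        if rtype == "AVC":
            fields["perms"] = re.search(r"\{ ([^}]*)\}", line).group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue
        code = -int(sc.get("exit", "0"))  # audit logs a failed syscall as -errno
        out.append({"event": serial, "perms": avc["perms"], "class": avc.get("tclass"),
                    "name": avc.get("name"), "inode": avc.get("ino"),
                    "source": selinux_type(avc["scontext"]),
                    "target": selinux_type(avc["tcontext"]), "exe": sc.get("exe"),
                    "errno": errno.errorcode.get(code) if code > 0 else None})
    return out

def same_label(denial, ls_line):
    """True if the directory shown by ls -ldZ carries the label the AVC reported."""
    return selinux_type(ls_line) == denial["target"]
```

A False result from same_label means the denied object is not the system /etc but another directory named etc; the inode and device in the AVC record identify which one.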