selinux, squid

Richard Pannell RichardP at multipro.com.au
Thu Aug 11 07:25:33 UTC 2005


>On Thu, 2005-08-11 at 13:47 +0800, Richard Pannell wrote:
>> 
>> I am having problems running squid authentication (ntlm_auth) in FC4
>> with selinux turned on. When I use setenforce 0 I have no problems.
>> But with setenforce set to 1 it fails. So using "audit2allow -l
>> -i /var/log/message" I got the following result
>> 
>> allow auditd_t initrc_t:unix_dgram_socket sendto;
>> allow klogd_t device_t:sock_file write;
>> allow klogd_t initrc_t:unix_dgram_socket sendto;
>> allow rpcd_t etc_runtime_t:file read;
>> allow rpcd_t proc_t:file read;
>> allow rpcd_t samba_etc_t:dir search;
>> allow rpcd_t samba_var_t:dir { getattr search };
>> allow syslogd_t etc_runtime_t:file read;
>> allow syslogd_t proc_t:file read; 
>> 
>> which I added
>> to /etc/selinux/targeted/src/policy/domains/misc/local.te and ran 
>> 
>> make -C /etc/selinux/targeted/src/policy clean
>> make -C /etc/selinux/targeted/src/policy load 
>
>Do you get the same output from audit2allow after doing this?
Yes, I do.
>
>Are you running auditd? If so, you should be looking
>in /var/log/audit/audit.log rather than /var/log/messages for AVC
>errors.
Yes, I am. So it was showing:

allow apmd_t device_t:sock_file write;
allow apmd_t devpts_t:chr_file { getattr ioctl };
allow apmd_t devpts_t:dir search;
allow apmd_t initrc_t:unix_dgram_socket sendto;
allow apmd_t selinux_config_t:file read;
allow auditd_t device_t:sock_file write;
allow bluetooth_t device_t:sock_file write;
allow httpd_t winbind_var_run_t:dir getattr;
allow ntpd_t device_t:sock_file write;
allow ntpd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t device_t:sock_file write;
allow system_dbusd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t winbind_var_run_t:dir getattr;
allow updfstab_t device_t:sock_file write;
allow winbind_helper_t initrc_t:unix_stream_socket connectto;
allow winbind_helper_t samba_var_t:dir search;

Added this to the local.te file, which worked. Thanks very much.
>
>Paul.
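The thread ends with every rule audit2allow proposed from the whole audit log being pasted into local.te, including denials for apmd, bluetooth, ntpd and dbus that have nothing to do with squid or ntlm_auth. The script below is an added example, not code from the thread or from the audit2allow tool itself: it parses AVC "denied" records the way audit2allow does (the same regex works for audit.log and for the kernel: lines in /var/log/messages), merges them into allow rules, and then shows the difference between accepting everything and keeping only the source domain the failing helper actually runs in (winbind_helper_t). It also emits the loadable-module .te form that audit2allow -M produces, since the /etc/selinux/targeted/src/policy tree used in the thread is the old monolithic-policy layout. The audit.log lines are constructed to mirror the denials quoted above, not captured from a real system; the module name "local" and the comm values are assumptions.

```python
"""Rebuild SELinux allow rules from AVC denials, restricted to the domains
that matter.  Added example; the log sample below is constructed, not real."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed /var/log/audit/audit.log excerpt: one non-AVC record, two
# denials from ntlm_auth (winbind_helper_t), one from httpd, two from rpcd
# that merge into one rule, and one from apmd that is unrelated to squid.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1123745133.101:400): arch=40000003 syscall=5 success=no exit=-13 comm="ntlm_auth"
type=AVC msg=audit(1123745133.101:400): avc:  denied  { search } for  pid=2201 comm="ntlm_auth" name="winbindd_privileged" dev=hda2 ino=262221 scontext=system_u:system_r:winbind_helper_t tcontext=system_u:object_r:samba_var_t tclass=dir
type=AVC msg=audit(1123745133.102:401): avc:  denied  { connectto } for  pid=2201 comm="ntlm_auth" name="pipe" scontext=system_u:system_r:winbind_helper_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
type=AVC msg=audit(1123745140.007:402): avc:  denied  { getattr } for  pid=1987 comm="httpd" name="winbindd" dev=hda2 ino=262300 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:winbind_var_run_t tclass=dir
type=AVC msg=audit(1123745150.300:403): avc:  denied  { getattr } for  pid=1650 comm="rpc.statd" name="samba" dev=hda2 ino=262200 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:samba_var_t tclass=dir
type=AVC msg=audit(1123745150.301:404): avc:  denied  { search } for  pid=1650 comm="rpc.statd" name="samba" dev=hda2 ino=262200 scontext=system_u:system_r:rpcd_t tcontext=system_u:object_r:samba_var_t tclass=dir
type=AVC msg=audit(1123745160.500:405): avc:  denied  { write } for  pid=1402 comm="apmd" name="log" dev=tmpfs ino=1100 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:device_t tclass=sock_file
"""

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')   # "{ getattr search }"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                      # key=value fields


@dataclass(frozen=True)
class Denial:
    comm: str        # process name, for the human reading the report
    source: str      # type of the process (from scontext)
    target: str      # type of the object (from tcontext)
    tclass: str
    perms: frozenset


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, None for any other line."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        return Denial(comm=fields.get('comm', ''),
                      source=type_of(fields['scontext']),
                      target=type_of(fields['tcontext']),
                      tclass=fields['tclass'],
                      perms=frozenset(m.group(1).split()))
    except (KeyError, IndexError):
        return None


def parse_log(text):
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def generate_rules(denials, only_domains=None):
    """Merge denials into one allow rule per (source, target, class).
    only_domains restricts output to the process domains you are fixing."""
    merged = defaultdict(set)
    for d in denials:
        if only_domains is not None and d.source not in only_domains:
            continue
        merged[(d.source, d.target, d.tclass)] |= d.perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


def to_module(rules, name='local', version='1.0'):
    """Wrap rules in the loadable-module .te skeleton (what audit2allow -M
    writes): module header plus a require block for every type and class."""
    types, classes = set(), defaultdict(set)
    for r in rules:
        m = re.match(r'allow (\S+) (\S+):(\S+) (?:\{ (.+) \}|(\S+));', r)
        src, tgt, cls, many, one = m.groups()
        types.update((src, tgt))
        classes[cls].update((many or one).split())
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', ''] + rules
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    denials = parse_log(SAMPLE_AUDIT_LOG)
    print('# everything the log would have audit2allow propose:')
    print('\n'.join(generate_rules(denials)))
    print('\n# only the domain ntlm_auth runs in, as a module:')
    print(to_module(generate_rules(denials, only_domains={'winbind_helper_t'})))
```

On a current Fedora or RHEL the equivalent of the thread's make steps is `audit2allow -a -M local` followed by `semodule -i local.pp`; `audit2allow -w` explains each denial and whether an existing boolean (see `getsebool -a`) already covers it, which is worth checking before writing any rule. The point of the filter is least privilege: the apmd, bluetooth, ntpd and dbus rules in the thread widen the policy for services that were never part of the squid problem.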