Squid question in FC3
Paul Howarth
paul at city-fan.org
Thu Feb 24 15:39:58 UTC 2005
Chris wrote:
> Thanks, and it's exactly because of that. I didn't realize that I installed SELinux...
>
> I got the following error messages when I do 'squid -z':
>
> Feb 25 00:30:26 eden kernel: audit(1109259026.091:0): avc: denied { search } for
> pid=4836 exe=/usr/sbin/squid name=tmp dev=hda12 ino=480001 scontext=root:system_r:squid_t
> tcontext=system_u:object_r:tmp_t tclass=dir
> Feb 25 00:30:26 eden squid: Failed to make swap directory /tmp/squid: (13) Permission
> denied
>
> I just don't get it since the dir is writable for squid:
>
> drwxr-xr-x 2 squid squid 4096 Feb 25 00:06 squid/
>
> Is this a known issue of SELinux? Is there any way to work around it?
This is a feature, not a bug ;-)
SELinux imposes additional restrictions on what the squid server can do,
so that if it is compromised, it is difficult for the attacker to do
anything useful with it, like write a rootkit to /tmp. This is all on
top of the existing unix permissions.
Try approaching the problem a different way. What is the underlying
reason why you want the squid cache to be in /tmp instead of
/var/spool/squid?
Paul.
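As an added illustration (not part of the thread), the AVC line Chris quoted can be parsed into its fields so that a log scan turns "avc: denied" noise into a readable statement of which domain was blocked from which type. The function names, the regexes and the rejoined sample line below are my own; the sample is the two kernel-log lines from the post, constructed back into the single line the kernel emits.

```python
import re
from typing import Dict, Optional

# Constructed sample: the wrapped kernel log lines from the post, rejoined.
SAMPLE_AVC = (
    "Feb 25 00:30:26 eden kernel: audit(1109259026.091:0): avc: denied { search } for "
    "pid=4836 exe=/usr/sbin/squid name=tmp dev=hda12 ino=480001 "
    "scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir"
)

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC line into result, permission list and key=value fields.

    Returns None for non-AVC lines (e.g. squid's own 'Failed to make swap
    directory' message), so a caller can filter a whole log through it.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {"result": m.group("result"), "perms": m.group("perms").split(), **fields}


def split_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type; only the first three fields are used, so a
    trailing MLS level from newer policies is ignored."""
    user, role, type_ = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": type_}


def describe(line: str) -> Optional[str]:
    """Human-readable one-liner: which domain was denied what on which type."""
    avc = parse_avc(line)
    if avc is None:
        return None
    src = split_context(avc["scontext"])["type"]
    tgt = split_context(avc["tcontext"])["type"]
    return (f"{avc['result']} {','.join(avc['perms'])} on {avc['tclass']} "
            f"'{avc.get('name', '?')}' for {src} (exe={avc.get('exe', '?')}) -> {tgt}")
```

Run over the post's line, `describe` yields "denied search on dir 'tmp' for squid_t (exe=/usr/sbin/squid) -> tmp_t", which is exactly the policy decision Paul describes: squid_t may not search tmp_t regardless of the unix mode bits.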