[FC3] squid ftp blocked by selinux

Alexander Dalloz ad+lists at uni-x.org
Sat Jul 30 13:44:44 UTC 2005


On Sat, 30.07.2005 at 14:14, Jurgen Kramer wrote:
> On Sat, 2005-07-30 at 12:57 +0100, Paul Howarth wrote:
> > On Sat, 2005-07-30 at 11:48 +0200, Jurgen Kramer wrote:

> > > After the last selinux policy update I can no longer use squid to proxy
> > > FTP transfers. dmesg shows lots of:
> > > 
> > > audit(1122716171.029:8): avc:  denied  { name_connect } for  pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > audit(1122716171.129:9): avc:  denied  { name_connect } for  pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > audit(1122716171.229:10): avc:  denied  { name_connect } for  pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > 
> > > HTTP transfers still function fine. How can I fix this?
> > 
> > Does this help?
> > 
> > # setsebool -P squid_connect_any 1
> 
> Yep, that worked. Is this a workaround? Does it survive reboots?

> Jurgen

Not a workaround, but a valid SELinux setting / adjustment. "man
setsebool" would answer your last question, telling you what the
"-P" parameter is for.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 15:43:23 up 14 days, 20:15, load average: 0.02, 0.08, 0.08 
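
The denials quoted in this thread can be reduced to the single access they describe. The following Python sketch is an added example, not part of the original mail or of any SELinux tool; the function names are hypothetical. It parses the wrapped dmesg records, collapses repeats, and renders the denied access in policy-language allow-rule form:

```python
import re
from collections import Counter

# The three denials quoted in the thread, line-wrapped as in the original mail.
SAMPLE = """\
audit(1122716171.029:8): avc:  denied  { name_connect } for  pid=2553
comm="squid" dest=21 scontext=user_u:system_r:squid_t
tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
audit(1122716171.129:9): avc:  denied  { name_connect } for  pid=2553
comm="squid" dest=21 scontext=user_u:system_r:squid_t
tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
audit(1122716171.229:10): avc:  denied  { name_connect } for  pid=2553
comm="squid" dest=21 scontext=user_u:system_r:squid_t
tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
"""

# One record runs from "avc: denied" up to the next "audit(" or end of input.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*?)(?=audit\(|\Z)",
    re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Type is the third field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (comm, dest, source type, target type, class, perms) per denial."""
    for m in AVC_RE.finditer(text):
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        yield (f.get("comm"), f.get("dest"), context_type(f["scontext"]),
               context_type(f["tcontext"]), f["tclass"],
               tuple(m.group("perms").split()))

def summarize(text):
    """Collapse repeated denials; render each as a policy-language allow rule."""
    rows = []
    for (comm, dest, src, tgt, cls, perms), n in Counter(parse_denials(text)).items():
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rows.append((n, comm, dest, f"allow {src} {tgt}:{cls} {p};"))
    return rows

if __name__ == "__main__":
    for n, comm, dest, rule in summarize(SAMPLE):
        print(f"{n}x comm={comm} dest={dest} -> {rule}")
```

The rendered rule names the exact access that was refused (squid_t opening a TCP connection to a port labelled ftp_port_t), which is the thing to compare against when deciding whether a boolean such as squid_connect_any covers it.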