[FC3] squid ftp blocked by selinux

Paul Howarth paul at city-fan.org
Sat Jul 30 13:46:34 UTC 2005


On Sat, 2005-07-30 at 14:14 +0200, Jurgen Kramer wrote:
> On Sat, 2005-07-30 at 12:57 +0100, Paul Howarth wrote:
> > On Sat, 2005-07-30 at 11:48 +0200, Jurgen Kramer wrote:
> > > After the last selinux policy update I can no longer use squid to proxy
> > > FTP transfers. dmesg shows lots of:
> > > 
> > > audit(1122716171.029:8): avc:  denied  { name_connect } for  pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > audit(1122716171.129:9): avc:  denied  { name_connect } for  pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > audit(1122716171.229:10): avc:  denied  { name_connect } for  pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > 
> > > HTTP transfers still function fine. How can I fix this?
> > 
> > Does this help?
> > 
> > # setsebool -P squid_connect_any 1
> 
> Yep, that worked. Is this a workaround? Does it survive reboots?

No, it's not a workaround; it's the "official" method of getting SELinux
to allow squid to connect to non-standard ports.

The "-P" option means that the setting will survive a reboot.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
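As an added example (not code from the thread or from Fedora), a small POSIX shell script that summarizes AVC denials in the dmesg format Jurgen quoted and, for the squid_t name_connect case, prints the persistent boolean change Paul recommended; the sample records below are constructed from the quoted lines, with one granted record added so the filter has something to skip.

```shell
#!/bin/sh
# Constructed sample AVC records (each record on one line, as dmesg emits it).
AVC_SAMPLE='audit(1122716171.029:8): avc:  denied  { name_connect } for  pid=2553 comm="squid" dest=21 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
audit(1122716171.129:9): avc:  denied  { name_connect } for  pid=2553 comm="squid" dest=21 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
audit(1122716171.229:10): avc:  granted  { name_connect } for  pid=2553 comm="squid" dest=80 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket'

# summarize_avc: read AVC records on stdin and print one line per distinct
# (comm, source domain, permission, target type, dest port) with its count.
# Granted records are ignored; only denials need a decision from the admin.
summarize_avc() {
    awk '
        /avc: +denied/ {
            perm = ""; dom = ""; ttype = ""; dest = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)                     # { name_connect }
                if ($i ~ /^scontext=/) { n = split($i, a, ":"); dom = a[n] }
                if ($i ~ /^tcontext=/) { n = split($i, b, ":"); ttype = b[n] }
                if ($i ~ /^dest=/) dest = substr($i, 6)
                if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            count[comm " " dom " " perm " " ttype " " dest]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# suggest_fix: for the squid_t name_connect denials discussed in the thread,
# print the boolean change from the thread (-P makes it persist across reboots).
# Any other domain/permission pair is left for manual review with audit2allow.
suggest_fix() {
    while read -r count comm dom perm ttype dest; do
        if [ "$dom" = "squid_t" ] && [ "$perm" = "name_connect" ]; then
            echo "setsebool -P squid_connect_any 1   # $count denials to $ttype port $dest"
        else
            echo "no canned fix for $dom $perm $ttype (review with audit2allow)"
        fi
    done
}

# Usage: feed the sample (or `dmesg | grep avc:`) through both stages.
printf '%s\n' "$AVC_SAMPLE" | summarize_avc | suggest_fix
```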