seLinux, Squid and adzap

Daniel J Walsh dwalsh at redhat.com
Mon Jul 11 13:09:08 UTC 2005


David Niemi wrote:

>I am trying to get squid to run as an accelerator and also do ad zapping
>with Cameron Simpson's AdZap routine. I am getting lots of SELinux
>errors for the zapping script to be run by squid and also that squid do
>something with swap.state and swap log
>
>Setting the SELinux protection off for squid still results in the error
>about the swap.state and swap log.
>
>So it seems that I need to change something with the SELinux context for
>squid and the adzap scripts but have no real idea how to go about it.  I
>tried relabeling but that didn't do it.
>
>What can I do to remedy this?
>
>from messages
>Jul 10 11:33:08 rhonda ntpd[2467]: frequency initialized -12.030 PPM
>from /var/lib/ntp/drift
>Jul 10 11:33:08 rhonda squid[2519]: Squid Parent: child process 2522
>started
>Jul 10 11:33:09 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
>swap log.
>Jul 10 11:33:09 rhonda squid[2519]: Squid Parent: child process 2522
>exited due to signal 6
>Jul 10 11:33:12 rhonda squid[2519]: Squid Parent: child process 2533
>started
>Jul 10 11:33:12 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
>swap log.
>Jul 10 11:33:12 rhonda squid[2519]: Squid Parent: child process 2533
>exited due to signal 6
>Jul 10 11:33:15 rhonda squid[2519]: Squid Parent: child process 2544
>started
>Jul 10 11:33:15 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
>swap log.
>Jul 10 11:33:15 rhonda squid[2519]: Squid Parent: child process 2544
>exited due to signal 6
>Jul 10 11:33:18 rhonda squid[2519]: Squid Parent: child process 2555
>started
>Jul 10 11:33:18 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
>swap log.
>Jul 10 11:33:18 rhonda squid[2519]: Squid Parent: child process 2555
>exited due to signal 6
>Jul 10 11:33:21 rhonda squid[2519]: Squid Parent: child process 2569
>started
>Jul 10 11:33:22 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
>swap log.
>Jul 10 11:33:22 rhonda squid[2519]: Squid Parent: child process 2569
>exited due to signal 6
>Jul 10 11:33:22 rhonda squid[2519]: Exiting due to repeated, frequent
>failures
>
>from audit
>type=SYSCALL msg=audit(1121009601.928:43072): arch=40000003 syscall=102
>success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
>pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
>sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
>type=AVC msg=audit(1121009601.928:43072): avc:  denied  { name_connect }
>for  pid=2569 comm="squid" dest=32811 scontext=system_u:system_r:squid_t
>tcontext=system_u:object_r:port_t tclass=tcp_socket
>type=SOCKETCALL msg=audit(1121009601.929:43096): nargs=3 a0=7
>a1=bfcc06ec a2=10
>type=SOCKADDR msg=audit(1121009601.929:43096):
>saddr=0200802D7F0000010000000000000000
>type=SYSCALL msg=audit(1121009601.929:43096): arch=40000003 syscall=102
>success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
>pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
>sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
>type=AVC msg=audit(1121009601.929:43096): avc:  denied  { name_connect }
>for  pid=2569 comm="squid" dest=32813 scontext=system_u:system_r:squid_t
>tcontext=system_u:object_r:port_t tclass=tcp_socket
>type=SOCKETCALL msg=audit(1121009601.930:43120): nargs=3 a0=7
>a1=bfcc06ec a2=10
>type=SOCKADDR msg=audit(1121009601.930:43120):
>saddr=0200802F7F0000010000000000000000
>type=SYSCALL msg=audit(1121009601.930:43120): arch=40000003 syscall=102
>success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
>pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
>sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
>type=AVC msg=audit(1121009601.930:43120): avc:  denied  { name_connect }
>for  pid=2569 comm="squid" dest=32815 scontext=system_u:system_r:squid_t
>tcontext=system_u:object_r:port_t tclass=tcp_socket
>type=SOCKETCALL msg=audit(1121009601.930:43144): nargs=3 a0=7
>a1=bfcc06ec a2=10
>type=SOCKADDR msg=audit(1121009601.930:43144):
>saddr=020080317F0000010000000000000000
>type=SYSCALL msg=audit(1121009601.930:43144): arch=40000003 syscall=102
>success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
>pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
>sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
>type=AVC msg=audit(1121009601.930:43144): avc:  denied  { name_connect }
>for  pid=2569 comm="squid" dest=32817 scontext=system_u:system_r:squid_t
>tcontext=system_u:object_r:port_t tclass=tcp_socket
>
>from cache.log
>2005/07/10 11:33:21| Starting Squid Cache version 2.5.STABLE9 for
>i386-redhat-linux-gnu...
>2005/07/10 11:33:21| Process ID 2569
>2005/07/10 11:33:21| With 1024 file descriptors available
>2005/07/10 11:33:21| DNS Socket created at 0.0.0.0, port 32775, FD 5
>2005/07/10 11:33:21| Adding nameserver 24.153.22.67
>from /etc/resolv.conf
>2005/07/10 11:33:21| Adding nameserver 24.153.23.66
>from /etc/resolv.conf
>2005/07/10 11:33:21| helperOpenServers: Starting 5 'squid_redirect'
>processes
>2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
>process.
>2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
>process.
>2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
>process.
>2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
>process.
>2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
>process.
>2005/07/10 11:33:21| User-Agent logging is disabled.
>2005/07/10 11:33:21| Referer logging is disabled.
>2005/07/10 11:33:21| Unlinkd pipe opened on FD 10
>2005/07/10 11:33:21| Swap maxSize 102400 KB, estimated 7876 objects
>2005/07/10 11:33:21| Target number of buckets: 393
>2005/07/10 11:33:21| Using 8192 Store buckets
>2005/07/10 11:33:21| Max Mem  size: 8192 KB
>2005/07/10 11:33:21| Max Swap size: 102400 KB
>2005/07/10 11:33:21| /var/spool/squid/swap.state: (13) Permission denied
>FATAL: storeUfsDirOpenSwapLog: Failed to open swap log.
>Squid Cache (Version 2.5.STABLE9): Terminated abnormally.
>CPU Usage: 0.019 seconds = 0.006 user + 0.013 sys
>Maximum Resident Size: 0 KB
>Page faults with physical i/o: 0
>
>from squid.out
>squid: ERROR: Could not send signal 0 to process 31876: (3) No such
>process
>
>/var/spool/
>drwxr-x---  squid    squid    system_u:object_r:squid_cache_t  squid
>
>/usr/local/bin/
>[root@rhonda bin]# ls -alZ
>drwxr-xr-x  root     root     system_u:object_r:bin_t          .
>drwxr-xr-x  root     root     system_u:object_r:usr_t          ..
>-rwxr-xr-x  root     root     system_u:object_r:bin_t          squid_redirect
>-rwxr-xr-x  root     root     system_u:object_r:bin_t          wrapzap
>
>
Turn on boolean squid_connect_any

setsebool -P squid_connect_any=1
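
To see what the name_connect denials in the quoted audit excerpt refer to before enabling the boolean, the following added example (not part of the original reply) joins each AVC record with the SOCKADDR record that shares its audit serial number and decodes the socket address. The function names are hypothetical, and the sample records are copied from the quoted post with the e-mail line wrapping undone.

```python
import re
import socket
import struct

# Audit records copied from the quoted post, e-mail line wrapping undone.
SAMPLE = """\
type=AVC msg=audit(1121009601.928:43072): avc:  denied  { name_connect } for  pid=2569 comm="squid" dest=32811 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SOCKADDR msg=audit(1121009601.929:43096): saddr=0200802D7F0000010000000000000000
type=AVC msg=audit(1121009601.929:43096): avc:  denied  { name_connect } for  pid=2569 comm="squid" dest=32813 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SOCKADDR msg=audit(1121009601.930:43120): saddr=0200802F7F0000010000000000000000
type=AVC msg=audit(1121009601.930:43120): avc:  denied  { name_connect } for  pid=2569 comm="squid" dest=32815 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
AVC = re.compile(r'denied\s+\{ ([^}]+) \}.*?comm="([^"]+)".*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')


def decode_saddr(hex_saddr):
    """Decode a sockaddr_in dump; returns (address, port) or None if not AF_INET."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]  # assumption: little-endian host (arch=40000003 is i386)
    if family != socket.AF_INET:
        return None
    port = struct.unpack("!H", raw[2:4])[0]  # port and address are in network byte order
    return socket.inet_ntoa(raw[4:8]), port


def summarize_denials(text):
    """Join each AVC denial with the SOCKADDR record carrying the same audit serial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == "AVC" and (a := AVC.search(body)):
            perms, comm, scon, tcon, tclass = a.groups()
            ev.update(perms=perms.split(), comm=comm, source_type=scon.split(":")[2],
                      target_type=tcon.split(":")[2], tclass=tclass)
        elif rtype == "SOCKADDR" and (s := re.search(r"saddr=([0-9A-Fa-f]+)", body)):
            ev["peer"] = decode_saddr(s.group(1))
    return [{"serial": k, "peer": None, **v} for k, v in events.items() if "perms" in v]


if __name__ == "__main__":
    for denial in summarize_denials(SAMPLE):
        print(denial)
```

On these records every decoded peer is 127.0.0.1 on a high port labelled with the generic port_t type, and the source domain is squid_t.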

More information about the fedora-selinux-list mailing list