fedora-selinux-list Digest, Vol 20, Issue 18
Jayendren Anand Maduray
jayendren at hivsa.com
Thu Oct 27 13:48:22 UTC 2005
Hi!
The relabeling was done by touching a /.autorelabel
Followed advice, and ran:
[root at shiva music]# restorecon -R -v /var/log
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######.log->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/samba/#######->system_u:object_r:var_log_t
restorecon reset context /var/log/Xorg.0.log.old->system_u:object_r:var_log_t
restorecon reset context /var/log/Xorg.0.log->system_u:object_r:var_log_t
restorecon reset context /var/log/squid/store.log->system_u:object_r:squid_log_t
restorecon reset context /var/log/squid/access.log->system_u:object_r:squid_log_t
restorecon reset context /var/log/squid/cache.log->system_u:object_r:squid_log_t
restorecon reset context /var/log/squid/squid.out->system_u:object_r:squid_log_t
restorecon reset context /var/log/gdm/:0.log->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.3->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.1->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.2->system_u:object_r:var_log_t
restorecon reset context /var/log/gdm/:0.log.4->system_u:object_r:var_log_t
[root at shiva music]# ls -lZ /var/log/squid/
-rw-r--r-- squid squid system_u:object_r:squid_log_t access.log
-rw-r--r-- squid squid system_u:object_r:squid_log_t cache.log
-rw-r--r-- squid squid system_u:object_r:squid_log_t squid.out
-rw-r--r-- squid squid system_u:object_r:squid_log_t store.log
[root at shiva music]# service squid restart
Stopping squid: /etc/init.d/squid: line 82: 8548 Aborted $SQUID -k check >>/var/log/squid/squid.out 2>&1
[FAILED]
Starting squid: /etc/init.d/squid: line 53: 8549 Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out 2>&1
[FAILED]
[root at shiva music]# dmesg | tail
audit(1130420511.344:0): avc: denied { getattr } for pid=8548 exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8 ino=185872 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
audit(1130420511.595:0): avc: denied { getattr } for pid=8549 exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8 ino=185872 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
Some values were hashed out for obvious reasons.
Thanks again for your input. It is appreciated.
God bless.
Daniel J Walsh wrote:
> Jayendren Anand Maduray wrote:
>
>> Hi!
>>
>> Just noticed more errors!
>>
>> Here is the output:
>>
>> audit(1130392269.590:0): avc: denied { append } for pid=3218 exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
>> audit(1130392269.590:0): avc: denied { append } for pid=3218 exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
>> audit(1130392270.019:0): avc: denied { getattr } for pid=3218 exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
>
> Looks like you labeled /var/log/squid incorrectly. restorecon -R -v /var/log
>
>>
>>
>> Also:
>>
>> [root at shiva jay]# ls -lZ /var/log/squid/
>> -rw-r--r-- squid squid system_u:object_r:bin_t access.log
>> -rw-r--r-- squid squid system_u:object_r:bin_t cache.log
>> -rw-r--r-- squid squid system_u:object_r:bin_t squid.out
>> -rw-r--r-- squid squid system_u:object_r:bin_t store.log
>>
>> [root at shiva jay]# service squid restart
>>
>> Stopping squid: /etc/init.d/squid: line 82: 5108 Aborted $SQUID -k check >>/var/log/squid/squid.out 2>&1
>> [FAILED]
>> Starting squid: /etc/init.d/squid: line 53: 5109 Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out 2>&1
>> [FAILED]
>>
>> Please note that I re-enabled SELinux for squid via
>> system-config-security in FC3.
>>
>> Any help will be appreciated.
>>
>> God bless.
>>
>>
>> Daniel J Walsh wrote:
>>
>>> Jayendren Anand Maduray wrote:
>>>
>>>> Thanks for your help, again!
>>>>
>>>> Here is the output:
>>>>
>>>> [root at shiva jay]# chcon -t bin_t /usr/local/squidclamav/bin/*
>>>> You have mail in /var/spool/mail/jay
>>>> [root at shiva jay]#
>>>> [root at shiva jay]# ls -lZ /usr/local/squidclamav/bin
>>>> -rwxr-xr-x root root system_u:object_r:bin_t squidclamav
>>>>
>>>>
>>>> I will reboot, and check the system as it starts up.
>>>>
>>>> Currently, I use system-config-securitylevel to re-enable squid.
>>>>
>>>> Which file can I edit to do this from the command line?
>>>
>>>
>>> setsebool and getsebool are command line tools for manipulating
>>> booleans
>>>
>>> setsebool -P squid_disable_trans=1
>>>
>>> Enables SELinux enforcement and writes this to the defaults file
>>>
>>> /etc/selinux/SELINUXTYPE/booleans.local
>>>
>>>
>>
>
>
--
Jayendren Anand Maduray
Microsoft Certified Professional
Network Plus
IT Administrator
Perinatal HIV Research Unit
Old Potch Road
Chris Hani Baragwanath Hospital
Soweto
South Africa
Tel: +27 11 989 9776
Tel: +27 11 989 9999
Fax: +27 11 938 3973
Cel: 082 22 774 94
Alternate email address: jayendren at mweb.co.za
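
An added example, not part of the original thread: a small parser for the AVC denial records quoted in these messages, grouping them by source type, target type and class, and flagging paths under /var/log whose target type is not a log type. The function names, the SAMPLE text (the thread's records rejoined onto one line each) and the "_log_t" suffix heuristic are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from this thread, each rejoined onto one line.
SAMPLE = """\
audit(1130392269.590:0): avc: denied { append } for pid=3218 exe=/usr/sbin/squid path=/var/log/squid/squid.out dev=hda8 ino=755115 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
audit(1130392270.019:0): avc: denied { getattr } for pid=3218 exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8 ino=185872 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
audit(1130420511.344:0): avc: denied { getattr } for pid=8548 exe=/usr/sbin/squid path=/usr/local/squidclamav/bin/squidclamav dev=hda8 ino=185872 scontext=root:system_r:squid_t tcontext=system_u:object_r:bin_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; type enforcement decisions use the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials: (source type, target type, class) -> {path: set of perms}."""
    out = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        out[key][rec.get("path", "?")].update(rec["perms"])
    return out

def mislabeled_logs(text, log_root="/var/log/"):
    """Denied paths under log_root whose type lacks the assumed '_log_t' suffix."""
    hits = set()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        path = rec.get("path", "")
        if path.startswith(log_root) and not rec["ttype"].endswith("_log_t"):
            hits.add((path, rec["ttype"]))
    return sorted(hits)

if __name__ == "__main__":
    for key, paths in summarize(SAMPLE).items():
        print(key, {p: sorted(v) for p, v in paths.items()})
    print("mislabeled:", mislabeled_logs(SAMPLE))
```

Run against the thread's records, the only flagged log path is squid.out carrying bin_t, which is the label the restorecon run at the top of this message replaces with squid_log_t.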