SELinux protect my squid using havp as parent proxy

Joshua Brindle method at gentoo.org
Wed Jul 12 12:37:17 UTC 2006


Paul Howarth wrote:
> On Wed, 2006-07-12 at 09:33 +0700, Lutfi wrote:
>   
>> After upgrade to FC5, my squid cannot using havp (localhost:8080) as
>> parent proxy anymore. The audit log msg is here:
>>
>> ===> /var/log/audit/audit.log
>> type=AVC msg=audit(1152671338.823:21775): avc:  denied
>> { name_connect } for  pid=2371 comm="squid" dest=8080
>> scontext=system_u:system_r:squid_t:s0
>> tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
>> type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003
>> syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c
>> items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23
>> egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
>> subj=system_u:system_r:squid_t:s0
>> type=SOCKADDR msg=audit(1152671338.823:21775):
>> saddr=02001F907F0000010000000000000000
>> type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12
>> a1=bbdd8f8 a2=10
>>
>> How to fix this? Thx
>>     
>
> This is off-topic for fedora-extras-list. Please address any followups
> to fedora-selinux-list, where the right people will see it to get the
> problem fixed in the next selinux-policy update.
>
> I have fixed this problem here using a local policy module:
>
> policy_module(localmisc, 0.1.0)
>
> require {
>         type squid_t;
> };
>
> # Squid doing what comes naturally? WTF?
> corenet_tcp_connect_http_cache_port(squid_t)
> corenet_tcp_sendrecv_http_cache_port(squid_t)
>
>   
Ah, the real disadvantage of modules comes out... hopefully policy issues 
like these will be referred to refpolicy upstream as well, so that the 
mainline policy can be fixed and not just this person's local setup...
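As an added example (not part of the thread, and not code from any of the posters), the following Python script parses the four audit records quoted above, groups them by audit serial, decodes the raw `saddr` bytes of the SOCKADDR record to confirm that squid really was connecting to 127.0.0.1:8080 (the havp parent), cross-checks that against the `dest=` field of the AVC record, and prints the raw TE allow rule that audit2allow would produce for the denial. The sample log is the thread's own records, re-joined onto one line per record because the mail client had wrapped them; the function names are this example's own.

```python
"""Parse an SELinux AVC denial (with its SYSCALL/SOCKADDR records) and decode it."""
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: the four records quoted in the thread, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1152671338.823:21775): avc:  denied  { name_connect } for  pid=2371 comm="squid" dest=8080 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1152671338.823:21775): saddr=02001F907F0000010000000000000000
type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12 a1=bbdd8f8 a2=10
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}')


def parse_records(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
        pm = PERMS_RE.search(m.group('body'))
        if pm:  # only AVC records carry the { perms } set
            fields['verdict'] = pm.group('verdict')
            fields['perms'] = pm.group('perms').split()
        events[int(m.group('serial'))][m.group('type')] = fields
    return dict(events)


def decode_saddr(hexstr):
    """Decode the raw sockaddr of a SOCKADDR record (AF_INET handled here)."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]   # sa_family_t is in host order (x86: LE)
    if family != socket.AF_INET:
        return {'family': family}
    port = struct.unpack('!H', raw[2:4])[0]    # sin_port is in network order
    return {'family': 'AF_INET', 'addr': socket.inet_ntoa(raw[4:8]), 'port': port}


def summarize(event):
    """Reduce one grouped event to the fields an admin needs to judge the denial."""
    avc = event['AVC']
    summary = {
        'verdict': avc['verdict'],
        'source_domain': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'comm': avc.get('comm'),
        'exe': event.get('SYSCALL', {}).get('exe'),
    }
    if 'SOCKADDR' in event:
        peer = decode_saddr(event['SOCKADDR']['saddr'])
        summary['peer'] = peer
        # The AVC dest= port and the decoded sockaddr port should agree.
        summary['dest_consistent'] = ('dest' not in avc) or int(avc['dest']) == peer.get('port')
    return summary


def allow_rule(summary):
    """Raw TE rule equivalent to what audit2allow emits for this denial."""
    perms = summary['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (
        summary['source_domain'], summary['target_type'], summary['tclass'], perm_str)


if __name__ == '__main__':
    for serial, event in parse_records(SAMPLE_AUDIT_LOG).items():
        s = summarize(event)
        print(serial, s)
        print(allow_rule(s))
```

The raw rule is what audit2allow would hand you; Paul's module instead reaches the same permission through the refpolicy interface `corenet_tcp_connect_http_cache_port(squid_t)`, which is the form worth sending upstream so the fix lands in the shipped policy rather than staying in one local module.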

