SELinux protect my squid using havp as parent proxy

Wed Jul 12 13:23:32 UTC 2006

Joshua Brindle wrote:
> Paul Howarth wrote:
>> On Wed, 2006-07-12 at 09:33 +0700, Lutfi wrote:
>>  
>>> After upgrade to FC5, my squid cannot using havp (localhost:8080) as
>>> parent proxy anymore. The audit log msg is here:
>>>
>>> ===> /var/log/audit/audit.log
>>> type=AVC msg=audit(1152671338.823:21775): avc:  denied
>>> { name_connect } for  pid=2371 comm="squid" dest=8080
>>> scontext=system_u:system_r:squid_t:s0
>>> tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
>>> type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003
>>> syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c
>>> items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23
>>> egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
>>> subj=system_u:system_r:squid_t:s0
>>> type=SOCKADDR msg=audit(1152671338.823:21775):
>>> saddr=02001F907F0000010000000000000000
>>> type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12
>>> a1=bbdd8f8 a2=10
>>>
>>> How to fix this? Thx
>>>     
>>
>> This is off-topic for fedora-extras-list. Please address any followups
>> to fedora-selinux-list, where the right people will see it to get the
>> problem fixed in the next selinux-policy update.
>>
>> I have fixed this problem here using a local policy module:
>>
>> policy_module(localmisc, 0.1.0)
>>
>> require {
>>         type squid_t;
>> };
>>
>> # Squid doing what comes naturally? WTF?
>> corenet_tcp_connect_http_cache_port(squid_t)
>> corenet_tcp_sendrecv_http_cache_port(squid_t)
>>
>>   
> Ah, the real disadvantage of modules comes out.. hopefully policy issues 
> like these will be referred to refpolicy upstream as well, so that the 
> mainline policy can be fixed and not just this persons local setup...

This is why I CC'ed the reply to fedora-selinux-list where I know Dan 
will see it and it'll get pushed upstream if I haven't suggested 
something silly.

Paul.