Squid cachemgr.cgi AVC denied

Lamont Peterson lamont at gurulabs.com
Fri Apr 20 22:57:15 UTC 2007


On Thursday 19 April 2007 12:06pm, Daniel J Walsh wrote:
> Lamont Peterson wrote:
> > On RHEL5 and FC6, I'm seeing an AVC denied message when trying to use
> > cachemgr.cgi:
> >
> > type=AVC msg=audit(1177002702.300:787): avc:  denied  { search } for
> > pid=18199 comm="cachemgr.cgi" name="squid" dev=hda5 ino=346594
> > scontext=root:system_r:httpd_t:s0
> > tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir
> >
> > If I'm reading this correctly, the problem is that the policy doesn't
> > allow cachemgr.cgi to get its /etc/squid/cachemgr.conf file because the
> > /etc/squid/ directory (and the cachemgr.conf file) are labeled:
> >
> > # ll -Zd /etc/squid/
> > drwxr-xr-x  root root system_u:object_r:squid_conf_t   /etc/squid/
> > # ll -Z /etc/squid/cachemgr.conf
> > -rw-r--r--  root squid
> > system_u:object_r:squid_conf_t   /etc/squid/cachemgr.conf
> >
> > Shall I file a bug for this or is it already known, fixed,
> > work-around-is-available?
>
> Please update to the latest selinux-policy.  This should work there.
>
> yum -y update selinux-policy

That might be well and good for FC6, but I don't see a single SELinux update 
for RHEL5 on RHN.  Is there one coming soon for RHEL5 or should we try 
installing the FC6 SELinux targeted policy on RHEL5?
-- 
Lamont Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]

NOTE:  All messages from this email address should be digitally signed with my
       0xDC0DD409 GPG key. It is available on the pgp.mit.edu keyserver as
       well as other keyservers that sync with MIT's.
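
Added example, not part of the original message: a small Python parser for the AVC denial quoted above. It undoes the mail quoting and wrapping, extracts the source and target types, and renders the type-enforcement rule the denial corresponds to. The function names are made up for this illustration; the rendered rule is a reading aid that shows what the loaded policy lacked, while the fix suggested in the thread is the selinux-policy update.

```python
import re

# The denial as quoted in the message above, mail wrapping and "> >" markers included.
QUOTED = """\
> > type=AVC msg=audit(1177002702.300:787): avc:  denied  { search } for
> > pid=18199 comm="cachemgr.cgi" name="squid" dev=hda5 ino=346594
> > scontext=root:system_r:httpd_t:s0
> > tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unquote(text):
    """Strip leading '>' quote markers and rejoin the wrapped record into one line."""
    return " ".join(re.sub(r"^(>\s?)+", "", ln).strip() for ln in text.splitlines())

def parse_avc(line):
    """Return the record's fields as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields

def context_type(context):
    """Type is the third field of user:role:type[:level]; the level may contain colons."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]

def te_rule(avc):
    """Render the allow rule that matches this denial (illustrative helper)."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        context_type(avc["scontext"]), context_type(avc["tcontext"]),
        avc["tclass"], perm_text)

if __name__ == "__main__":
    avc = parse_avc(unquote(QUOTED))
    print(avc["comm"], avc["result"], avc["perms"], "on", avc["name"])
    print(te_rule(avc))
```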