Help with squid / squidGuard

Arthur Dent selinux.list at troodos.demon.co.uk
Thu Feb 5 21:25:57 UTC 2009


On Thu, Feb 05, 2009 at 08:50:39PM +0100, Dominick Grift wrote:
> On Thursday 05-02-2009 at 18:42 [timezone +0000], Arthur Dent
> wrote:
> 
> > The proposed remedy of:
> > restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db'
> > made no difference.
> > 
> > When I do a ls -laZ on these directories I get a mixture of:
> > squid squid system_u:object_r:var_t:s0 and
> > squid squid unconfined_u:object_r:var_t:s0
> 
> It looks like squidGuard owns /var/squidGuard but does not manage its
> content with a private type.
> 
> Then later squid tries to interact with squidGuards content there.
> 
> But the content is created with a generic type for var (var_t)
> 
> You can solve this issue by writing policy for squidGuard. You should
> enforce squidGuard to manage its files using private types instead of
> just using the generic var_t.
> 
> Then later, you can give squid access to that type.
> 
> Can you share your policy for squidGuard?

Well, the only policy I have is the one created with audit2allow that I
posted in my original mail.

> In which domain is the squidGuard process running? ps auxZ | grep
> squidguard.
[root at tmydomain selinux]# ps auxZ | grep squid
unconfined_u:system_r:squid_t:s0 root     5554  0.0  0.0  10700   308 ?
Ss   01:13   0:00 squid -D -f /etc/squid/squid.conf
unconfined_u:system_r:squid_t:s0 squid    5557  0.5  1.9  25624  7624 ?
S    01:13   6:38 (squid) -D -f /etc/squid/squid.conf
unconfined_u:system_r:squid_t:s0 squid    5558  0.0  1.0  15212  4080 ?
Ss   01:13   0:05 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid    5559  0.0  0.7  14284  3020 ?
Ss   01:13   0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid    5560  0.0  0.6  13360  2332 ?
Ss   01:13   0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid    5561  0.0  0.5  12964  2092 ?
Ss   01:13   0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid    5562  0.0  0.2  12300  1084 ?
Ss   01:13   0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid    5563  0.0  0.1   3228   396 ?
Ss   01:13   0:00 (unlinkd)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19810 0.0
0.1 5040 708 pts/1 S+ 19:55   0:00 grep squid

Apologies for the line wrap!


> 
> The point is that squid_t is not allowed to read and write generic
> content in /var.
> 
> hth

Thanks - I am still a little unclear as to how best to proceed. My local
policy allows it all to work - should I just stick with that or work at
fixing the underlying problem?

Mark

p.s.

This is all I have in my policy module:

# cat mysquid.te
policy_module(mysquid, 9.1.0)
require {
        type squid_t;
}

#============= squid_t ==============
files_rw_var_files(squid_t)
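As an added example (not code from this thread, from Fedora's policy or from the squidGuard project) of what the suggested fix looks like in practice: a small module that labels /var/squidGuard with a private file type and lets squid_t manage only that type, instead of granting it read/write on every generic var_t file as files_rw_var_files(squid_t) does. The module name mysquidguard, the type name squidguard_var_t, the path /var/squidGuard and the refpolicy interfaces it calls are assumptions. Because the ps output above shows the squidGuard helpers running inside squid_t, the example grants squid_t the access directly rather than defining a separate squidguard domain; a proper domain for squidGuard would need its own domain transition policy and is beyond this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a narrower SELinux
# module than files_rw_var_files(squid_t).  It declares a private type for
# squidGuard's blacklist databases and allows squid_t (the domain the
# squidGuard redirector helpers run in) to manage only that type.
# Assumed names: module mysquidguard, type squidguard_var_t, dir /var/squidGuard.
set -e

MODULE=mysquidguard
TYPE=squidguard_var_t
DATADIR=/var/squidGuard

# write_module DIR: emit $MODULE.te and $MODULE.fc into DIR
write_module() {
    dir="$1"
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

require {
    type squid_t;
}

# Private type for squidGuard's data instead of the generic var_t
type $TYPE;
files_type($TYPE)

# squid_t runs the squidGuard helpers, so it is the domain that creates,
# reads and rewrites the .db files; allow that on the private type only
files_search_var(squid_t)
manage_dirs_pattern(squid_t, $TYPE, $TYPE)
manage_files_pattern(squid_t, $TYPE, $TYPE)
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$DATADIR(/.*)?    gen_context(system_u:object_r:$TYPE,s0)
EOF
}

# module_grants DIR: sanity check that the generated module uses the private
# type and has not fallen back to the blanket var_t interface
module_grants() {
    te="$1/$MODULE.te"
    grep -q "type $TYPE;" "$te" &&
    grep -q "manage_files_pattern(squid_t, $TYPE, $TYPE)" "$te" &&
    ! grep -q 'files_rw_var_files' "$te"
}

# build_and_install DIR: compile, load and relabel.  Needs selinux-policy-devel
# and root; skipped (module left on disk) when the devel Makefile is absent.
build_and_install() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; module left in $dir" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp")
    semodule -i "$dir/$MODULE.pp"
    # Apply the new file context to the existing blacklist files
    restorecon -Rv "$DATADIR"
}

# Usage: sh mysquidguard.sh [workdir]
workdir="${1:-$(mktemp -d)}"
write_module "$workdir"
module_grants "$workdir"
build_and_install "$workdir"
```

After semodule -i and restorecon, `ls -Z /var/squidGuard/blacklists/blacklists/porn/domains.db` should show squidguard_var_t rather than var_t, and the mysquid module with files_rw_var_files(squid_t) can be removed with `semodule -r mysquid`. If anything else (for example a cron job that rebuilds the blacklists) runs in another domain and writes to /var/squidGuard, it will now need an allow rule on squidguard_var_t too; the audit log will show it.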