Help with squid / squidGuard
Arthur Dent
selinux.list at troodos.demon.co.uk
Thu Feb 5 21:25:57 UTC 2009
On Thu, Feb 05, 2009 at 08:50:39PM +0100, Dominick Grift wrote:
> On Thursday 05-02-2009 at 18:42 [timezone +0000], Arthur
> Dent wrote:
>
> > The proposed remedy of:
> > restorecon -v '/var/squidGuard/blacklists/blacklists/porn/domains.db'
> > made no difference.
> >
> > When I do a ls -laZ on these directories I get a mixture of:
> > squid squid system_u:object_r:var_t:s0 and
> > squid squid unconfined_u:object_r:var_t:s0
>
> It looks like squidGuard owns /var/squidGuard but does not manage its
> content with a private type.
>
> Then later squid tries to interact with squidGuards content there.
>
> But the content is created with a generic type for var (var_t)
>
> You can solve this issue by writing policy for squidGuard. You should
> enforce squidGuard to manage its files using private types instead of
> just using the generic var_t.
>
> Then later, you can give squid access to that type.
>
> Can you share your policy for squidGuard?
Well, the only policy I have is the one created with audit2allow that I
posted in my original mail.
> In which domain is the squidGuard process running? ps auxZ | grep
> squidguard.
[root at tmydomain selinux]# ps auxZ | grep squid
unconfined_u:system_r:squid_t:s0 root 5554 0.0 0.0 10700 308 ? Ss 01:13 0:00 squid -D -f /etc/squid/squid.conf
unconfined_u:system_r:squid_t:s0 squid 5557 0.5 1.9 25624 7624 ? S 01:13 6:38 (squid) -D -f /etc/squid/squid.conf
unconfined_u:system_r:squid_t:s0 squid 5558 0.0 1.0 15212 4080 ? Ss 01:13 0:05 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5559 0.0 0.7 14284 3020 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5560 0.0 0.6 13360 2332 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5561 0.0 0.5 12964 2092 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5562 0.0 0.2 12300 1084 ? Ss 01:13 0:00 (squidGuard) -c /etc/squid/squidGuard.conf
unconfined_u:system_r:squid_t:s0 squid 5563 0.0 0.1 3228 396 ? Ss 01:13 0:00 (unlinkd)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19810 0.0 0.1 5040 708 pts/1 S+ 19:55 0:00 grep squid
Apologies for the line wrap!
>
> The point is that squid_t is not allowed to read and write generic
> content in /var.
>
> hth
Thanks - I am still a little unclear as to how best to proceed. My local
policy allows it all to work - should I just stick with that or work at
fixing the underlying problem?
Mark
p.s.
This is all I have in my policy module:
# cat mysquid.te
policy_module(mysquid, 9.1.0)
require {
type squid_t;
}
#============= squid_t ==============
files_rw_var_files(squid_t)
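The private-type approach suggested in the quoted reply, as an added example that is not part of the thread and not Fedora's shipped policy. Since the ps auxZ output shows squidGuard running inside squid_t (no separate domain), this module only gives /var/squidGuard its own file type and lets squid_t manage that type, instead of opening all of var_t with files_rw_var_files(). The module name mysquidguard, the type name squidguard_var_t, and the /usr/share/selinux/devel build path are assumptions; a dedicated squidguard_t domain with a transition from squid_t is not shown.

```shell
#!/bin/sh
# Added example: build a small SELinux module that gives /var/squidGuard a
# private type and grants squid_t (where squidGuard runs in this thread)
# access to it. Names below are assumptions, not from the original page.
set -eu

MODULE=mysquidguard          # assumed module name
PRIVTYPE=squidguard_var_t    # assumed private type name
DATADIR=/var/squidGuard      # path from the thread

# Write the .te (rules) and .fc (file contexts) sources into DIR.
write_policy_sources() {
    dir=$1
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

require {
    type squid_t;
}

# Private type for squidGuard's blacklists and .db files (replaces var_t).
type $PRIVTYPE;
files_type($PRIVTYPE)

# squidGuard runs as squid_t here, so squid_t manages the private type.
manage_dirs_pattern(squid_t, $PRIVTYPE, $PRIVTYPE)
manage_files_pattern(squid_t, $PRIVTYPE, $PRIVTYPE)

# If squid_t creates $DATADIR itself directly under /var, label it privately.
files_var_filetrans(squid_t, $PRIVTYPE, { dir file })
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$DATADIR(/.*)?    gen_context(system_u:object_r:$PRIVTYPE,s0)
EOF
}

# Build, load and relabel. Needs selinux-policy-devel and root.
build_and_load() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
    semodule -i "$dir/$MODULE.pp"
    # Apply the new file contexts to the existing tree and show the result.
    restorecon -Rv "$DATADIR"
    ls -dZ "$DATADIR"
}

# Sanity-check the generated sources; works without SELinux tools installed.
check_policy_sources() {
    dir=$1
    grep -qF "type $PRIVTYPE;" "$dir/$MODULE.te" &&
    grep -qF "manage_files_pattern(squid_t, $PRIVTYPE, $PRIVTYPE)" "$dir/$MODULE.te" &&
    grep -qF "$DATADIR(/.*)?" "$dir/$MODULE.fc"
}

# Usage: sh mysquidguard.sh install   (as root, on the squid host)
if [ "${1:-}" = "install" ]; then
    work=$(mktemp -d)
    write_policy_sources "$work"
    check_policy_sources "$work"
    build_and_load "$work"
fi
```

After loading, restorecon -Rv on the tree replaces var_t with squidguard_var_t, which is what the earlier restorecon could not do because no file context entry existed for the path. The differing SELinux users on the files (system_u versus unconfined_u) do not matter for type enforcement; only the type field is checked. Once the .pp is in place, the audit2allow module with files_rw_var_files(squid_t) can be removed, since it lets squid_t write to every var_t file rather than just its own data.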