squid denial on F11 for var_run_t

Scott Radvan sradvan at redhat.com
Mon Jun 15 03:47:08 UTC 2009

Hi list,

As many of you know I am working on a Managing Confined Services guide
for Fedora. 

Having set up a simple squid environment on Fedora 11, with minimal
and default settings in squid.conf (http_port 3128 as allowed by
semanage, and a default cache_dir), I was able to create the cache
directory structure, but I got a denial when actually starting squid for
the first time (I assume this happens as it attempts to create its pid
in /var/run):

SELinux is preventing squid (squid_t) "read" var_run_t.

node=localhost.localdomain type=AVC msg=audit(1244690560.923:31): avc:
denied  { read } for  pid=2413 comm="squid" name="squid.pid" dev=dm-0
ino=364 scontext=unconfined_u:system_r:squid_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1244690560.923:31):
arch=40000003 syscall=5 success=no exit=-13 a0=b7ec8340 a1=8000 a2=1b6
a3=0 items=0 ppid=2404 pid=2413 auid=500 uid=23 gid=23 euid=0 suid=0
fsuid=0 egid=23 sgid=23 fsgid=23 tty=pts0 ses=1 comm="squid"
exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)

I followed the FAQ as was linked in the denial text:


Using audit2allow, which gave me a type enforcement file, the contents
of which are:

module local 1.0;

require {
        type var_run_t;
        type squid_t;
        class file read;
}

#============= squid_t ==============
allow squid_t var_run_t:file read;

and after creating and injecting a module from this as described in
that FAQ entry, I am now able to start squid and get it working fine.

Should this be filed as a bug? Is there a better way to fix it? I
figured it was worth mentioning as this happened out-of-the-box on F11
with default settings.

I am happy to provide any further details or output should you require.

selinux 3.6.12-39.fc11
squid 3.0.STABLE13-1.fc11


Scott Radvan
Content Author, Platform (Installation and Deployment)
Red Hat Asia Pacific (Brisbane) http://www.apac.redhat.com

More information about the fedora-selinux-list mailing list