Hello Eliezer Croitoru,

this is also to the OpenSSL mailing list, because can someone verify that
the CA certificate and the SSL certificate fit together - the last section of this mail. (of course I can do this by myself, but here I want to opinion of a 3rd party)

I have the solution that worked at my system, to run SELinux with enforcing
first you need to install a special package

yum install policycoreutils-python

then do this to filter the audit log:
(at my system only squid entries are questionable,
in case there are more programmes that can run only
with SELinux turned off or setting to permissive,
you must sort out these entries of course)

cat /var/log/audit/audit.log | grep -v "success" > avc

the next step to generate the policy file

audit2allow -M avc < avc

this generates avc.pp. with this do:

semodule -i avc.pp

that was it;

(I'm not an expert I got just hints from my workmate)
--
I found out something strange ...

when using the .repo files here ...
http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOS

the package http://software.opensuse.org/download.html?project=home%3Aairties%3Aserver&package=squid3
gives this error, when installing with   'yum install squid3'
Error: Package: squid3-3.3.8-6.1.x86_64 (home_airties_server)
           Requires: perl(Authen::Smb)

the other packages require the epel repo to be installed before ...
but how can I install squid 3.3?
there is only the question if its ok to install 7:squid-3.4.0-3-1...
I tried this
yum install http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.3.11-1.el6.x86_64.rpm and it worked ..., with SELinux=permissive and also with the above with SELinux=enforcing

the only question: how to use a parent proxy with both of the following ...

cache_peer #ip# 3128 0 proxy-only
never_direct allow all

and

ssl_bump server-first all
always_direct allow all

..., conflicting a little bit ...?

with other words, how to use a parent proxy while doing ssl-bump?
(the firewall blocks direkt access of this proxy, only the parent proxy has access to the internet)
--
my squid.conf has the default entries plus (here without parent proxy)

<squid.conf>
ssl_bump server-first all
# these will be adapted to my needs, here for testing only
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

always_direct allow all

http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2
</squid.conf>

I'm using no caching directory, this should be the work of the parent proxy ..., the squid.pem is shown below:

the purpose of this server is just doing smart filtering on HTTPS;
--
can please someone tell me why I get in FF (in an old 3.6 and in an relatively actual one 24.2esr)

This Connection is Untrusted

www.google.nl uses an invalid security certificate.
The certificate is not trusted because it was issued by an invalid CA certificate.
(Error code: sec_error_inadequate_key_usage)

only for urls that are shown in the Subject alternative name of the attached SSL certificate
and result in this certificate ...?

and this is only with FF, not with IE and not with Google Chrome itself ...
all other SSL sites work well ...
--
when I talk about I server, it is of course just a virtual machine on my computer, of these I have a few:
- mail server
- dns server
- proxy server (with caching and smart filtering for non-https)
- ...

Thanks,
Walter

--[ audit.log extract ]--

type=AVC msg=audit(1386721165.548:990): avc: denied { write } for pid=6689 co mm="ssl_crtd" name="size" dev=sda3 ino=395149 scontext=unconfined_u:system_r:squ
id_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1386721165.548:991): avc: denied { write } for pid=6689 co mm="ssl_crtd" name="certs" dev=sda3 ino=395148 scontext=unconfined_u:system_r:sq
uid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1386721165.548:991): avc: denied { remove_name } for pid=6 689 comm="ssl_crtd" name="79B5336452F44EE14155FEF0042BCA6C6A1AFC12.pem" dev=sda3 ino=395199 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:obje
ct_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1386721165.548:991): avc: denied { unlink } for pid=6689 c omm="ssl_crtd" name="79B5336452F44EE14155FEF0042BCA6C6A1AFC12.pem" dev=sda3 ino= 395199 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:
var_lib_t:s0 tclass=file
type=AVC msg=audit(1386721165.550:992): avc: denied { add_name } for pid=6689 comm="ssl_crtd" name="58481355CE5F10BBF9DF4CD4B99692BC308E4D42.pem" scontext=un confined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclas
s=dir
type=AVC msg=audit(1386721165.550:992): avc: denied { create } for pid=6689 c omm="ssl_crtd" name="58481355CE5F10BBF9DF4CD4B99692BC308E4D42.pem" scontext=unco nfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=
file

--[ squid.pem ]--

the private key here is no problem, because its only testing purpose;
the final working squid server gets other certificates ...

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD1Gf2qk287rvKpwEhyZtyiycvl6C9ZsvLHMKygimTqzoiGrIO4
tbw1bqAZcCju1P0HAXXjFmdVW8WPs6rg2uXtsBEiO9/1gQ6ji6/Kl8yEhyRVXRcH
VMuzx9dSAE4IJzaXNgSqqmHNoacxHZICV7GPaxBqVvflGyJqcc0KDD8MQwIDAQAB
AoGAGExQUnW1RERuuBdg1z6NRvIcbZlcAFd2K/sOUggGQyTgcgFuOYSCuQVTh9IP
rMWeo/AoILAa5GJprnpQSWRKANmUw43Vqj3EzZJMglRhUFUZnNYaC1jWGa3C9os5
n8TAqqnYZtcHdiD/wykI33aK7kOfccxMmlUXyJVqbkEsucECQQD+MrytFio3CfZ9
wZ9Oli3wWujPa8PfSZDnA4EYV0HiWAcYzkaYhX0GtGcjrpB/fHHF/jzQpF+p3dcr
uYHNTAejAkEA9ta/SzQtvVk4k2JsB3aJZv5OGzVkXXR7ijvyE2srrU8ez5Yc2hgA
/lOYale9/mmluGPNyTdm9Oh220E2ij+y4QJBAJ/mOItEew+eI8CdcGGV1JXyCaqY
ZmDpvM2khatTEC2aI/S1pPDCX5A9IPfwEhMvq73ZHFY+X7LRyk1F5uHGJrMCQGSg
hRmGawMfBUZoQDwGodsf3v2OlZzXqKlg6L3r2cFsWNYtjxOF55nGwILRxD2cGhgC
b9kQweMjhZi6jB5t+2ECQQCDzLY91w+JgOS2HasRm2DUHo67shRfwmWfFdl1vAs5
Q0ysK1EsBuIQxRLVyBCBqEWZDGTFJMlq8ShfRskD28jz
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICZzCCAdCgAwIBAgIBETANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwItLTEQ
MA4GA1UEChMHU29tZU9yZzEUMBIGA1UECxMLU29tZU9yZ1VuaXQxEDAOBgNVBAMT
B1Jvb3QgQ0EwHhcNNzAwMTAxMDAwMDAwWhcNMzQxMjMxMjM1OTU5WjBHMQswCQYD
VQQGEwItLTEQMA4GA1UEChMHU29tZU9yZzEUMBIGA1UECxMLU29tZU9yZ1VuaXQx
EDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPUZ
/aqTbzuu8qnASHJm3KLJy+XoL1my8scwrKCKZOrOiIasg7i1vDVuoBlwKO7U/QcB
deMWZ1VbxY+zquDa5e2wESI73/WBDqOLr8qXzISHJFVdFwdUy7PH11IATggnNpc2
BKqqYc2hpzEdkgJXsY9rEGpW9+UbImpxzQoMPwxDAgMBAAGjYzBhMA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTea3zoMP5FWNxG50df
7Hbnid5sBjAfBgNVHSMEGDAWgBTea3zoMP5FWNxG50df7Hbnid5sBjANBgkqhkiG
9w0BAQUFAAOBgQC2XuM7jij2ujgNDipMLcUE/Tlpg8IeKZThl2cLWUT0RtHW2CHK
hIKOlCMP2xMB3EMbTGSc7p5DMA5P4CcF6PsTfKxl7pAn6uDgWHk3e52imgHs7Q1G
9buVgx3NHrKrbtEGE9vt1QAh8TnLo6LEPAkHCECCeS5gMG4IZpATNReCxQ==
-----END CERTIFICATE-----

--[ SSL certificate ]--

Certificate:
...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com, DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca, DNS:*.goog le.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google. com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.goo gle.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.goo gle.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS: *.google.pl, DNS:*.google.pt, DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS :*.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.c om, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com, DNS:android. com, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com, DNS:googlec ommerce.com, DNS:urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation
.com
...

-----BEGIN CERTIFICATE-----
MIIFPTCCBKagAwIBAgIUPXX9MOspr8vFn1yK/75ufujyNyMwDQYJKoZIhvcNAQEF
BQAwRzELMAkGA1UEBhMCLS0xEDAOBgNVBAoTB1NvbWVPcmcxFDASBgNVBAsTC1Nv
bWVPcmdVbml0MRAwDgYDVQQDEwdSb290IENBMB4XDTEzMTEyMDE1MTMzNloXDTE0
MDMyMDAwMDAwMFowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2dsZSBJbmMxFTAT
BgNVBAMMDCouZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
9Rn9qpNvO67yqcBIcmbcosnL5egvWbLyxzCsoIpk6s6IhqyDuLW8NW6gGXAo7tT9
BwF14xZnVVvFj7Oq4Nrl7bARIjvf9YEOo4uvypfMhIckVV0XB1TLs8fXUgBOCCc2
lzYEqqphzaGnMR2SAlexj2sQalb35RsianHNCgw/DEMCAwEAAaOCAwUwggMBMIIC
wwYDVR0RBIICujCCAraCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lkLmNvbYIWKi5h
cHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29tghYqLmdvb2ds
ZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29v
Z2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29v
Z2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyou
Z29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKC
DyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdv
b2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIIL
Ki5nb29nbGUucGyCCyouZ29vZ2xlLnB0gg8qLmdvb2dsZWFwaXMuY26CFCouZ29v
Z2xlY29tbWVyY2UuY29tgg0qLmdzdGF0aWMuY29tggwqLnVyY2hpbi5jb22CECou
dXJsLmdvb2dsZS5jb22CFioueW91dHViZS1ub2Nvb2tpZS5jb22CDSoueW91dHVi
ZS5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CCyoueXRpbWcuY29tggthbmRy
b2lkLmNvbYIEZy5jb4IGZ29vLmdsghRnb29nbGUtYW5hbHl0aWNzLmNvbYIKZ29v
Z2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tggp1cmNoaW4uY29tggh5b3V0dS5i
ZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tMAsGA1UdDwQEAwIH
gDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQUFAAOBgQA4xQFls1FpUScdCmifTkWCrjNrgUCbL56im1/9vSqM
P8IplBopOikz3VnxBsyUVaR/yt8zzm158zYdIpA/rOX0WukwO4pAUoi6aw6Q+FoD
ZG+3Qe0b7a22Mqgl45OlfljrAMfouvapjx8OA9COSM/2k2TtRnlEy7D929O2H6J6
CQ==
-----END CERTIFICATE-----




On 09.12.2013 06:30, Eliezer Croitoru wrote:
Hey Walter,

I do not know yet of a way to get SELinux work with squid nicely.
I do know it can be done with enough knowledge and couple additions.

If anyone is a SELinux expert or just can find the appropriate way of handling squid conflicts with SELinux I would be happy to try to push these into the RPMs.

For now the suggestion is to use selinux policy to permissive while on most squid systems(dedicated) you wont force selinux but I am still not sure why.

Fedora has some docs about it:
http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html

This setting direction policy will might help something:
 setsebool -P squid_connect_any 1

And at redhat couple notes:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html


Can you share the errors you see in logs? either squid logs or messages log?

Are you using a cache_dir ?

There is also a demonstration on how to create a selinux module\policy fro qlproxy: http://sichent.wordpress.com/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/

I hope it helps.

Eliezer

On 08/12/13 22:34, Walter H. wrote:
Hello,

I have the ident problem as here:
http://comments.gmane.org/gmane.comp.web.squid.general/99601

SELinux=enforcing prevents running squid ...

my system: a CentOS 6.5, squid-3.3.11

./configure --enable-ssl
             --enable-ssl-crtd
             --disable-htcp
             --disable-eui
             --disable-snmp
             --enable-useragent-log
             --enable-referer-log
             --enable-cachemgr-hostname=localhost
               --prefix=/usr
               --includedir=/usr/include
               --datadir=/usr/share
               --bindir=/usr/sbin
               --libexecdir=/usr/lib/squid
               --localstatedir=/var
               --sysconfdir=/etc/squid
             --with-dl
             --with-openssl
             --with-pthreads
             --with-logdir=/var/log/squid
             --with-default-user=squid

can someone give me a hint, what to do?

by the way, the binary packages from here:
http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOS
have the same problem ...

Thanks,
Walter




Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to