Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Garri Djavadyan
On Tue, 2016-10-18 at 14:56 +0200, Walter H. wrote:
> with the 3.1.x there is no problem with
> 
> url_rewrite_program /etc/squid/url-rewrite-program.pl
> url_rewrite_children 8
> url_rewrite_host_header on
> url_rewrite_access allow all
> 
> but with the 3.5.x there is access denied (shown in
> /var/log/audit/audit.log)
> and squid doesn't start;
> 
> specific to the 3.5.x release, I added a certificate validator
> helper,
> which has also problems ...
> 
> 
> Greetings,
> Walter

Hi Walter,

Have you tried to move helpers to '/usr/lib64/squid/' and ensure that
the label for them is 'lib_t'?

Garri
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
On Tue, October 18, 2016 13:31, Garri Djavadyan wrote:
> On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
>> Hello,
>>
>> just in case anybody wants to run Squid 3.5.x on CentOS
>> with SELinux enforcing,
>>
>> here is the semodule
>>
>> 
>> module squid_update 1.0;
>>
>> require {
>> type squid_conf_t;
>> type squid_t;
>> type var_t;
>> class file { append open read write getattr lock
>> execute_no_trans };
>> }
>>
>> #= squid_t ==
>> allow squid_t squid_conf_t:file execute_no_trans;
>> allow squid_t var_t:file { append open read write getattr lock };
>> 
>>
>> and do the following:
>>
>> checkmodule -M -m -o squid_update.mod squid_update.tt
>> semodule_package -o squid_update.pp -m squid_update.mod
>> semodule -i squid_update.pp
>
> Hi,
>
> Have you tried to use default policy and relabel target dirs/files
> using types dedicated for squid? For example:
>
> # semanage fcontext -l | grep squid
> ...

my output differs a little bit; and yes the target files/dirs are labeled
as dedicated;

don't ask me why, but I have two CentOS 6.x VMs (each latest) one with the
official package (release 3.1.23) and one with this 3.5.20 RPM package;

with the 3.1.x there is no problem with

url_rewrite_program /etc/squid/url-rewrite-program.pl
url_rewrite_children 8
url_rewrite_host_header on
url_rewrite_access allow all

but with the 3.5.x there is access denied (shown in /var/log/audit/audit.log)
and squid doesn't start;

specific to the 3.5.x release, I added a certificate validator helper,
which has also problems ...

with this semodule package everything works fine ...

so there must be something different, between these two releases;

with SELinux disabled or permissive there is no need of this semodule
package;

Greetings,
Walter




Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Garri Djavadyan
On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
> Hello,
> 
> just in case anybody wants to run Squid 3.5.x on CentOS
> with SELinux enforcing,
> 
> here is the semodule
> 
> 
> module squid_update 1.0;
> 
> require {
> type squid_conf_t;
> type squid_t;
> type var_t;
> class file { append open read write getattr lock
> execute_no_trans };
> }
> 
> #= squid_t ==
> allow squid_t squid_conf_t:file execute_no_trans;
> allow squid_t var_t:file { append open read write getattr lock };
> 
> 
> and do the following:
> 
> checkmodule -M -m -o squid_update.mod squid_update.tt
> semodule_package -o squid_update.pp -m squid_update.mod
> semodule -i squid_update.pp

Hi,

Have you tried to use default policy and relabel target dirs/files
using types dedicated for squid? For example:

# semanage fcontext -l | grep squid
/etc/squid(/.*)?                 all files      system_u:object_r:squid_conf_t:s0
/var/run/squid.*                 all files      system_u:object_r:squid_var_run_t:s0
/var/log/squid(/.*)?             all files      system_u:object_r:squid_log_t:s0
/usr/share/squid(/.*)?           all files      system_u:object_r:squid_conf_t:s0
/var/cache/squid(/.*)?           all files      system_u:object_r:squid_cache_t:s0
/var/spool/squid(/.*)?           all files      system_u:object_r:squid_cache_t:s0
/usr/sbin/squid                  regular file   system_u:object_r:squid_exec_t:s0
/etc/rc\.d/init\.d/squid         regular file   system_u:object_r:squid_initrc_exec_t:s0
/usr/lib/squid/cachemgr\.cgi     regular file   system_u:object_r:httpd_squid_script_exec_t:s0
/usr/lib64/squid/cachemgr\.cgi   regular file   system_u:object_r:httpd_squid_script_exec_t:s0



[squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

2016-10-18 Thread Walter H.
Hello,

just in case anybody wants to run Squid 3.5.x on CentOS
with SELinux enforcing,

here is the semodule


module squid_update 1.0;

require {
type squid_conf_t;
type squid_t;
type var_t;
class file { append open read write getattr lock execute_no_trans };
}

#= squid_t ==
allow squid_t squid_conf_t:file execute_no_trans;
allow squid_t var_t:file { append open read write getattr lock };


and do the following:

checkmodule -M -m -o squid_update.mod squid_update.tt
semodule_package -o squid_update.pp -m squid_update.mod
semodule -i squid_update.pp

in case someone wants to throw away the cache, whatever reason;

use this script:


#!/bin/sh
# Throw away the on-disk cache and recreate it with the SELinux label
# the default policy expects (squid_cache_t).

DIR=/var/spool/squid

service squid stop
# move the old cache aside so the restart does not wait for the slow removal
mv "$DIR" "$DIR.temp"
mkdir "$DIR"
chcon -t squid_cache_t "$DIR"
chown squid:squid "$DIR"
chmod 750 "$DIR"
# create the swap directories (-z) in the foreground (-N)
squid -N -z
service squid start
rm -fr "$DIR.temp"
date +"%Y/%m/%d %T| Old Swap Directories removed"
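Both replies in this thread turn on the same question: does a denial in /var/log/audit/audit.log call for a new allow rule (the squid_update module above) or for relabeling the file with a type the default policy already knows (Garri's semanage fcontext / lib_t suggestion)? The following Python is an added example, not code from this thread, from Squid or from the SELinux tools: it parses AVC records from constructed sample log lines, groups them into the (source type, target type, class) tuples audit2allow would turn into rules, and flags the tuples whose target type points at a labeling problem rather than a policy gap. The sample log lines, the GENERIC_TYPES list and the two heuristics in triage() are assumptions of this example.

```python
"""Triage SELinux AVC denials from audit.log for a confined daemon.

Added example for the squid-users thread; not code from the thread or
from Squid. AVC lines are grouped into (source type, target type, class)
tuples, rendered as audit2allow-style allow rules, and each tuple is
marked 'relabel' when the target carries a generic type such as var_t or
when a file that is not an *_exec_t type is being executed, otherwise
'policy'. GENERIC_TYPES and both heuristics are this example's
assumptions, not rules from the SELinux reference policy.
"""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt resembling the denials the thread
# describes (helper script under /etc/squid, helper data under /var);
# it is not copied from any real host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1476790001.101:201): avc:  denied  { execute_no_trans } for  pid=2101 comm="squid" path="/etc/squid/url-rewrite-program.pl" dev="dm-0" ino=263001 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:squid_conf_t:s0 tclass=file
type=AVC msg=audit(1476790001.102:202): avc:  denied  { read open } for  pid=2102 comm="perl" path="/var/helpers/rewrite.db" dev="dm-0" ino=263002 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1476790001.103:203): avc:  denied  { append } for  pid=2102 comm="perl" path="/var/helpers/rewrite.log" dev="dm-0" ino=263003 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1476790001.104:204): avc:  denied  { name_connect } for  pid=2101 comm="squid" dest=8443 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1476790001.104:204): arch=c000003e syscall=42 success=no exit=-13 comm="squid"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)
PATH_RE = re.compile(r'path="([^"]*)"')

# Target types that mean "nobody labelled this for the daemon" (assumption).
GENERIC_TYPES = {"var_t", "usr_t", "etc_t", "default_t", "unlabeled_t", "tmp_t"}
EXEC_PERMS = {"execute", "execute_no_trans"}


def selinux_type(context):
    """user:role:type:level[:categories] -> type (works with MLS ranges too)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return ({(stype, ttype, tclass): set(perms)}, {same key: set(paths)})."""
    denials = defaultdict(set)
    paths = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD and PATH records carry no AVC decision
        key = (selinux_type(m.group("scontext")),
               selinux_type(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
        p = PATH_RE.search(line)
        if p:
            paths[key].add(p.group(1))
    return dict(denials), dict(paths)


def rule_for(key, perms):
    """Render one tuple the way audit2allow prints it."""
    stype, ttype, tclass = key
    perm_str = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_str = "{ %s }" % perm_str
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str)


def allow_rules(denials):
    """All allow rules the denials would need, sorted for stable diffing."""
    return sorted(rule_for(key, perms) for key, perms in denials.items())


def triage(denials):
    """Map each tuple to 'relabel' or 'policy' using the heuristics above."""
    verdicts = {}
    for key, perms in denials.items():
        _, ttype, _ = key
        if ttype in GENERIC_TYPES:
            verdicts[key] = "relabel"      # file lives outside any squid_* label
        elif perms & EXEC_PERMS and not ttype.endswith("_exec_t"):
            verdicts[key] = "relabel"      # executing a config/data-labelled file
        else:
            verdicts[key] = "policy"       # default policy really lacks the rule
    return verdicts


if __name__ == "__main__":
    denials, paths = parse_avc(SAMPLE_AUDIT_LOG)
    verdicts = triage(denials)
    for key in sorted(denials):
        print("%-8s %s" % (verdicts[key], rule_for(key, denials[key])))
        for path in sorted(paths.get(key, ())):
            print("         path: %s" % path)
```

On a real host the same functions can be fed the output of `ausearch -m AVC` instead of the constructed sample. A 'relabel' verdict is the case this thread is about: the helper executed out of /etc/squid is labelled squid_conf_t, so the fix the default policy intends is to put it where an executable type applies rather than to allow squid_t to execute configuration files; only 'policy' tuples are candidates for a local module.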

