Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)
On Tue, 2016-10-18 at 14:56 +0200, Walter H. wrote:
> with the 3.1.x there is no problem with
>
> url_rewrite_program /etc/squid/url-rewrite-program.pl
> url_rewrite_children 8
> url_rewrite_host_header on
> url_rewrite_access allow all
>
> but with the 3.5.x there is access denied (shown in
> /var/log/audit/audit.log)
> and squid doesn't start;
>
> specific to the 3.5.x release, I added a certificate validator
> helper,
> which has also problems ...
>
>
> Greetings,
> Walter

Hi Walter,

Have you tried to move helpers to '/usr/lib64/squid/' and ensure that the label for them is 'lib_t'?

Garri

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)
On Tue, October 18, 2016 13:31, Garri Djavadyan wrote:
> On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
>> Hello,
>>
>> just in case anybody wants to run Squid 3.5.x on CentOS
>> with SELinux enforcing,
>>
>> here is the semodule
>>
>>
>> module squid_update 1.0;
>>
>> require {
>>     type squid_conf_t;
>>     type squid_t;
>>     type var_t;
>>     class file { append open read write getattr lock
>>     execute_no_trans };
>> }
>>
>> #============= squid_t ==============
>> allow squid_t squid_conf_t:file execute_no_trans;
>> allow squid_t var_t:file { append open read write getattr lock };
>>
>>
>> and do the following:
>>
>> checkmodule -M -m -o squid_update.mod squid_update.tt
>> semodule_package -o squid_update.pp -m squid_update.mod
>> semodule -i squid_update.pp
>
> Hi,
>
> Have you tried to use default policy and relabel target dirs/files
> using types dedicated for squid? For example:
>
> # semanage fcontext -l | grep squid
> ...

my output differs a little bit; and yes, the target files/dirs are labeled as dedicated;

don't ask me why, but I have two CentOS 6.x VMs (each latest),
one with the official package (release 3.1.23) and one with this 3.5.20 RPM package;

with the 3.1.x there is no problem with

url_rewrite_program /etc/squid/url-rewrite-program.pl
url_rewrite_children 8
url_rewrite_host_header on
url_rewrite_access allow all

but with the 3.5.x there is access denied (shown in /var/log/audit/audit.log)
and squid doesn't start;

specific to the 3.5.x release, I added a certificate validator helper,
which has also problems ...

with this semodule package everything works fine ...

so there must be something different between these two releases;

with SELinux disabled or permissive there is no need of this semodule package;

Greetings,
Walter
Re: [squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)
On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
> Hello,
>
> just in case anybody wants to run Squid 3.5.x on CentOS
> with SELinux enforcing,
>
> here is the semodule
>
>
> module squid_update 1.0;
>
> require {
>     type squid_conf_t;
>     type squid_t;
>     type var_t;
>     class file { append open read write getattr lock
>     execute_no_trans };
> }
>
> #============= squid_t ==============
> allow squid_t squid_conf_t:file execute_no_trans;
> allow squid_t var_t:file { append open read write getattr lock };
>
>
> and do the following:
>
> checkmodule -M -m -o squid_update.mod squid_update.tt
> semodule_package -o squid_update.pp -m squid_update.mod
> semodule -i squid_update.pp

Hi,

Have you tried to use default policy and relabel target dirs/files using types dedicated for squid? For example:

# semanage fcontext -l | grep squid
/etc/squid(/.*)?                      all files       system_u:object_r:squid_conf_t:s0
/var/run/squid.*                      all files       system_u:object_r:squid_var_run_t:s0
/var/log/squid(/.*)?                  all files       system_u:object_r:squid_log_t:s0
/usr/share/squid(/.*)?                all files       system_u:object_r:squid_conf_t:s0
/var/cache/squid(/.*)?                all files       system_u:object_r:squid_cache_t:s0
/var/spool/squid(/.*)?                all files       system_u:object_r:squid_cache_t:s0
/usr/sbin/squid                       regular file    system_u:object_r:squid_exec_t:s0
/etc/rc\.d/init\.d/squid              regular file    system_u:object_r:squid_initrc_exec_t:s0
/usr/lib/squid/cachemgr\.cgi          regular file    system_u:object_r:httpd_squid_script_exec_t:s0
/usr/lib64/squid/cachemgr\.cgi        regular file    system_u:object_r:httpd_squid_script_exec_t:s0
[squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)
Hello,

just in case anybody wants to run Squid 3.5.x on CentOS
with SELinux enforcing,

here is the semodule


module squid_update 1.0;

require {
    type squid_conf_t;
    type squid_t;
    type var_t;
    class file { append open read write getattr lock
    execute_no_trans };
}

#============= squid_t ==============
allow squid_t squid_conf_t:file execute_no_trans;
allow squid_t var_t:file { append open read write getattr lock };


and do the following:

checkmodule -M -m -o squid_update.mod squid_update.tt
semodule_package -o squid_update.pp -m squid_update.mod
semodule -i squid_update.pp

in case someone wants to throw away the cache, for whatever reason, use this script:

#!/bin/sh
# Recreate the Squid cache directory from scratch: stop Squid, set the
# old directory aside, build a fresh one with the right SELinux type
# and ownership, let Squid initialise the swap directories, start it
# again and only then remove the old data.
DIR=/var/spool/squid
service squid stop
mv "$DIR" "$DIR.temp"
mkdir "$DIR"
chcon -t squid_cache_t "$DIR"   # a plain mkdir inherits the parent's type, not squid_cache_t
chown squid:squid "$DIR"
chmod 750 "$DIR"
squid -N -z                      # create the swap directories in the new cache dir
service squid start
rm -fr "$DIR.temp"
date +"%Y/%m/%d %T| Old Swap Directories removed"
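The thread turns on two checks: what label the stock fcontext rules (the `semanage fcontext -l` output Garri quoted) give a helper at a given path, and what the AVC denials Walter saw in /var/log/audit/audit.log actually name. The script below is an added example for this thread, not code posted by Walter or Garri. It embeds that rule table as constructed data, plus the base-policy `/usr/lib(64)?` rule that gives a moved helper the lib_t label Garri refers to (assumed from the reference policy; it is not in the quoted output), and two constructed AVC lines. For each denial it reports whether the object's current label already matches policy (then the file has to move, or policy has to be extended as the thread's module does) or has drifted from it (then `restorecon` is the fix, which is also what the `chcon -t squid_cache_t` line in the cache reset script guards against). On a real host, feed it lines from `grep AVC /var/log/audit/audit.log` instead of the samples.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread itself. Works offline
# on constructed data so the logic can be checked before using it on a host.

# Constructed rule table ("regex|type"). The squid rules are the ones Garri's
# semanage output shows; the last rule is the base-policy rule for /usr/lib and
# /usr/lib64 (assumed from the reference policy, not in the quoted output).
# Most specific rule first: the first match wins.
FCONTEXT_TABLE='/etc/squid(/.*)?|squid_conf_t
/var/run/squid.*|squid_var_run_t
/var/log/squid(/.*)?|squid_log_t
/usr/share/squid(/.*)?|squid_conf_t
/var/cache/squid(/.*)?|squid_cache_t
/var/spool/squid(/.*)?|squid_cache_t
/usr/sbin/squid|squid_exec_t
/etc/rc\.d/init\.d/squid|squid_initrc_exec_t
/usr/lib/squid/cachemgr\.cgi|httpd_squid_script_exec_t
/usr/lib64/squid/cachemgr\.cgi|httpd_squid_script_exec_t
/usr/lib(64)?(/.*)?|lib_t'

# expected_type PATH: print the type the table assigns to PATH, or "unlabeled".
expected_type() {
    printf '%s\n' "$FCONTEXT_TABLE" | awk -F'|' -v p="$1" '
        p ~ ("^" $1 "$") { print $2; found = 1; exit }
        END { if (!found) print "unlabeled" }'
}

# avc_field LINE NAME: value of the NAME=value field, quoted or not.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.* '"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# avc_permission LINE: the permission list between "denied { ... }", trimmed.
avc_permission() {
    printf '%s\n' "$1" | awk -F'[{}]' '{ gsub(/^ +| +$/, "", $2); print $2 }'
}

# avc_verdict LINE: "restorecon" when the object's label disagrees with the
# fcontext rules (it is mislabeled), "relocate" when the label already is what
# policy says (the object sits somewhere squid_t may not use it that way).
avc_verdict() {
    _path=$(avc_field "$1" path)
    _actual=$(avc_field "$1" tcontext | cut -d: -f3)
    _expected=$(expected_type "$_path")
    if [ "$_actual" = "$_expected" ]; then
        echo relocate
    else
        echo restorecon
    fi
}

# report LINE: one readable summary line per denial.
report() {
    _p=$(avc_field "$1" path)
    printf '%s %s on %s (%s, expected %s): %s\n' \
        "$(avc_field "$1" comm)" "$(avc_permission "$1")" "$_p" \
        "$(avc_field "$1" tcontext | cut -d: -f3)" "$(expected_type "$_p")" \
        "$(avc_verdict "$1")"
}

# Two constructed denials in the kernel's AVC format (pids, inodes and
# timestamps are made up). The first is the helper-in-/etc/squid case from the
# thread; the second is a cache directory that was recreated without the
# squid_cache_t label.
SAMPLE_AVC='type=AVC msg=audit(1476789012.123:456): avc:  denied  { execute_no_trans } for  pid=1234 comm="squid" path="/etc/squid/url-rewrite-program.pl" dev="dm-0" ino=12345 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file'
MISLABELED_AVC='type=AVC msg=audit(1476789100.001:457): avc:  denied  { write } for  pid=1234 comm="squid" path="/var/spool/squid/00" dev="dm-0" ino=67890 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

report "$SAMPLE_AVC"
report "$MISLABELED_AVC"
```

For the first sample the verdict is "relocate": /etc/squid really is squid_conf_t under the stock rules, so a helper kept there needs the execute_no_trans grant Walter's module adds, while the same helper under /usr/lib64/squid would be lib_t. For the second the verdict is "restorecon": the rules say squid_cache_t, the object carries var_t, and relabeling is the right fix rather than a new allow rule on the generic var_t type.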