Re: seLinux, Squid and adzap

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

David Niemi wrote:

> I am trying to get squid to run as an accelerator and also do ad zapping
> with Cameron Simpson's AdZap routine. I am getting lots of SELinux
> errors for the zapping script to be run by squid and also that squid do
> something with swap.state and swap log
>
> setting the SELinux protection off for squid still results in the error
> about the swap.state and swap log.
>
> so it seems that I need to change something with the SELinux context for
> squid and the adzap scripts but have no real idea how to go about.  I
> tried relabeling but that didn't do it.
>
> What can I do to remedy this?
>
> from messages
> Jul 10 11:33:08 rhonda ntpd[2467]: frequency initialized -12.030 PPM
> from /var/lib/ntp/drift
> Jul 10 11:33:08 rhonda squid[2519]: Squid Parent: child process 2522
> started
> Jul 10 11:33:09 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
> swap log.
> Jul 10 11:33:09 rhonda squid[2519]: Squid Parent: child process 2522
> exited due to signal 6
> Jul 10 11:33:12 rhonda squid[2519]: Squid Parent: child process 2533
> started
> Jul 10 11:33:12 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
> swap log.
> Jul 10 11:33:12 rhonda squid[2519]: Squid Parent: child process 2533
> exited due to signal 6
> Jul 10 11:33:15 rhonda squid[2519]: Squid Parent: child process 2544
> started
> Jul 10 11:33:15 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
> swap log.
> Jul 10 11:33:15 rhonda squid[2519]: Squid Parent: child process 2544
> exited due to signal 6
> Jul 10 11:33:18 rhonda squid[2519]: Squid Parent: child process 2555
> started
> Jul 10 11:33:18 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
> swap log.
> Jul 10 11:33:18 rhonda squid[2519]: Squid Parent: child process 2555
> exited due to signal 6
> Jul 10 11:33:21 rhonda squid[2519]: Squid Parent: child process 2569
> started
> Jul 10 11:33:22 rhonda (squid): storeUfsDirOpenSwapLog: Failed to open
> swap log.
> Jul 10 11:33:22 rhonda squid[2519]: Squid Parent: child process 2569
> exited due to signal 6
> Jul 10 11:33:22 rhonda squid[2519]: Exiting due to repeated, frequent
> failures
>
> from audit
> type=SYSCALL msg=audit(1121009601.928:43072): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
> pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
> sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
> type=AVC msg=audit(1121009601.928:43072): avc:  denied  { name_connect }
> for  pid=2569 comm="squid" dest=32811 scontext=system_u:system_r:squid_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> type=SOCKETCALL msg=audit(1121009601.929:43096): nargs=3 a0=7
> a1=bfcc06ec a2=10
> type=SOCKADDR msg=audit(1121009601.929:43096):
> saddr=0200802D7F0000010000000000000000
> type=SYSCALL msg=audit(1121009601.929:43096): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
> pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
> sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
> type=AVC msg=audit(1121009601.929:43096): avc:  denied  { name_connect }
> for  pid=2569 comm="squid" dest=32813 scontext=system_u:system_r:squid_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> type=SOCKETCALL msg=audit(1121009601.930:43120): nargs=3 a0=7
> a1=bfcc06ec a2=10
> type=SOCKADDR msg=audit(1121009601.930:43120):
> saddr=0200802F7F0000010000000000000000
> type=SYSCALL msg=audit(1121009601.930:43120): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
> pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
> sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
> type=AVC msg=audit(1121009601.930:43120): avc:  denied  { name_connect }
> for  pid=2569 comm="squid" dest=32815 scontext=system_u:system_r:squid_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
> type=SOCKETCALL msg=audit(1121009601.930:43144): nargs=3 a0=7
> a1=bfcc06ec a2=10
> type=SOCKADDR msg=audit(1121009601.930:43144):
> saddr=020080317F0000010000000000000000
> type=SYSCALL msg=audit(1121009601.930:43144): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bfcc0670 a2=2318d0 a3=b7fb36a0 items=0
> pid=2569 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23
> sgid=23 fsgid=23 comm="squid" exe="/usr/sbin/squid"
> type=AVC msg=audit(1121009601.930:43144): avc:  denied  { name_connect }
> for  pid=2569 comm="squid" dest=32817 scontext=system_u:system_r:squid_t
> tcontext=system_u:object_r:port_t tclass=tcp_socket
>
> from cache.log
> 2005/07/10 11:33:21| Starting Squid Cache version 2.5.STABLE9 for
> i386-redhat-linux-gnu...
> 2005/07/10 11:33:21| Process ID 2569
> 2005/07/10 11:33:21| With 1024 file descriptors available
> 2005/07/10 11:33:21| DNS Socket created at 0.0.0.0, port 32775, FD 5
> 2005/07/10 11:33:21| Adding nameserver 24.153.22.67
> from /etc/resolv.conf
> 2005/07/10 11:33:21| Adding nameserver 24.153.23.66
> from /etc/resolv.conf
> 2005/07/10 11:33:21| helperOpenServers: Starting 5 'squid_redirect'
> processes
> 2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
> process.
> 2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
> process.
> 2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
> process.
> 2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
> process.
> 2005/07/10 11:33:21| WARNING: Cannot run '/usr/local/bin/squid_redirect'
> process.
> 2005/07/10 11:33:21| User-Agent logging is disabled.
> 2005/07/10 11:33:21| Referer logging is disabled.
> 2005/07/10 11:33:21| Unlinkd pipe opened on FD 10
> 2005/07/10 11:33:21| Swap maxSize 102400 KB, estimated 7876 objects
> 2005/07/10 11:33:21| Target number of buckets: 393
> 2005/07/10 11:33:21| Using 8192 Store buckets
> 2005/07/10 11:33:21| Max Mem  size: 8192 KB
> 2005/07/10 11:33:21| Max Swap size: 102400 KB
> 2005/07/10 11:33:21| /var/spool/squid/swap.state: (13) Permission denied
> FATAL: storeUfsDirOpenSwapLog: Failed to open swap log.
> Squid Cache (Version 2.5.STABLE9): Terminated abnormally.
> CPU Usage: 0.019 seconds = 0.006 user + 0.013 sys
> Maximum Resident Size: 0 KB
> Page faults with physical i/o: 0
>
> from squid.out
> squid: ERROR: Could not send signal 0 to process 31876: (3) No such
> process
>
> /var/spool/
> drwxr-x---  squid    squid    system_u:object_r:squid_cache_t  squid
>
> /usr/local/bin/
> [root@rhonda bin]# ls -alZ
> drwxr-xr-x  root     root     system_u:object_r:bin_t          .
> drwxr-xr-x  root     root     system_u:object_r:usr_t          ..
> -rwxr-xr-x  root     root     system_u:object_r:bin_t
> squid_redirect
> -rwxr-xr-x  root     root     system_u:object_r:bin_t          wrapzap
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
Turn on boolean squid_connect_any

setsebool -P squid_connect_any=1

--