Fedora Users — Re: selinux, squid

>On Thu, 2005-08-11 at 13:47 +0800, Richard Pannell wrote: >> >> I am having problems running squid authentication (ntlm_auth) in FC4 >> with selinux turned on. When I use setenforce 0 I have no problems. >> But with setenforce set to 1 it fails. So using "audit2allow -l >> -i /var/log/message" I got the following result >> >> allow auditd_t initrc_t:unix_dgram_socket sendto; >> allow klogd_t device_t:sock_file write; >> allow klogd_t initrc_t:unix_dgram_socket sendto; >> allow rpcd_t etc_runtime_t:file read; >> allow rpcd_t proc_t:file read; >> allow rpcd_t samba_etc_t:dir search; >> allow rpcd_t samba_var_t:dir { getattr search }; >> allow syslogd_t etc_runtime_t:file read; >> allow syslogd_t proc_t:file read; >> >> which I added >> to /etc/selinux/targeted/src/policy/domains/misc/local.te and ran >> >> make -C /etc/selinux/targeted/src/policy clean >> make -C /etc/selinux/targeted/src/policy load > >Do you get the same output from audit2allow after doing this?
Yes I am. > >Are you running auditd? If so, you should be looking >in /var/log/audit/audit.log rather than /var/log/messages for AVC >errors.
Yes I am. So it was showing.

allow apmd_t device_t:sock_file write;
allow apmd_t devpts_t:chr_file { getattr ioctl };
allow apmd_t devpts_t:dir search;
allow apmd_t initrc_t:unix_dgram_socket sendto;
allow apmd_t selinux_config_t:file read;
allow auditd_t device_t:sock_file write;
allow bluetooth_t device_t:sock_file write;
allow httpd_t winbind_var_run_t:dir getattr;
allow ntpd_t device_t:sock_file write;
allow ntpd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t device_t:sock_file write;
allow system_dbusd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t winbind_var_run_t:dir getattr;
allow updfstab_t device_t:sock_file write;
allow winbind_helper_t initrc_t:unix_stream_socket connectto;
allow winbind_helper_t samba_var_t:dir search;

Added this to the local.te file which worked thanks very much. > >Paul.