Re: selinux, squid

Richard Pannell wrote:


>On Thu, 2005-08-11 at 13:47 +0800, Richard Pannell wrote:
>>
>> I am having problems running squid authentication (ntlm_auth) in FC4
>> with selinux turned on. When I use setenforce 0 I have no problems.
>> But with setenforce set to 1 it fails. So using "audit2allow -l
>> -i /var/log/message" I got the following result
>>
>> allow auditd_t initrc_t:unix_dgram_socket sendto;
>> allow klogd_t device_t:sock_file write;
>> allow klogd_t initrc_t:unix_dgram_socket sendto;
>> allow rpcd_t etc_runtime_t:file read;
>> allow rpcd_t proc_t:file read;
>> allow rpcd_t samba_etc_t:dir search;
>> allow rpcd_t samba_var_t:dir { getattr search };
>> allow syslogd_t etc_runtime_t:file read;
>> allow syslogd_t proc_t:file read;
>>
>> which I added
>> to /etc/selinux/targeted/src/policy/domains/misc/local.te and ran
>>
>> make -C /etc/selinux/targeted/src/policy clean
>> make -C /etc/selinux/targeted/src/policy load
>
>Do you get the same output from audit2allow after doing this?
Yes I am.
>
>Are you running auditd? If so, you should be looking
>in /var/log/audit/audit.log rather than /var/log/messages for AVC
>errors.
Yes I am. So it was showing.

allow apmd_t device_t:sock_file write;
allow apmd_t devpts_t:chr_file { getattr ioctl };
allow apmd_t devpts_t:dir search;
allow apmd_t initrc_t:unix_dgram_socket sendto;
allow apmd_t selinux_config_t:file read;
allow auditd_t device_t:sock_file write;
allow bluetooth_t device_t:sock_file write;
allow httpd_t winbind_var_run_t:dir getattr;
allow ntpd_t device_t:sock_file write;
allow ntpd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t device_t:sock_file write;
allow system_dbusd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t winbind_var_run_t:dir getattr;
allow updfstab_t device_t:sock_file write;
allow winbind_helper_t initrc_t:unix_stream_socket connectto;
allow winbind_helper_t samba_var_t:dir search;

Added this to the local.te file, which worked. Thanks very much.
>
>Paul.

First off this looks like you have a mislabeled /dev/log file?
restorecon -v /dev/log

Does adding

allow winbind_helper_t samba_var_t:dir search;

only fix the problem?

Could you attach the avc messages used to generate the audit rules?

Dan

--
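
Added example (not part of the original message, and not audit2allow itself): a sketch of triaging AVC denials from /var/log/audit/audit.log before putting anything into local.te. It merges denials into allow rules and sets aside denials on `device_t:sock_file`, assumed here to be the sign of the mislabeled /dev/log raised in the reply, so they can be fixed with `restorecon -v /dev/log` instead. The log lines, `SAMPLE_LOG` and `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1123740001.101:11): avc:  denied  { write } for  pid=2101 comm="ntpd" name="log" dev=tmpfs ino=4711 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:device_t tclass=sock_file
type=AVC msg=audit(1123740002.202:12): avc:  denied  { search } for  pid=2202 comm="ntlm_auth" name="samba" dev=dm-0 ino=9001 scontext=system_u:system_r:winbind_helper_t tcontext=system_u:object_r:samba_var_t tclass=dir
type=AVC msg=audit(1123740003.303:13): avc:  denied  { getattr } for  pid=2303 comm="apmd" name="0" dev=devpts ino=2 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1123740004.404:14): avc:  denied  { ioctl } for  pid=2303 comm="apmd" name="0" dev=devpts ino=2 scontext=system_u:system_r:apmd_t tcontext=system_u:object_r:devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123740004.404:14): arch=40000003 syscall=54 success=no
"""

# Pull permissions, source type, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\S+:(?P<src>\w+_t)\S*\s+"
    r"tcontext=\S+:(?P<tgt>\w+_t)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)


def triage(log_text):
    """Return (label_fixes, allow_rules) built from the AVC denials in log_text."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, etc.) are skipped
            merged[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    label_fixes, allow_rules = [], []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        p = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rule = f"allow {src} {tgt}:{cls} {p};"
        # Assumption: a socket file still typed device_t is a labeling problem
        # (the /dev/log case); relabel it rather than loading this rule.
        if (tgt, cls) == ("device_t", "sock_file"):
            label_fixes.append(rule)
        else:
            allow_rules.append(rule)
    return label_fixes, allow_rules


if __name__ == "__main__":
    fixes, rules = triage(SAMPLE_LOG)
    print("Relabel instead of allowing (restorecon -v /dev/log):", *fixes, sep="\n  ")
    print("Candidate local.te rules to review one at a time:", *rules, sep="\n  ")
```
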