Re: SELinux security alert/Squid -

On 02/08/2010 04:20 AM, Bob Goodwin wrote:
> Yesterday I began getting an "SELinux security alert" and Firefox began 
> to operate erratically [became useless].
> 
> I did "setsebool -P squid_connect_any=1" per the alert and Firefox began 
> to work again, however now this morning I am getting a similar notice 
> although it appears to be making an exception.
> 
> Do I need to take some further action to satisfy SELinux or will I 
> continue to get this notice until some future update?
> 
> Bob
> .
> 
> 
> 
>         Summary:
> 
>         SELinux is preventing the squid daemon from connecting to
>         network port 8180
> 
>         Detailed Description:
> 
>         [squid has a permissive type (squid_t). This access was not denied.]
> 
>         SELinux has denied the squid daemon from connecting to 8180. By
>         default squid
>         policy is setup to deny squid connections. If you did not setup
>         squid to network
>         connections, this could signal a intrusion attempt.
> 
>         Allowing Access:
> 
>         If you want squid to connect to network ports you need to turn
>         on the
>         squid_connect_any boolean: "setsebool -P squid_connect_any=1"
> 
>         Fix Command:
> 
>         setsebool -P squid_connect_any=1
> 
>         Additional Information:
> 
>         Source Context                system_u:system_r:squid_t:s0
>         Target Context                system_u:object_r:port_t:s0
>         Target Objects                None [ tcp_socket ]
>         Source                        squid
>         Source Path                   /usr/sbin/squid
>         Port                          8180
>         Host                          box6
>         Source RPM Packages           squid-3.1.0.15-2.fc12
>         Target RPM Packages
>         Policy RPM                    selinux-policy-3.6.32-78.fc12
>         Selinux Enabled               True
>         Policy Type                   targeted
>         Enforcing Mode                Enforcing
>         Plugin Name                   squid_connect_any
>         Host Name                     box6
>         Platform                      Linux box6
>         2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
>                                        Mon Jan 18 19:52:07 UTC 2010
>         x86_64 x86_64
>         Alert Count                   33
>         First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
>         Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
>         Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
>         Line Numbers
> 
>         Raw Audit Messages
> 
>         node=box6 type=AVC msg=audit(1265580538.758:20027): avc: 
>         denied  { name_connect } for  pid=1504 comm="squid" dest=8180
>         scontext=system_u:system_r:squid_t:s0
>         tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> 
>         node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
>         arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
>         a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
>         auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23
>         sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid"
>         exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
> 
Are you sure the boolean is turned on?

# getsebool squid_connect_any
squid_connect_any --> off

Once you have set the boolean on, it should stay that way permanently if you use the -P flag.

# setsebool -P squid_connect_any 1
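As an added illustration (not part of the thread), the following Python script parses the raw AVC record quoted above and the `getsebool` output from the reply, and reports whether the denial is explained by the boolean still being off or whether the logged event predates the change. The sample input is the page's own audit line joined back onto a single line; the helper names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the AVC record quoted in this thread (the archive
# wrapped it across lines) and the getsebool output shown in the reply.
AVC_LINE = ('node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  '
            '{ name_connect } for  pid=1504 comm="squid" dest=8180 '
            'scontext=system_u:system_r:squid_t:s0 '
            'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket')
GETSEBOOL_OUTPUT = 'squid_connect_any --> off'

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+'
                    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<kv>.*)')

def parse_avc(line):
    """Split one AVC record into its fields; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('kv'))}
    return {
        # audit(1265580538...) is 2010-02-07 22:08:58 UTC, i.e. the alert's "Last Seen"
        'time': datetime.fromtimestamp(int(m.group('ts')), tz=timezone.utc),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'source_type': kv['scontext'].split(':')[2],   # e.g. squid_t
        'target_type': kv['tcontext'].split(':')[2],   # e.g. port_t (generic, unlabeled port)
        'tclass': kv.get('tclass'),
        'dest': kv.get('dest'),
        'comm': kv.get('comm'),
    }

def parse_getsebool(output):
    """Map boolean names to True/False from `getsebool` output lines."""
    return {name: state == 'on'
            for name, state in re.findall(r'(\w+)\s+-->\s+(on|off)', output)}

def triage(avc, booleans, boolean='squid_connect_any'):
    """Explain a squid name_connect denial against the current boolean state."""
    if avc['tclass'] != 'tcp_socket' or 'name_connect' not in avc['perms']:
        return 'not a connect denial'
    if avc['target_type'] != 'port_t':
        return f"port {avc['dest']} is labeled {avc['target_type']}; check policy for that type"
    if not booleans.get(boolean, False):
        return f"{boolean} is off: set it with 'setsebool -P {boolean} 1'"
    return f"{boolean} is on; denial at {avc['time']:%Y-%m-%d %H:%M:%S UTC} likely predates the change"
```

Feeding it the live output of `ausearch -m avc` and `getsebool -a` instead of the constructed strings gives the same checks against a running system.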

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
