On 02/08/2010 04:20 AM, Bob Goodwin wrote:
> Yesterday I began getting an "SELinux security alert" and Firefox began
> to operate erratically [became useless].
>
> I did "setsebool -P squid_connect_any=1" per the alert and Firefox began
> to work again, however now this morning I am getting a similar notice
> although it appears to be making an exception.
>
> Do I need to take some further action to satisfy SELinux or will I
> continue to get this notice until some future update?
>
> Bob
> .
>
> Summary:
>
> SELinux is preventing the squid daemon from connecting to network port 8180
>
> Detailed Description:
>
> [squid has a permissive type (squid_t). This access was not denied.]
>
> SELinux has denied the squid daemon from connecting to 8180. By default squid
> policy is setup to deny squid connections. If you did not setup squid to network
> connections, this could signal a intrusion attempt.
>
> Allowing Access:
>
> If you want squid to connect to network ports you need to turn on the
> squid_connect_any boolean: "setsebool -P squid_connect_any=1"
>
> Fix Command:
>
> setsebool -P squid_connect_any=1
>
> Additional Information:
>
> Source Context                system_u:system_r:squid_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ tcp_socket ]
> Source                        squid
> Source Path                   /usr/sbin/squid
> Port                          8180
> Host                          box6
> Source RPM Packages           squid-3.1.0.15-2.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-78.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   squid_connect_any
> Host Name                     box6
> Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
>                               Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count                   33
> First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
> Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
> Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c000003e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)

Are you sure the boolean is turned on?

# getsebool squid_connect_any
squid_connect_any --> off

Once you have set the boolean on it should stay that way permanently if you use the -P flag.

# setsebool -P squid_connect_any 1

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
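The thread resolves on "turn the boolean on", but the raw AVC record carries enough to decide how wide the fix needs to be. The script below is an added example, not part of the list thread or of Fedora's setroubleshoot: it parses an AVC record of the form shown above (`type=AVC ... avc: denied { perm } for ... scontext=... tcontext=... tclass=...`), checks that it really is a `squid_t` `name_connect` to a port that carries only the generic `port_t` type, and prints the narrow remediation (give the port a type squid may already connect to) next to the broad one (`squid_connect_any`, which opens every TCP port to squid_t). The first record is the one quoted in the thread; the `httpd_t` and `mysqld_port_t` records are constructed for contrast. The claim that `squid_t` can `name_connect` to `http_cache_port_t` without the boolean is an assumption about the squid policy module and should be confirmed on the host with `sesearch`, as the comment says. Nothing here invokes SELinux tooling, so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not from the thread: triage a raw SELinux AVC record offline.
# It parses the "type=AVC ... avc: denied { perm } ... key=value" line, decides
# whether it is the squid_t -> name_connect -> generic-port case that the
# squid_connect_any boolean papers over, and prints the narrow and the broad
# remediation. No SELinux tools are invoked, so it runs on any POSIX shell.

# Copied from the thread's raw audit message (one line).
SAMPLE_AVC='node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed records for contrast (not from the thread): a different source
# domain, and squid reaching a port that already carries a specific type.
HTTPD_AVC='node=box6 type=AVC msg=audit(1265580600.000:20030): avc: denied { name_connect } for pid=2000 comm="httpd" dest=8180 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
SQUID_DB_AVC='node=box6 type=AVC msg=audit(1265580700.000:20040): avc: denied { name_connect } for pid=1504 comm="squid" dest=3306 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY -> value of KEY=value, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD -> the permission inside the braces, e.g. name_connect
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# avc_type RECORD scontext|tcontext -> the type (third field) of that context
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# classify_avc RECORD -> squid_unlabelled_port | squid_other_port | not_squid_connect
classify_avc() {
    rec=$1
    [ "$(avc_type "$rec" scontext)" = squid_t ]   || { echo not_squid_connect; return; }
    [ "$(avc_field "$rec" tclass)" = tcp_socket ] || { echo not_squid_connect; return; }
    [ "$(avc_perm "$rec")" = name_connect ]       || { echo not_squid_connect; return; }
    if [ "$(avc_type "$rec" tcontext)" = port_t ]; then
        echo squid_unlabelled_port   # generic port: label it, or open all ports
    else
        echo squid_other_port        # port already typed: the boolean is the wrong tool
    fi
}

# fix_for RECORD -> remediation lines, narrowest first
fix_for() {
    rec=$1
    port=$(avc_field "$rec" dest)
    case $(classify_avc "$rec") in
    squid_unlabelled_port)
        # Assumption: squid_t may name_connect to http_cache_port_t without the
        # boolean (as in the refpolicy squid module). Confirm on the host with:
        #   sesearch -A -s squid_t -t http_cache_port_t -c tcp_socket -p name_connect
        echo "narrow: semanage port -a -t http_cache_port_t -p tcp $port"
        echo "broad:  setsebool -P squid_connect_any 1   (squid_t may then connect to every TCP port)"
        ;;
    squid_other_port)
        echo "port $port is already $(avc_type "$rec" tcontext); write a custom module for that type, not squid_connect_any"
        ;;
    *)
        echo "not a squid_t name_connect record; squid_connect_any does not apply"
        ;;
    esac
}

# Stand-alone run over the three records.
for rec in "$SAMPLE_AVC" "$HTTPD_AVC" "$SQUID_DB_AVC"; do
    printf '%s dest=%s -> %s\n' "$(avc_field "$rec" comm)" "$(avc_field "$rec" dest)" "$(classify_avc "$rec")"
    fix_for "$rec" | sed 's/^/    /'
done
```

Two things in the quoted alert are worth reading before running either fix command. The bracketed line says `squid_t` is a permissive type, and the matching `SYSCALL` record shows `success=yes`: the connect to 8180 was logged but not blocked, which is why the alert keeps repeating even though Firefox works. And `squid_connect_any` is a blanket grant; labelling the single port squid actually needs keeps the rest of the policy's port restrictions in force.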