On 02/09/2010 04:43 AM, Bob Goodwin wrote:
> On 09/02/10 02:17, Tim wrote:
>> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>>
>>> squid_connect_any --> off
>>>
>> Probably not a good idea, the setting's there as an aid to protect you
>> against maliciousness. If you want to add exceptions, that's a better
>> idea than just letting anything through.
>>
>> I'd make an educated guess that the original poster hadn't tried to
>> connect to an alternative port, while going through their proxy, before.
>>
>>
> Well then should it not be possible to tell SELinux that this particular
> connection is acceptable? To me it is vital, I need to control system
> usage and that's where I get my usage data! The problem is minor and
> doesn't warrant disabling SELinux in any way, I only see it upon
> rebooting, usually around 04:00 which is my habit. But the "star" is
> there again this morning.
>
> As a result I have once more done [as su/root]: setsebool -P
> squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30
> seconds and shows a lot of cpu activity while doing it so I know
> something is happening.
>
> The security alert, generated at this morning's boot:
>
> Summary:
>
> SELinux is preventing the squid daemon from connecting to network
> port 8180
>
> Detailed Description:
>
> [squid has a permissive type (squid_t). This access was not denied.]
>
> SELinux has denied the squid daemon from connecting to 8180. By
> default squid policy is setup to deny squid connections. If you did
> not setup squid to network connections, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> If you want squid to connect to network ports you need to turn on the
> squid_connect_any boolean: "setsebool -P squid_connect_any=1"
>
> Fix Command:
>
> setsebool -P squid_connect_any=1
>
> Additional Information:
>
> Source Context                system_u:system_r:squid_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ tcp_socket ]
> Source                        squid
> Source Path                   /usr/sbin/squid
> Port                          8180
> Host                          box6
> Source RPM Packages           squid-3.1.0.15-2.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-78.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   squid_connect_any
> Host Name                     box6
> Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP
>                               Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count                   33
> First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
> Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
> Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied {
> name_connect } for pid=1504 comm="squid" dest=8180
> scontext=system_u:system_r:squid_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> node=box6 type=SYSCALL msg=audit(1265580538.758:20027):
> arch=c000003e syscall=42 success=yes exit=4294967424 a0=e
> a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504
> auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 tty=(none) ses=4294967295 comm="squid"
> exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
>

Another option would be to identify port 8180 as an http port.

semanage port -a -t http_port_t -p tcp 8180

Would label this port http_port_t and squid would be allowed to connect to
this port without setting the boolean.
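The thread ends with two ways to resolve the same AVC: the broad `squid_connect_any` boolean that the alert suggests, and the narrower `semanage port` labeling that lets squid reach only the one port. The script below is an added example, not part of the thread and not Fedora or setroubleshoot code. It parses the two raw audit records quoted above (copied here as constructed sample lines), decides which remediation applies, and checks the SYSCALL record's `success=` field to tell a real denial from one logged by a permissive domain, which is exactly the situation the alert notes with "This access was not denied." The `KNOWN_DOMAINS` table is an assumption of the example and only contains the squid entry the thread supports.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two audit records quoted in the alert, each
# re-joined onto a single line as audit.log would carry them.
AVC_LINE = (
    'node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } '
    'for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
)
SYSCALL_LINE = (
    'node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c000003e syscall=42 '
    'success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 '
    'pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 '
    'fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" '
    'subj=system_u:system_r:squid_t:s0 key=(null)'
)

# key=value pairs; values are either double-quoted or run to the next space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The verdict and permission set of an AVC record: avc: denied { name_connect }
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# Event id shared by all records of one syscall: msg=audit(<timestamp>:<serial>)
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Assumed table for this example: source domain -> the port type it may
# reach and the boolean that lifts the restriction entirely. Only the squid
# entry is taken from the thread.
KNOWN_DOMAINS = {
    'squid_t': {'port_type': 'http_port_t', 'boolean': 'squid_connect_any'},
}


def parse_record(line: str) -> Dict[str, object]:
    """Turn one audit record into a dict of its fields plus event/verdict/perms."""
    rec: Dict[str, object] = {}
    for key, value in KV_RE.findall(line):
        rec[key] = value.strip('"')
    m = EVENT_RE.search(line)
    if m:
        rec['event'] = f'{m.group(1)}:{m.group(2)}'
    m = PERM_RE.search(line)
    if m:
        rec['verdict'] = m.group(1)
        rec['perms'] = m.group(2).split()
    return rec


def context_type(context: str) -> str:
    """Extract the type field from a user:role:type:level security context."""
    return context.split(':')[2]


def suggest_remediation(avc: Dict[str, object]) -> Optional[Dict[str, str]]:
    """For a name_connect denial on a TCP socket, return the narrow (port
    label) and broad (boolean) fixes; None when the record is not that case
    or the source domain is not in the table."""
    perms: List[str] = avc.get('perms', [])  # type: ignore[assignment]
    if avc.get('verdict') != 'denied' or avc.get('tclass') != 'tcp_socket' \
            or 'name_connect' not in perms:
        return None
    known = KNOWN_DOMAINS.get(context_type(str(avc['scontext'])))
    if known is None:
        return None
    fix = {'broad': f"setsebool -P {known['boolean']}=1"}
    # port_t is the generic label for ports no policy module claims; only then
    # is "semanage port -a" the right verb (an already-labeled port needs -m).
    if context_type(str(avc['tcontext'])) == 'port_t':
        fix['narrow'] = f"semanage port -a -t {known['port_type']} -p tcp {avc['dest']}"
    return fix


def enforced(avc: Dict[str, object], syscall: Dict[str, object]) -> Optional[bool]:
    """True if the AVC actually blocked the call, False if the call went
    through anyway (permissive domain), None if the records are unrelated."""
    if avc.get('event') != syscall.get('event'):
        return None
    return syscall.get('success') != 'yes'


if __name__ == '__main__':
    avc, sc = parse_record(AVC_LINE), parse_record(SYSCALL_LINE)
    print('denial enforced:', enforced(avc, sc))
    print('remediation:', suggest_remediation(avc))
```

Run as-is the script reports that the denial was not enforced (the SYSCALL record says `success=yes`, matching the alert's "permissive type" note) and prints both commands, with the `semanage port` line as the narrow choice. Pointing `AVC_LINE` at a record from a domain missing from `KNOWN_DOMAINS` returns `None`, which is the cue to look up that domain's own booleans rather than guess.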
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines