selinux, squid

Daniel J Walsh dwalsh at redhat.com
Mon Aug 15 15:43:13 UTC 2005


Richard Pannell wrote:

>
> >On Thu, 2005-08-11 at 13:47 +0800, Richard Pannell wrote:
> >>
> >> I am having problems running squid authentication (ntlm_auth) in FC4
> >> with selinux turned on. When I use setenforce 0 I have no problems.
> >> But with setenforce set to 1 it fails. So using "audit2allow -l
> >> -i /var/log/message" I got the following result
> >>
> >> allow auditd_t initrc_t:unix_dgram_socket sendto;
> >> allow klogd_t device_t:sock_file write;
> >> allow klogd_t initrc_t:unix_dgram_socket sendto;
> >> allow rpcd_t etc_runtime_t:file read;
> >> allow rpcd_t proc_t:file read;
> >> allow rpcd_t samba_etc_t:dir search;
> >> allow rpcd_t samba_var_t:dir { getattr search };
> >> allow syslogd_t etc_runtime_t:file read;
> >> allow syslogd_t proc_t:file read;
> >>
> >> which I added
> >> to /etc/selinux/targeted/src/policy/domains/misc/local.te and ran
> >>
> >> make -C /etc/selinux/targeted/src/policy clean
> >> make -C /etc/selinux/targeted/src/policy load
> >
> >Do you get the same output from audit2allow after doing this?
> Yes I am.
> >
> >Are you running auditd? If so, you should be looking
> >in /var/log/audit/audit.log rather than /var/log/messages for AVC
> >errors.
> Yes I am. So it was showing.
>
> allow apmd_t device_t:sock_file write;
> allow apmd_t devpts_t:chr_file { getattr ioctl };
> allow apmd_t devpts_t:dir search;
> allow apmd_t initrc_t:unix_dgram_socket sendto;
> allow apmd_t selinux_config_t:file read;
> allow auditd_t device_t:sock_file write;
> allow bluetooth_t device_t:sock_file write;
> allow httpd_t winbind_var_run_t:dir getattr;
> allow ntpd_t device_t:sock_file write;
> allow ntpd_t initrc_t:unix_dgram_socket sendto;
> allow system_dbusd_t device_t:sock_file write;
> allow system_dbusd_t initrc_t:unix_dgram_socket sendto;
> allow system_dbusd_t winbind_var_run_t:dir getattr;
> allow updfstab_t device_t:sock_file write;
> allow winbind_helper_t initrc_t:unix_stream_socket connectto;
> allow winbind_helper_t samba_var_t:dir search;
>
> Added this to the local.te file which worked thanks very much.
> >
> >Paul.

First off, this looks like you have a mislabeled /dev/log file?
restorecon -v /dev/log

Does adding

allow winbind_helper_t samba_var_t:dir search;

only fix the problem?

Could you attach the avc messages used to generate the audit rules?

Dan
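
As an added illustration of the triage Dan is doing here (example code written for this page, not from the thread or from audit2allow itself): parse the audit2allow rules quoted above, group them by target type, class and permission, and flag any access that several unrelated domains were all denied, since that pattern (apmd, auditd, bluetooth, ntpd, dbus and updfstab all needing device_t:sock_file write) points at a mislabeled /dev/log rather than at six missing policy rules. The sample rule list is a constructed subset of the output quoted above, and the threshold of three domains is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the audit2allow output quoted above.
RULES = """\
allow apmd_t device_t:sock_file write;
allow apmd_t devpts_t:chr_file { getattr ioctl };
allow apmd_t initrc_t:unix_dgram_socket sendto;
allow auditd_t device_t:sock_file write;
allow bluetooth_t device_t:sock_file write;
allow httpd_t winbind_var_run_t:dir getattr;
allow ntpd_t device_t:sock_file write;
allow ntpd_t initrc_t:unix_dgram_socket sendto;
allow system_dbusd_t device_t:sock_file write;
allow updfstab_t device_t:sock_file write;
allow winbind_helper_t samba_var_t:dir search;
"""
# allow <src> <tgt>:<class> <perm>;   or   allow <src> <tgt>:<class> { p1 p2 };
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_rules(text):
    """Return (source, target, class, perm) tuples, one per permission."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, many, single = m.groups()
            for perm in (many.split() if many else [single]):
                out.append((src, tgt, cls, perm))
    return out

def shared_targets(rules, min_domains=3):
    """(target, class, perm) -> sorted source domains, for accesses that at least
    min_domains unrelated domains were all denied: many domains needing the same
    generic type (device_t) suggests a mislabeled object such as /dev/log."""
    by_target = defaultdict(set)
    for src, tgt, cls, perm in rules:
        by_target[(tgt, cls, perm)].add(src)
    return {k: sorted(v) for k, v in by_target.items() if len(v) >= min_domains}

def rules_for(rules, domains):
    """Rules whose source domain is one of the domains of interest."""
    return [r for r in rules if r[0] in domains]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for (tgt, cls, perm), srcs in shared_targets(rules).items():
        print(f"labeling suspect: {tgt}:{cls} {perm} needed by {', '.join(srcs)}")
    for r in rules_for(rules, {"winbind_helper_t", "httpd_t"}):
        print("squid-relevant: allow %s %s:%s %s;" % r)
```

Run against a fresh audit2allow listing, the flagged entries are the ones to check with restorecon before adding anything to local.te; only the rules left over for the squid helper chain (winbind_helper_t, httpd_t) are candidates for a real policy addition.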

-- 
More information about the fedora-list mailing list