Squid question in FC3

Paul Howarth paul at city-fan.org
Thu Feb 24 15:39:58 UTC 2005


Chris wrote:
> Thanks, and it's exactly because of that. I didn't realize that I installed SELinux...
> 
> I got the following error messages when I do 'squid -z':
> 
> Feb 25 00:30:26 eden kernel: audit(1109259026.091:0): avc:  denied  { search } for 
> pid=4836 exe=/usr/sbin/squid name=tmp dev=hda12 ino=480001 scontext=root:system_r:squid_t
> tcontext=system_u:object_r:tmp_t tclass=dir
> Feb 25 00:30:26 eden squid: Failed to make swap directory /tmp/squid: (13) Permission
> denied
> 
> I just don't get it since the dir is writable for squid:
> 
> drwxr-xr-x   2 squid squid  4096 Feb 25 00:06 squid/
> 
> Is this a known issue of SELinux? Is there any way to work around it?

This is a feature, not a bug ;-)

SELinux imposes additional restrictions on what the squid server can do, 
so that if it is compromised, it is difficult for the attacker to do 
anything useful with it, like write a rootkit to /tmp. This is all on 
top of the existing unix permissions.

Try approaching the problem a different way. What is the underlying 
reason why you want the squid cache to be in /tmp instead of 
/var/spool/squid?

Paul.
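The denial Chris quoted is easier to read once the AVC record is split into its fields: the type component of scontext (squid_t) and tcontext (tmp_t) is what the policy decides on, which is why the mode bits on the directory make no difference. This is an added example for reading such records, not code from the thread or from the squid or SELinux projects; it assumes the FC3-era kernel audit line format quoted above, and the sample line is that record re-joined onto one line.

```python
import re

# The AVC record quoted in the thread, re-joined onto one line
# (the mail client wrapped it across three lines).
AVC_LINE = (
    "Feb 25 00:30:26 eden kernel: audit(1109259026.091:0): avc:  denied  { search } for "
    "pid=4836 exe=/usr/sbin/squid name=tmp dev=hda12 ino=480001 "
    "scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir"
)

# verdict, the braced permission list, then the key=value tail
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Split an AVC message into verdict, requested permissions and key=value fields.
    Returns None when the line is not an AVC record (e.g. the squid daemon's own log line)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = value
    # Contexts are user:role:type; policy rules are written against the type,
    # so that is the part worth pulling out for a human reader.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def explain(rec):
    """One-line summary: which domain was refused which permission on which labelled object."""
    return "%s (domain %s) was denied %s on %s '%s' labelled %s" % (
        rec.get("exe", "?"), rec["source_type"], "/".join(rec["perms"]),
        rec["tclass"], rec.get("name", "?"), rec["target_type"])


if __name__ == "__main__":
    # name=tmp with tclass=dir: squid_t may not even traverse /tmp itself,
    # so anything beneath it is unreachable regardless of unix permissions.
    print(explain(parse_avc(AVC_LINE)))
```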



