squid.te

Giuseppe Greco giuseppe.greco at agamura.com
Sat Dec 11 10:44:09 UTC 2004


Thanks,

now I've added the following two lines
to /etc/selinux/targeted/src/policy/domains/program/squid.te:

allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
allow { squid_t initrc_t } squid_log_t:file create_file_perms;

... but I still get the following error message when restarting
squid:

Starting squid: audit(1102241826.255.0): avc: denied { getattr } for
  pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2
  scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t
  tclass=dir

audit(1102241826.255.0): avc: denied { getattr } for
  pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2
  scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t
  tclass=dir

I've also a similar problem with sendmail when accessed via
squirrelmail:

audit(1102761151.989:0): avc denied { search } for
  pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002
  scontext=user_u:system_r:httpd_t
  tcontext=system_u:object_r:var_spool_t tclass=dir

audit(1102761496.288:0): avc denied { getattr } for
  pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002
  scontext=user_u:system_r:httpd_t
  tcontext=system_u:object_r:var_spool_t tclass=dir

I don't know how to proceed...
j3d.

On Fri, 2004-12-10 at 06:40 -0800, Karsten Wade wrote:
> On Fri, 2004-12-10 at 14:23 +0100, Giuseppe Greco wrote:
> > ... sorry for my ignorance, but where are *.te files located?
> > I cannot find them...
> 
> You have to have selinux-policy-<policyname>-sources (the policy source
> package) installed.  Then you can find everything
> within /etc/selinux/<policyname>/src/policy.  In this case, you
> want /etc/selinux/<policyname>/src/policy/domains/program/squid.te.
> 
> - Karsten
> > 
> > j3d.
> > 
> > On Sun, 2004-12-05 at 11:11 -0800, Tom London wrote:
> > > Running strict/enforcing, latest Rawhide
> > > 
> > > squid and initrc need to create/write /var/log/squid/squid.out, etc
> > > 
> > > Suggest adding:
> > > allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
> > > allow { squid_t initrc_t } squid_log_t:file create_file_perms;
> > > 
> > > tom
-- 
----------------------------------------
Giuseppe Greco

::agamura::

phone:  +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email:  giuseppe.greco at agamura.com
web:    www.agamura.com
----------------------------------------
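
An added example, not part of the original message or of the SELinux tooling: a small parser for the AVC denial format quoted above, grouping denials by source type, target type and object class so each candidate rule can be reviewed next to the paths that triggered it. The function names are hypothetical; the sample lines are the four denials from the message, rejoined onto one line each.

```python
import re
from collections import defaultdict
# The four denials quoted in the message above, rejoined onto one line each.
SAMPLE = """\
audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir
audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# The quoted logs show "avc" both with and without the trailing colon.
DENIAL = re.compile(r"avc:?\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_denial(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = DENIAL.search(line)
    if not m:
        return None
    f = dict(FIELD.findall(m.group(2)))
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "source": f["scontext"].split(":")[2],  # context is user:role:type
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": f.get("path") or f.get("name") or "?",
    }

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            g = groups[(d["source"], d["target"], d["tclass"])]
            g["perms"].update(d["perms"])
            g["objects"].add(d["object"])
    return dict(groups)

def as_rule(key, group):
    """Render one group in allow-rule syntax, for review rather than blind use."""
    perms = " ".join(sorted(group["perms"]))
    return f"allow {key[0]} {key[1]}:{key[2]} {{ {perms} }};"

if __name__ == "__main__":
    for key, group in sorted(summarize(SAMPLE).items()):
        print(as_rule(key, group), "#", sorted(group["objects"]))
```
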