[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux protect my squid using havp as parent proxy



On Wed, 2006-07-12 at 09:33 +0700, Lutfi wrote:
> After upgrade to FC5, my squid cannot using havp (localhost:8080) as
> parent proxy anymore. The audit log msg is here:
> 
> ===> /var/log/audit/audit.log
> type=AVC msg=audit(1152671338.823:21775): avc:  denied
> { name_connect } for  pid=2371 comm="squid" dest=8080
> scontext=system_u:system_r:squid_t:s0
> tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003
> syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c
> items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23
> egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=system_u:system_r:squid_t:s0
> type=SOCKADDR msg=audit(1152671338.823:21775):
> saddr=02001F907F0000010000000000000000
> type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12
> a1=bbdd8f8 a2=10
> 
> How to fix this? Thx

This is off-topic for fedora-extras-list. Please address any followups
to fedora-selinux-list, where the right people will see it to get the
problem fixed in the next selinux-policy update.

I have fixed this problem here using a local policy module:

policy_module(localmisc, 0.1.0)

require {
        type squid_t;
};

# Squid doing what comes naturally? WTF?
corenet_tcp_connect_http_cache_port(squid_t)
corenet_tcp_sendrecv_http_cache_port(squid_t)


Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]