
Re: SELinux protect my squid using havp as parent proxy



Joshua Brindle wrote:
Paul Howarth wrote:
On Wed, 2006-07-12 at 09:33 +0700, Lutfi wrote:
After upgrading to FC5, my squid cannot use havp (localhost:8080) as
parent proxy anymore. The audit log msg is here:

===> /var/log/audit/audit.log
type=AVC msg=audit(1152671338.823:21775): avc:  denied
{ name_connect } for  pid=2371 comm="squid" dest=8080
scontext=system_u:system_r:squid_t:s0
tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1152671338.823:21775): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf9eb1a0 a2=52e1c4 a3=b7f1ca2c
items=0 pid=2371 auid=4294967295 uid=23 gid=23 euid=23 suid=0 fsuid=23
egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
subj=system_u:system_r:squid_t:s0
type=SOCKADDR msg=audit(1152671338.823:21775):
saddr=02001F907F0000010000000000000000
type=SOCKETCALL msg=audit(1152671338.823:21775): nargs=3 a0=12
a1=bbdd8f8 a2=10

How to fix this? Thx

This is off-topic for fedora-extras-list. Please address any followups
to fedora-selinux-list, where the right people will see it to get the
problem fixed in the next selinux-policy update.

I have fixed this problem here using a local policy module:

policy_module(localmisc, 0.1.0)

require {
        type squid_t;
};

# Squid doing what comes naturally? WTF?
corenet_tcp_connect_http_cache_port(squid_t)
corenet_tcp_sendrecv_http_cache_port(squid_t)

Ah, the real disadvantage of modules comes out... hopefully policy issues like these will be referred to refpolicy upstream as well, so that the mainline policy can be fixed and not just this person's local setup...

This is why I CC'ed the reply to fedora-selinux-list where I know Dan will see it and it'll get pushed upstream if I haven't suggested something silly.

Paul.
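As an added example (not part of the thread), a small Python script that reads the AVC and SOCKADDR records quoted above and pulls out what you want to know before allowing anything: the denied permission, the source domain and target port type, the decoded peer address (the raw saddr, which should turn out to be 127.0.0.1:8080, i.e. the havp parent), and the refpolicy corenet interface name that Paul's module uses. It is a simplified form of the mapping audit2allow -R performs; the sample records are the page's own, re-joined onto single lines.

```python
import re
import socket
import struct

# Constructed sample: the AVC and SOCKADDR records quoted in the thread,
# re-joined into the single lines auditd actually writes.
AUDIT_LINES = [
    'type=AVC msg=audit(1152671338.823:21775): avc:  denied  { name_connect } for  pid=2371 '
    'comm="squid" dest=8080 scontext=system_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=SOCKADDR msg=audit(1152671338.823:21775): saddr=02001F907F0000010000000000000000',
]

def parse_fields(line):
    """Split one audit record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def context_type(ctx):
    """user:role:type:level -> type, the part policy rules key on."""
    return ctx.split(':')[2]

def decode_saddr(hexstr):
    """Decode the raw sockaddr of a SOCKADDR record; (ip, port) for AF_INET, else None.
    sa_family is host byte order (the record is from an i386 box, arch=40000003,
    so little-endian); the port is network byte order."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or struct.unpack('<H', raw[:2])[0] != socket.AF_INET:
        return None
    return socket.inet_ntoa(raw[4:8]), struct.unpack('!H', raw[2:4])[0]

def suggest_interface(perm, stype, ttype, tclass):
    """Map a tcp_socket name_connect denial onto the refpolicy corenet interface
    (same naming as Paul's module); None for anything this does not cover."""
    if tclass != 'tcp_socket' or perm != 'name_connect' or not ttype.endswith('_port_t'):
        return None
    return 'corenet_tcp_connect_%s_port(%s)' % (ttype[:-len('_port_t')], stype)

def analyse(lines):
    """Correlate the AVC and SOCKADDR records of one audit event and summarise it."""
    r = {}
    for line in lines:
        f = parse_fields(line)
        if f['type'] == 'AVC':
            r['perm'] = re.search(r'\{ ([^}]+?) \}', line).group(1)
            r['domain'], r['target'] = context_type(f['scontext']), context_type(f['tcontext'])
            r['tclass'], r['comm'] = f['tclass'], f['comm']
        elif f['type'] == 'SOCKADDR':
            r['peer'] = decode_saddr(f['saddr'])
    r['interface'] = suggest_interface(r['perm'], r['domain'], r['target'], r['tclass'])
    return r

if __name__ == '__main__':
    for k, v in analyse(AUDIT_LINES).items():
        print('%-10s %s' % (k, v))
```

Checking that the decoded peer really is the local havp port is the step that tells you the denial is Squid doing its configured job rather than something unexpected, which is what justifies allowing it.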

