Re: [squid-users] SELINUX issue(confined>unconfined)

From: Tiery DENYS <tiery.denys_at_gmail.com>
Date: Wed, 19 May 2010 11:33:40 +0200

Hi,

In permissive mode, you only get logs, but SELinux will not be active
(it will not forbid unauthorized access). Usually you put SELinux in
permissive mode only in order to get all the access-denied entries in
audit.log, so that you can build a policy module or adjust file contexts.

I suggest you spend some time on SELinux; it can really increase the
security of your proxy server.

But you will need to build a policy module for squid_kerb_auth, which
is not currently supported by the SELinux policy on Red Hat-like systems.

What distribution do you use?

Tiery

On Wed, May 19, 2010 at 6:17 AM, GIGO . <gigoz_at_msn.com> wrote:
>
> Thank you, I will give it a try. However, I am also thinking of running SELinux in permissive mode for my proxy server. What do you say about it?
>
>
> regards,
>
> Bilal
>
> ----------------------------------------
>> Date: Tue, 18 May 2010 15:00:05 +0200
>> From: tiery.denys_at_gmail.com
>> To: gigoz_at_msn.com
>> CC: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] SELINUX issue(confined>unconfined)
>>
>> okay,
>>
>> I have also worked on a similar project (squid/kerberos/selinux).
>> I installed squid in /usr/local/squid, but I had to modify
>> /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my
>> squid directory.
>>
>> /usr/local/squid/etc(/.*)? system_u:object_r:squid_conf_t:s0
>> /usr/local/squid/var/logs(/.*)? system_u:object_r:squid_log_t:s0
>> /usr/local/squid/share(/.*)? system_u:object_r:squid_conf_t:s0
>> /usr/local/squid/var/cache(/.*)? system_u:object_r:squid_cache_t:s0
>> /usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0
>> /usr/local/squid/var/logs/squid\.pid -- system_u:object_r:squid_var_run_t:s0
>> /usr/local/squid/libexec(/.*)? system_u:object_r:lib_t:s0
>> /usr/local/squid -d system_u:object_r:bin_t:s0
>> /usr/local/squid/var -d system_u:object_r:var_t:s0
>>
>> Then restore context (with restorecon or .autorelabel and reboot).
>>
>> But I am not sure modifying this file is the best way.
>> If you update your SELinux policy, the change will not be persistent.
>>
>> I think it is better to build an SELinux module for our squid.
>>
>> Tiery
>>
>>
>>
>> On Tue, May 18, 2010 at 2:34 PM, GIGO . wrote:
>>>
>>> Yes, I am using a compiled version. I have used this command: chcon -t unconfined_exec_t /usr/sbin/squid and it's working now. Is this a security issue?
>>>
>>> regards,
>>>
>>> Bilal
>>>
>>> ----------------------------------------
>>>> Date: Tue, 18 May 2010 14:26:06 +0200
>>>> From: tiery.denys_at_gmail.com
>>>> To: squid-users_at_squid-cache.org
>>>> Subject: Re: [squid-users] SELINUX issue(confined>unconfined)
>>>>
>>>> Hi,
>>>>
>>>> ps -Z => squid_t and getenforce => enforcing
>>>> squid is started with SELinux
>>>>
>>>> Red Hat/CentOS platform:
>>>> If squid is installed with yum, squid will be started with a squid_t
>>>> SELinux context.
>>>>
>>>> If you compiled your squid and installed it, you will have to change
>>>> the squid file contexts manually.
>>>>
>>>> As I see you have squid_kerb_plugin, you should have compiled your squid
>>>> to support Kerberos, no?
>>>>
>>>> ---
>>>>
>>>> For your problem:
>>>>
>>>> try to check the SELinux log:
>>>> audit2allow -al
>>>> or cat /var/log/audit/audit.log | audit2allow
>>>>
>>>> You can also try to restore the SELinux context for all squid files:
>>>> restorecon -R /etc/squid
>>>> restorecon -R /var/log/squid
>>>>
>>>> etc...
>>>>
>>>> or touch /.autorelabel and reboot
>>>>
>>>>
>>>> Tiery
>>>>
>>>> On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:
>>>>>
>>>>> Dear All,
>>>>>
>>>>> Your guidance is required. Please help.
>>>>>
>>>>> It looks like the squid process runs by default as a confined process, whether it's a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux-aware. Am I right?
>>>>>
>>>>> [root_at_squidLhr ~]# ps -eZ | grep squid
>>>>> system_u:system_r:squid_t 3173 ? 00:00:00 squid
>>>>> system_u:system_r:squid_t 3175 ? 00:00:00 squid
>>>>> system_u:system_r:squid_t 3177 ? 00:00:00 squid
>>>>> system_u:system_r:squid_t 3179 ? 00:00:00 squid
>>>>> system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
>>>>> system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
>>>>>
>>>>>
>>>>> It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.
>>>>>
>>>>> When running as an unconfined process by the following command, the problem was resolved:
>>>>>
>>>>> chcon -t unconfined_exec_t /usr/sbin/squid
>>>>>
>>>>> However, it does not feel appropriate to me. Please guide me on this.
>>>>>
>>>>> I am starting squid with the following init script, if it has something to do with the problem:
>>>>>
>>>>> #!/bin/sh
>>>>> #
>>>>> # my script
>>>>> case "$1" in
>>>>>   start)
>>>>>     /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
>>>>>     /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
>>>>>     # The line below is to automatically start apache with system startup
>>>>>     /usr/sbin/httpd -k start
>>>>>     #KRB5_KTNAME=/etc/squid/HTTP.keytab
>>>>>     #export KRB5_KTNAME
>>>>>     #KRB5RCACHETYPE=none
>>>>>     #export KRB5RCACHETYPE
>>>>>     ;;
>>>>>   stop)
>>>>>     /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
>>>>>     echo "Shutting down squid secondary process"
>>>>>     /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
>>>>>     echo "Shutting down squid main process"
>>>>>     # The line below is to automatically stop apache at system shutdown
>>>>>     /usr/sbin/httpd -k stop
>>>>>     ;;
>>>>>   *)
>>>>>     # Reject anything other than start/stop instead of silently doing nothing
>>>>>     echo "Usage: $0 {start|stop}"
>>>>>     exit 1
>>>>>     ;;
>>>>> esac
>>>>>
>>>>>
>>>>> Thanking you & regards,
>>>>>
>>>>> Bilal
>>>>>
>>>>>
>>>>> ----------------------------------------
>>>>>> From: gigoz_at_msn.com
>>>>>> To: squid-users_at_squid-cache.org
>>>>>> Date: Tue, 18 May 2010 06:02:35 +0000
>>>>>> Subject: [squid-users] SELINUX issue
>>>>>>
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> When I change SELinux from permissive mode to enforcing mode, my multiple-instance setup fails to start. Please guide me on how to overcome this.
>>>>>>
>>>>>> -----------------------Excerpts from cache.log-----------------
>>>>>>
>>>>>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>>>>>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>>>>>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>>>>>> 2010/05/18 10:31:52| 51794 Entries scanned
>>>>>> 2010/05/18 10:31:52| 0 Invalid entries.
>>>>>> 2010/05/18 10:31:52| 0 With invalid flags.
>>>>>> 2010/05/18 10:31:52| 51794 Objects loaded.
>>>>>> 2010/05/18 10:31:52| 0 Objects expired.
>>>>>> 2010/05/18 10:31:52| 0 Objects cancelled.
>>>>>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>>>>>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>>>>>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>>>>>> 2010/05/18 10:31:52| Beginning Validation Procedure
>>>>>> 2010/05/18 10:31:52| Completed Validation Procedure
>>>>>> 2010/05/18 10:31:52| Validated 103614 Entries
>>>>>> 2010/05/18 10:31:52| store_swap_size = 913364
>>>>>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>>>>>> 2010/05/18 10:31:52| always_direct = 0
>>>>>> 2010/05/18 10:31:52| never_direct = 1
>>>>>> 2010/05/18 10:31:52| timedout = 0
>>>>>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>>>>>
>>>>>> --------------------------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> regards,
>>>>>>
>>>>>> Bilal
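The file_contexts entries Tiery quotes above can be registered persistently with semanage fcontext instead of hand-editing file_contexts (which a policy update overwrites, as he notes). The script below is an added example, not from this thread or the Squid project; it assumes a self-compiled squid under /usr/local/squid (overridable via SQUID_ROOT), the targeted-policy types named in the thread, and a semanage that accepts f/d file-type letters. It prints the commands rather than running them, so the plan can be reviewed before piping it into a root shell.

```shell
#!/bin/sh
# Build a reviewable semanage/restorecon plan for a custom squid install.
# Assumption: install prefix; override with SQUID_ROOT=/opt/squid etc.
SQUID_ROOT="${SQUID_ROOT:-/usr/local/squid}"

# One mapping per line: <ftype for semanage -f> <SELinux type> <path regex>
# ftype: a = any file type, f = regular file only, d = directory only.
# Types are the ones from the thread's file_contexts excerpt.
squid_fcontext_table() {
    cat <<EOF
a squid_conf_t    $SQUID_ROOT/etc(/.*)?
a squid_log_t     $SQUID_ROOT/var/logs(/.*)?
a squid_conf_t    $SQUID_ROOT/share(/.*)?
a squid_cache_t   $SQUID_ROOT/var/cache(/.*)?
f squid_exec_t    $SQUID_ROOT/sbin/squid
f squid_var_run_t $SQUID_ROOT/var/logs/squid\\.pid
a lib_t           $SQUID_ROOT/libexec(/.*)?
d bin_t           $SQUID_ROOT
d var_t           $SQUID_ROOT/var
EOF
}

# Emit the commands (does not execute them). The trailing restorecon
# applies the registered contexts on disk, like Tiery's relabel step.
squid_fcontext_plan() {
    squid_fcontext_table | while read -r ftype setype path; do
        if [ "$ftype" = a ]; then
            printf "semanage fcontext -a -t %s '%s'\n" "$setype" "$path"
        else
            printf "semanage fcontext -a -f %s -t %s '%s'\n" \
                "$ftype" "$setype" "$path"
        fi
    done
    printf "restorecon -R -v '%s'\n" "$SQUID_ROOT"
}

# Number of semanage rules in the plan; a quick sanity check on the table.
squid_fcontext_count() {
    squid_fcontext_plan | grep -c '^semanage '
}
```

After applying the plan, confirm with `ps -eZ | grep squid` that the daemon runs as squid_t rather than unconfined_t; the squid_kerb_auth helper still needs its own policy module, as the thread says.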
Received on Wed May 19 2010 - 09:33:47 MDT

This archive was generated by hypermail 2.2.0 : Wed May 19 2010 - 12:00:06 MDT