RE: [squid-users] SELINUX issue(confined>unconfined)

From: GIGO . <gigoz_at_msn.com>
Date: Wed, 19 May 2010 11:26:55 +0000

Hi,
 
I use CentOS 5.3 and currently have no knowledge of SELinux, as yesterday was the first time I studied it. As you could have guessed, I am a newbie in the Linux field. Yes... I have been assigned the project of migrating from ISA to squid (management, having confidence in my capability to learn/understand things, has assigned it to me...)
 
And I assume it would take quite some time to be able to build the policy myself, for which I am short of time. So I am thinking of postponing it to some future time, and concentrating on other issues/stabilization that are necessary for the required basic functionality. Once the project is piloted and management shows confidence in me, I can do more challenging tasks like this.
 
But if you think it's really very necessary then definitely I will look forward to completing this task before piloting. Any tips/guidance will be warmly welcomed.
 
 
Thanking you
 
&
 
regards,
 
Bilal
 
 
 

----------------------------------------
> Date: Wed, 19 May 2010 11:33:40 +0200
> From: tiery.denys_at_gmail.com
> To: gigoz_at_msn.com
> CC: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] SELINUX issue(confined>unconfined)
>
> Hi,
>
> In permissive mode, you only get log, but selinux will not be active
> (it will not forbid unauthorized access). Usually you put selinux in
> permissive mode only in order to get all access denied log in
> audit.log in order to build policy module or adjust filecontexts.
>
> I suggest you spend some time on SELinux; it can really increase the
> security of your proxy server.
>
> But you will need to build a policy module for squid_kerb_auth, which
> is not currently supported by the SELinux policy on Red Hat-like systems.
>
> What distribution do you use?
>
>
> Tiery
>
>
> On Wed, May 19, 2010 at 6:17 AM, GIGO . wrote:
>>
>> Thank you, I will give it a try. However I am also thinking of running SELinux in permissive mode for my proxy server. What do you say about it?
>>
>>
>> regards,
>>
>> Bilal
>>
>> ----------------------------------------
>>> Date: Tue, 18 May 2010 15:00:05 +0200
>>> From: tiery.denys_at_gmail.com
>>> To: gigoz_at_msn.com
>>> CC: squid-users_at_squid-cache.org
>>> Subject: Re: [squid-users] SELINUX issue(confined>unconfined)
>>>
>>> okay,
>>>
>>> I have also worked on a similar project (squid/kerberos/selinux).
>>> I installed squid in /usr/local/squid but I had to modify
>>> /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my
>>> squid directory.
>>>
>>> /usr/local/squid/etc(/.*)? system_u:object_r:squid_conf_t:s0
>>> /usr/local/squid/var/logs(/.*)? system_u:object_r:squid_log_t:s0
>>> /usr/local/squid/share(/.*)? system_u:object_r:squid_conf_t:s0
>>> /usr/local/squid/var/cache(/.*)? system_u:object_r:squid_cache_t:s0
>>> /usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0
>>> /usr/local/squid/var/logs/squid\.pid -- system_u:object_r:squid_var_run_t:s0
>>> /usr/local/squid/libexec(/.*)? system_u:object_r:lib_t:s0
>>> /usr/local/squid -d system_u:object_r:bin_t:s0
>>> /usr/local/squid/var -d system_u:object_r:var_t:s0
>>>
>>> Then restore context (with restorecon or .autorelabel and reboot).
>>>
>>> But I am not sure modifying this file is the best way.
>>> If you update your SELinux policy, the change will not be persistent.
>>>
>>> I think it is better to build an SELinux module for our squid.
>>>
>>> Tiery
>>>
>>>
>>>
>>> On Tue, May 18, 2010 at 2:34 PM, GIGO . wrote:
>>>>
>>>> Yes, I am using a compiled version. I have used this command: chcon -t unconfined_exec_t /usr/sbin/squid and it's working now. Is this a security issue?
>>>>
>>>> regards,
>>>>
>>>> Bilal
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ----------------------------------------
>>>>> Date: Tue, 18 May 2010 14:26:06 +0200
>>>>> From: tiery.denys_at_gmail.com
>>>>> To: squid-users_at_squid-cache.org
>>>>> Subject: Re: [squid-users] SELINUX issue(confined>unconfined)
>>>>>
>>>>> Hi,
>>>>>
>>>>> ps -Z => squid_t and getenforce => enforcing
>>>>> squid is started with selinux
>>>>>
>>>>> Redhat/centos platform:
>>>>> If squid is installed with yum, squid will be started with a squid_t
>>>>> SELinux context.
>>>>>
>>>>> If you compiled and installed your squid yourself, you will have to change
>>>>> the squid files' contexts manually.
>>>>>
>>>>> As I see you have squid_kerb_plugin, you should have compiled your squid
>>>>> to support Kerberos, no?
>>>>>
>>>>> ---
>>>>>
>>>>> For your problem:
>>>>>
>>>>> try to check the SELinux log:
>>>>> audit2allow -al
>>>>> or cat /var/log/audit/audit.log | audit2allow
>>>>>
>>>>> You can also try to restore the SELinux context for all squid files:
>>>>> restorecon -R /etc/squid
>>>>> restorecon -R /var/log/squid
>>>>>
>>>>> etc...
>>>>>
>>>>> or touch /.autorelabel and reboot
>>>>>
>>>>>
>>>>> Tiery
>>>>>
>>>>> On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>> Your guidance is required. Please help.
>>>>>>
>>>>>> It looks like the squid process runs by default as a confined process, whether it's a compiled version or a version that comes with the Linux distro. It means that the squid software is SELinux aware. Am I right?
>>>>>>
>>>>>> [root_at_squidLhr ~]# ps -eZ | grep squid
>>>>>> system_u:system_r:squid_t 3173 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3175 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3177 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3179 ? 00:00:00 squid
>>>>>> system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd
>>>>>> system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd
>>>>>>
>>>>>>
>>>>>> It was successful before I changed SELinux to enforcing. Now I cannot even start the squid process that accesses the parent at localhost (3128) manually. The other process starts normally if I do it manually.
>>>>>>
>>>>>> When running as an unconfined process by the following command, the problem was resolved:
>>>>>>
>>>>>> chcon -t unconfined_exec_t /usr/sbin/squid
>>>>>>
>>>>>> However, it does not feel appropriate to me. Please guide me on this.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am starting squid with the following init script, in case it has something to do with the problem:
>>>>>>
>>>>>> #!/bin/sh
>>>>>> #
>>>>>> #my script
>>>>>> case "$1" in
>>>>>> start)
>>>>>> /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf
>>>>>> /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf
>>>>>> #The below line is to automatically start apache with system startup
>>>>>> /usr/sbin/httpd -k start
>>>>>> #KRB5_KTNAME=/etc/squid/HTTP.keytab
>>>>>> #export KRB5_KTNAME
>>>>>> #KRB5RCACHETYPE=none
>>>>>> #export KRB5RCACHETYPE
>>>>>> ;;
>>>>>> stop)
>>>>>>
>>>>>> /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf
>>>>>> echo "Shutting down squid secondary process"
>>>>>> /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf
>>>>>> echo "Shutting down squid main process"
>>>>>> # The below line is to automatically stop apache at system shutdown
>>>>>> /usr/sbin/httpd -k stop
>>>>>> ;;
>>>>>> esac
>>>>>>
>>>>>>
>>>>>> Thanking you & regards,
>>>>>>
>>>>>> Bilal
>>>>>>
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> From: gigoz_at_msn.com
>>>>>>> To: squid-users_at_squid-cache.org
>>>>>>> Date: Tue, 18 May 2010 06:02:35 +0000
>>>>>>> Subject: [squid-users] SELINUX issue
>>>>>>>
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> When I change SELinux from permissive mode to enforcing mode, my multiple-instance setup fails to start. Please guide me on how to overcome this.
>>>>>>>
>>>>>>> -----------------------Excerpts from cache.log-----------------
>>>>>>>
>>>>>>> 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:51| Store rebuilding is 7.91% complete
>>>>>>> 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries)
>>>>>>> 2010/05/18 10:31:52| Finished rebuilding storage from disk.
>>>>>>> 2010/05/18 10:31:52| 51794 Entries scanned
>>>>>>> 2010/05/18 10:31:52| 0 Invalid entries.
>>>>>>> 2010/05/18 10:31:52| 0 With invalid flags.
>>>>>>> 2010/05/18 10:31:52| 51794 Objects loaded.
>>>>>>> 2010/05/18 10:31:52| 0 Objects expired.
>>>>>>> 2010/05/18 10:31:52| 0 Objects cancelled.
>>>>>>> 2010/05/18 10:31:52| 0 Duplicate URLs purged.
>>>>>>> 2010/05/18 10:31:52| 0 Swapfile clashes avoided.
>>>>>>> 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec).
>>>>>>> 2010/05/18 10:31:52| Beginning Validation Procedure
>>>>>>> 2010/05/18 10:31:52| Completed Validation Procedure
>>>>>>> 2010/05/18 10:31:52| Validated 103614 Entries
>>>>>>> 2010/05/18 10:31:52| store_swap_size = 913364
>>>>>>> 2010/05/18 10:31:52| storeLateRelease: released 0 objects
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1
>>>>>>> 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed
>>>>>>> 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p'
>>>>>>> 2010/05/18 10:31:52| always_direct = 0
>>>>>>> 2010/05/18 10:31:52| never_direct = 1
>>>>>>> 2010/05/18 10:31:52| timedout = 0
>>>>>>> 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
>>>>>>>
>>>>>>> --------------------------------------------------------------------------------------------
>>>>>>>
>>>>>>>
>>>>>>> regards,
>>>>>>>
>>>>>>> Bilal
Received on Wed May 19 2010 - 11:27:02 MDT
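The thread ends with two open points: Tiery's remark that hand-edited file_contexts entries are lost on a policy update, and Bilal's question whether relabelling squid as unconfined_exec_t is a security issue. The script below is an added example, not code from the thread or from the Squid project: it emits the equivalent persistent 'semanage fcontext' rules for the /usr/local/squid entries Tiery listed, and checks 'ps -eZ' output for squid processes that have dropped out of the squid_t domain. It assumes the CentOS 5/6 era semanage, whose -f option takes the same ls-style flag ('-d', '--') that file_contexts uses; newer releases expect a single letter there.

```shell
#!/bin/sh
# Added example, not code from the thread. Instead of hand-editing
# file_contexts (Tiery notes those edits are lost on a policy update), emit
# persistent 'semanage fcontext' rules for the same entries, and verify from
# 'ps -eZ' output that squid really runs in squid_t rather than unconfined_t.
# Assumed: the /usr/local/squid layout from the thread; CentOS 5/6 semanage,
# whose -f option takes the ls-style flag ('-d', '--') used in file_contexts.

# One file_contexts entry -> one semanage command (printed, not executed).
# Usage: fc_to_semanage '<regex>' [-d|--] '<user>:<role>:<type>:<level>'
fc_to_semanage() {
  pattern=$1
  if [ $# -eq 3 ]; then ftype="-f $2"; ctx=$3; else ftype=""; ctx=$2; fi
  setype=$(printf '%s' "$ctx" | cut -d: -f3)   # keep only the SELinux type
  if [ -n "$ftype" ]; then
    printf "semanage fcontext -a %s -t %s '%s'\n" "$ftype" "$setype" "$pattern"
  else
    printf "semanage fcontext -a -t %s '%s'\n" "$setype" "$pattern"
  fi
}

# Read 'ps -eZ' output on stdin; print PID and domain of every squid/unlinkd
# process that is not in squid_t. Exit status 0 means all are confined.
check_squid_confined() {
  awk '$NF ~ /^(squid|unlinkd)$/ {
         split($1, c, ":")
         if (c[3] != "squid_t") { bad++; print $2, c[3] }
       }
       END { exit (bad > 0) }'
}

# Constructed sample: the first line is what the chcon unconfined_exec_t
# workaround from the thread produces; the other two are healthy.
SAMPLE_PS='system_u:system_r:unconfined_t 3173 ? 00:00:00 squid
system_u:system_r:squid_t 3175 ? 00:00:00 squid
system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd'

main() {
  fc_to_semanage '/usr/local/squid/etc(/.*)?' system_u:object_r:squid_conf_t:s0
  fc_to_semanage '/usr/local/squid/var/logs(/.*)?' system_u:object_r:squid_log_t:s0
  fc_to_semanage '/usr/local/squid/var/cache(/.*)?' system_u:object_r:squid_cache_t:s0
  fc_to_semanage /usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0
  fc_to_semanage '/usr/local/squid/var/logs/squid\.pid' -- system_u:object_r:squid_var_run_t:s0
  fc_to_semanage /usr/local/squid -d system_u:object_r:bin_t:s0
  echo 'restorecon -Rv /usr/local/squid   # then apply the labels'
  # On the real host: ps -eZ | check_squid_confined
  printf '%s\n' "$SAMPLE_PS" | check_squid_confined || echo 'WARNING: squid not confined to squid_t'
}
main
```

Review the printed semanage lines before piping them to sh; once applied, the rules live in the policy store and survive a policy package update, which a direct edit of file_contexts does not.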
