[squid-users] configuring Eliezer RPMs for CentOS 6 for SMP

From: <fernando_at_lozano.eti.br>
Date: Thu, 08 May 2014 15:15:02 -0300

Hi there,

First of all, thanks Elizer for providing the packages!

The package installed and run fine with the default, single process
config. I'm trying to follow best-practices like keeping SELinux enabled
(enfocing) and I was happy to see the packages follow the standard
targete policies included on CentOS 6.5.

But, when I tried a SMP setup, I got some SELinux AVCs.

Those were related to the socket files used for IPC betweeb workers and
coordinator, and shm files for shared cache_mem and (i guess) rock
store.

Here are the revelant settings from my squid.conf (this is my test
machine, the production one has more RAM, cores and disk):

--- SNIP ---
workers 2
cache_mem 1024 MB
cache_dir rock /cache/shared 2000 min-size=1 max-size=31000
max-swap-rate=250 swap-timeout=350
cache_dir aufs /cache/worker${process_number} 2000 16 256
min-size=31001
max-size=346030080
--- SNIP ---

I followed standard advice and run audit2allow to build aditional
SELinux
policy modules. After everything was working fine, I took the time to
build and test a consolidated policy module. Here it is:

--- squid-snmp.te ---
module squid-smp 1.0;

# for ipc channels between kids/workers
require {
        type var_run_t;
        type squid_t;
        class sock_file { create write };
}
allow squid_t var_run_t:sock_file { create write };
allow squid_t var_run_t:sock_file create;

# for shm used by cache_mem and rock store(?)
require {
        type squid_t;
        type tmpfs_t;
        class dir { remove_name add_name write };
        class file { unlink create };
}
allow squid_t tmpfs_t:dir { remove_name write add_name };
allow squid_t tmpfs_t:file { unlink create };
--- squid-snmp.te ---

To compile and install this policy module, please run:

# checkmodule -M -m -o squid-smp.mod squid-smp.te
# semodule_package -o squid-smp.pp -m squid-smp.mod
# semodule -i squid-smp.pp

I hope Eliezer can add this to the next update to his packages, so
others can try SMP without fighting with SELinux.

But, as I'm not so experienced with SELinux, I'd be glad to receive
advice on how to make this policy more strict, more "secure".

For example, I guess I could use squid_var_run_t instead of using
var_run_t, to have a more specific fcontext for squid IPC files. I know
how to do this manually:

# semanage fcontext -a -t squid_var_run_t "/var/run/squid(/.*)?"
# restorecon -Fv /var/run/squid/

But I don't know hot to add this to the policy file.

I also guess I could be more strict about the shm files (tmpfs_t) but I
don't know how to do this.

Another hurdle I had with the RPM packages was about setting ulimit
nofile. I'm used to add them to /etc/security/limits.conf and this work
fo r CentOS init.d scripts, but not for the squid script.

My solution was to a line to /etc/sysconfig/squid:
ulimit -n 32768

But maybe I should edit the init.d/squid script to use function
daemon() from /etc/init.d/functions or runuser like other CentOS init.d
scripts do.

Well, I hope my findins and ideas can be useful to ther CentOS/RHEL
admins, and someone there can help me making the squid RPM more "Red
Hat-ish".

[]s, Fernando Lozano
Received on Thu May 08 2014 - 18:15:12 MDT

This archive was generated by hypermail 2.2.0 : Thu May 22 2014 - 12:00:06 MDT