Hey Mike,
I was wondering if you have these Selinux rules in binary or another
format(src) which I can try to use and package them in RPM?
Thanks,
Eliezer
On 06/27/2014 12:08 AM, Mike wrote:
> After some deeper digging, it seems selinux was only temporarily
> disabled (via " echo 0 >/selinux/enforce"), not disabled in the primary
> config file. But this actually allowed me to track down a fix to keep
> using selinux (which we definitely need for server security). I am going
> to add it here for others that may run into the same problem (in RedHat,
> CentOS and Scientific Linux) and how to fix it. This allows us to use
> ssl-bump with selinux. I had one where "pinger" was also having an issue
> so I am including it here.
> Scientific Linux 6.5 (would also work for RedHat and CentOS 6)
> squid 3.4.5 and 3.4.6
>
> Edit /etc/selinux/config and change to “permissive”. Then cycle the
> audit logs:
> cd /var/log/audit/
> mv audit.log audit.log.0
> touch audit.log
>
> Thenreboot the system and let selinux come back up and catch the items
> in its log (usually ssl_crtd and pinger) located at
> /var/log/audit/audit.log. Many times squid will try to start but end up
> with “the ssl_crtd helpers are crashing too quickly” which will shut the
> squid service down.
>
> *
>
> Install the needed tool for selinux: yum install
> policycoreutils-python (which will also install a few other needed
> dependencies).
>
> ssl_crtd: Start in /tmp/ folder since we will not need these files for
> long.
>
> *
>
> grep ssl_crtd /var/log/audit/audit.log | audit2allow -m
> ssl_crtdlocal > ssl_crtdlocal.te
>
> o
>
> outputs the suggested settings into the file ssl_crtdlocal.te,
> which we will review below in “cat”
>
> *
>
> cat ssl_crtdlocal.te # to review the created file and show what will
> be done
>
> *
>
> grep ssl_crtd /var/log/audit/audit.log | audit2allow -M ssl_crtdlocal
>
> o
>
> Note the capital M, this makes the needed file, ready for
> selinux to import, and then the next command below actually
> enables it.
>
> *
>
> semodule -i ssl_crtdlocal.pp
>
>
> 1.
>
> Now for pinger (if needed):
>
> *
>
> grep pinger /var/log/audit/audit.log | audit2allow -m pingerlocal >
> pingerlocal.te
>
> *
>
> cat pingerlocal.te # to review the created file and show what will
> be done
>
> *
>
> grep pinger /var/log/audit/audit.log | audit2allow -M pingerlocal
>
> *
>
> semodule -i pingerlocal.pp
>
> After those are entered, go back in and edit /etc/selinux/config and
> change to “enforcing”. Reboot the system one more time and watch the
> logs for any other entries relating to squid like “ssl_crtd” or “pinger”
> (look at the comm="ssl_crtd" aspect) to see if any other squid based
> items need an allowance:
>
> *
>
> type=AVC msg=audit(1403808338.272:24): avc: denied { read } for
> pid=1457 comm="ssl_crtd" name="index.txt" dev=dm -0 ino=5376378
> scontext=system_u:system_r:squid_t:s0
> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>
> o
>
> -OR-
>
> *
>
> type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2
> success=yes exit=3 a0=cfe2e8 a1=0 a2=1b6 a3=0 items=0 ppid=1454
> pid=1457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
> comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd"
> subj=system_u:system_r:squid_t:s0 key=(null)
>
>
>
> Thanks all
> Mike
Received on Wed Jul 09 2014 - 01:32:50 MDT
This archive was generated by hypermail 2.2.0 : Wed Jul 09 2014 - 12:00:07 MDT