Re: [squid-users] Squid exiting on its own at sys startup

From: Mike <mcsnv96_at_afo.net>
Date: Wed, 09 Jul 2014 09:44:25 -0500

Unfortunately no, because each system has minor differences; the desired
rules to be used by squid vary based on other programs and
interactions within the system. This is why I just typed them out here
so others can figure out why squid or pinger or ssl_crtd is getting
caught by selinux, and how to at least allow it through selinux, for
that specific system.

These rules are not set up via setsebool; instead they are installed
directly via semodule.

Mike

On 7/8/2014 8:30 PM, Eliezer Croitoru wrote:
> Hey Mike,
>
> I was wondering if you have these Selinux rules in binary or another
> format(src) which I can try to use and package them in RPM?
>
> Thanks,
> Eliezer
>
> On 06/27/2014 12:08 AM, Mike wrote:
>> After some deeper digging, it seems selinux was only temporarily
>> disabled (via " echo 0 >/selinux/enforce"), not disabled in the primary
>> config file. But this actually allowed me to track down a fix to keep
>> using selinux (which we definitely need for server security). I am going
>> to add it here for others that may run into the same problem (in RedHat,
>> CentOS and Scientific Linux) and how to fix it. This allows us to use
>> ssl-bump with selinux. I had one where "pinger" was also having an issue
>> so I am including it here.
>> Scientific Linux 6.5 (would also work for RedHat and CentOS 6)
>> squid 3.4.5 and 3.4.6
>>
>> Edit /etc/selinux/config and change to “permissive”. Then cycle the
>> audit logs:
>> cd /var/log/audit/
>> mv audit.log audit.log.0
>> touch audit.log
>>
>> Then reboot the system and let selinux come back up and catch the items
>> in its log (usually ssl_crtd and pinger) located at
>> /var/log/audit/audit.log. Many times squid will try to start but end up
>> with “the ssl_crtd helpers are crashing too quickly” which will shut the
>> squid service down.
>>
>> Install the needed tool for selinux: yum install
>> policycoreutils-python (which will also install a few other needed
>> dependencies).
>>
>> ssl_crtd: Start in /tmp/ folder since we will not need these files for
>> long.
>>
>> - grep ssl_crtd /var/log/audit/audit.log | audit2allow -m
>>   ssl_crtdlocal > ssl_crtdlocal.te
>>   (outputs the suggested settings into the file ssl_crtdlocal.te,
>>   which we will review below in “cat”)
>>
>> - cat ssl_crtdlocal.te # to review the created file and show what will
>>   be done
>>
>> - grep ssl_crtd /var/log/audit/audit.log | audit2allow -M
>>   ssl_crtdlocal
>>   (Note the capital M, this makes the needed file, ready for
>>   selinux to import, and then the next command below actually
>>   enables it.)
>>
>> - semodule -i ssl_crtdlocal.pp
>>
>> Now for pinger (if needed):
>>
>> - grep pinger /var/log/audit/audit.log | audit2allow -m pingerlocal >
>>   pingerlocal.te
>>
>> - cat pingerlocal.te # to review the created file and show what will
>>   be done
>>
>> - grep pinger /var/log/audit/audit.log | audit2allow -M pingerlocal
>>
>> - semodule -i pingerlocal.pp
>>
>> After those are entered, go back in and edit /etc/selinux/config and
>> change to “enforcing”. Reboot the system one more time and watch the
>> logs for any other entries relating to squid like “ssl_crtd” or “pinger”
>> (look at the comm="ssl_crtd" aspect) to see if any other squid based
>> items need an allowance:
>>
>>
>> type=AVC msg=audit(1403808338.272:24): avc: denied { read } for
>> pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378
>> scontext=system_u:system_r:squid_t:s0
>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>>
>> -OR-
>>
>> type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2
>> success=yes exit=3 a0=cfe2e8 a1=0 a2=1b6 a3=0 items=0 ppid=1454
>> pid=1457 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
>> egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295
>> comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd"
>> subj=system_u:system_r:squid_t:s0 key=(null)
>>
>> Thanks all
>> Mike
>
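Added example (not from the thread or from the squid project): a small parser for the AVC lines the procedure above greps out of /var/log/audit/audit.log. It groups the denials for one helper (comm="ssl_crtd" or "pinger") by source type, target type and object class and renders the allow rules audit2allow -m would propose, so the "cat ssl_crtdlocal.te" review step can be done against the raw log before anything is built with -M and installed with semodule. The audit log below is constructed: it contains the AVC record quoted in the thread plus invented records for the other cases.

```python
import re
from collections import defaultdict

# Constructed sample log: the AVC line from the thread (first line), a SYSCALL
# record that must be ignored, and two invented denials (write/open, pinger).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1403808338.272:24): avc:  denied  { read } for  pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1403808338.272:24): arch=c000003e syscall=2 success=yes exit=3 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd" subj=system_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1403808339.001:25): avc:  denied  { write open } for  pid=1457 comm="ssl_crtd" name="index.txt" dev=dm-0 ino=5376378 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1403808340.500:26): avc:  denied  { create } for  pid=1460 comm="pinger" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=rawip_socket
"""

# Fields of an AVC denial record: permissions, comm, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+).*?'
    r'tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    # An SELinux context is user:role:type:level; the TE rule needs the type.
    return context.split(":")[2]


def collect_denials(log_text, comm):
    """Group AVC denials for one helper by (source type, target type, class),
    merging permission sets. Non-AVC records (e.g. SYSCALL) are skipped."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue
        key = (_type_of(m.group("scontext")), _type_of(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def allow_rules(denials):
    """Render denials as TE allow rules in audit2allow's style: 'self' when the
    target type equals the source type, braces only for several permissions."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if ttype == stype else ttype
        perm_list = sorted(perms)
        perm_text = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for helper in ("ssl_crtd", "pinger"):
        print("\n".join(allow_rules(collect_denials(SAMPLE_AUDIT_LOG, helper))))
```

Against a real system, read the log with open("/var/log/audit/audit.log") instead of the constructed string; the output is the rule list to compare with the .te file before semodule -i.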
Received on Wed Jul 09 2014 - 14:44:30 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 09 2014 - 12:00:07 MDT