[squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)

Walter H. walter.h at mathemainzel.info
Tue Oct 18 12:56:03 UTC 2016


On Tue, October 18, 2016 13:31, Garri Djavadyan wrote:
> On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
>> Hello,
>>
>> just in case anybody wants to run Squid 3.5.x on CentOS
>> with SELinux enforcing,
>>
>> here is the semodule
>>
>> <squid_update.tt>
>> module squid_update 1.0;
>>
>> require {
>>         type squid_conf_t;
>>         type squid_t;
>>         type var_t;
>>         class file { append open read write getattr lock
>> execute_no_trans };
>> }
>>
>> #============= squid_t ==============
>> allow squid_t squid_conf_t:file execute_no_trans;
>> allow squid_t var_t:file { append open read write getattr lock };
>> </squid_update.tt>
>>
>> and do the following:
>>
>> checkmodule -M -m -o squid_update.mod squid_update.tt
>> semodule_package -o squid_update.pp -m squid_update.mod
>> semodule -i squid_update.pp
>
> Hi,
>
> Have you tried to use default policy and relabel target dirs/files
> using types dedicated for squid? For example:
>
> # semanage fcontext -l | grep squid
> ...

my output differs a little bit; and yes, the target files/dirs are labeled
with the dedicated types;

don't ask me why, but I have two CentOS 6.x VMs (each fully updated), one with
the official package (release 3.1.23) and one with this 3.5.20 RPM package;

with the 3.1.x there is no problem with
<squid.conf>
url_rewrite_program /etc/squid/url-rewrite-program.pl
url_rewrite_children 8
url_rewrite_host_header on
url_rewrite_access allow all
</squid.conf>
but with 3.5.x there is an access-denied error (shown in /var/log/audit/audit.log)
and squid doesn't start;

specific to the 3.5.x release, I added a certificate validator helper,
which also has problems ...

with this semodule package everything works fine ...

so there must be something different, between these two releases;

with SELinux disabled or permissive there is no need for this semodule
package;

Greetings,
Walter
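Added example (not part of this thread, and not Squid's or the RPM's own code): a small triage script for the kind of audit.log denials described above. It parses AVC lines, separates denials that are better fixed by relabeling (a helper living under /etc/squid carrying squid_conf_t, or helper data sitting on the generic var_t type) from those that really need a policy rule, and generates a TE module of the same shape as the one posted. The AVC lines are constructed to mirror the situation in the thread; the suggested target types (bin_t for helpers, squid_cache_t for helper data) are assumptions taken from the stock squid policy and should be checked against `semanage fcontext -l | grep squid` on the actual host.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): triage SELinux AVC denials
# for squid before choosing between "relabel the file" and "write an allow rule".
# The AVC lines below are CONSTRUCTED to mirror the denials described in the
# thread (helper under /etc/squid, helper state under /var) plus one generic case.
AUDIT_SAMPLE='type=AVC msg=audit(1476794163.101:401): avc:  denied  { execute_no_trans } for  pid=2301 comm="squid" path="/etc/squid/url-rewrite-program.pl" dev="dm-0" ino=131455 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file
type=AVC msg=audit(1476794163.202:402): avc:  denied  { read write open } for  pid=2305 comm="url-rewrite-pro" path="/var/helper-state/rewrite.db" dev="dm-0" ino=262911 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1476794163.303:403): avc:  denied  { write } for  pid=2301 comm="squid" name="backend.sock" dev="dm-0" ino=393266 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file'

# One line per denial: source_type target_type class perms(comma-separated) path
avc_summary() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ {
      match($0, /\{[^}]*\}/)
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      src = tgt = cls = path = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        else if ($i ~ /^path=/)     { path = substr($i, 6); gsub(/"/, "", path) }
      }
      print src, tgt, cls, perms, path
    }'
}

# Prefer a narrower label over a broad allow rule: "allow squid_t var_t:file ..."
# lets squid reach every var_t file on the box, while relabeling touches only
# the files squid actually needs. The target types used here are ASSUMPTIONS
# from the stock squid policy (bin_t for helpers, squid_cache_t for writable data).
suggest_fix() {
  avc_summary "$1" | while read -r src tgt cls perms path; do
    case "$perms" in
      *execute*)
        # A helper script labeled as configuration: give it an executable type
        echo "RELABEL $path as bin_t: semanage fcontext -a -t bin_t '$path' && restorecon -v '$path'"
        continue ;;
    esac
    case "$tgt" in
      var_t|etc_t|usr_t|default_t|unlabeled_t)
        d=$(dirname "$path")
        echo "RELABEL $d with a squid type: semanage fcontext -a -t squid_cache_t '$d(/.*)?' && restorecon -Rv '$d'" ;;
      *)
        echo "ALLOW $src $tgt:$cls { $(printf '%s' "$perms" | tr ',' ' ') }  (no squid type fits; needs a local module)" ;;
    esac
  done
}

# Fallback: emit a TE module (same shape as the posted squid_update.tt) covering
# every denial in the log. Feed the output to checkmodule/semodule_package/semodule.
gen_te_module() {
  avc_summary "$2" | awk -v name="$1" '
    {
      types[$1] = 1; types[$2] = 1
      n = split($4, perms, ",")
      for (i = 1; i <= n; i++) {
        classperm[$3 SUBSEP perms[i]] = 1
        ruleperm[$1 " " $2 ":" $3 SUBSEP perms[i]] = 1
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (t in types) printf "\ttype %s;\n", t
      for (k in classperm) { split(k, p, SUBSEP); cls[p[1]] = cls[p[1]] " " p[2] }
      for (c in cls) printf "\tclass %s {%s };\n", c, cls[c]
      printf "}\n\n"
      for (k in ruleperm) { split(k, p, SUBSEP); rule[p[1]] = rule[p[1]] " " p[2] }
      for (r in rule) printf "allow %s {%s };\n", r, rule[r]
    }'
}

# Stand-alone run: show the triage first, then the fallback module text.
suggest_fix "$AUDIT_SAMPLE"
gen_te_module squid_local "$AUDIT_SAMPLE"
```

On a real host replace `AUDIT_SAMPLE` with `ausearch -m avc -c squid --raw` output; the point of the triage step is that the first two denials disappear after a relabel, leaving a much smaller module (or none) to install with `semodule -i`.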