How to add SELinux labels to a custom squid cache directory?

asked 2017-05-06 09:37:49 -0500

marcinek

I decided to configure my squid (running on RPI 3B, Fedora 25 Server) to use a custom cache directory. Just for the sake of education I'm trying to live with SELinux set to enforcing. I've found lots of labels in /etc/selinux/targeted/contexts/files including the /var/spool/squid and /var/cache/squid entries:

[root@malina files]# grep squid file_contexts file_contexts.local
[ ... ]
file_contexts:/var/cache/squid(/.*)?    system_u:object_r:squid_cache_t:s0
file_contexts:/var/spool/squid(/.*)?    system_u:object_r:squid_cache_t:s0
[...]
file_contexts:/usr/libexec/squid/cache_swap\.sh --  system_u:object_r:squid_exec_t:s0

I assume that my /squid/cache filesystem should be labeled the same way as /var/spool/squid so I added a local context like this:

semanage fcontext -a -t squid_cache_t "/squid/cache(/.*)?"

And got the following entry in my file_contexts.local file:

/squid/cache(/.*)?    system_u:object_r:squid_cache_t:s0

I have run squid -z previously and got swap dirs created, so I ran restorecon -R -v /squid/cache and got these labels on my swap directories:

[root@malina files]# ls -ldZ /squid/cache/
drwxr-x---. 18 squid squid unconfined_u:object_r:squid_cache_t:s0 166 May  5 14:50 /squid/cache/

Now, when I start squid, I get the following entries in my /var/log/audit/audit.log file:

type=AVC msg=audit(1494081141.015:285): avc:  denied  { search } for  pid=1840 comm="cache_swap.sh" name="/" dev="sda1" ino=96 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494081141.607:286): avc:  denied  { search } for  pid=1845 comm="squid" name="/" dev="sda1" ino=96 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494081141.607:287): avc:  denied  { search } for  pid=1845 comm="squid" name="/" dev="sda1" ino=96 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1494081141.671:288): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=squid comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Am I missing something? Here are the last few lines from journalctl -xe:

-- Unit squid.service has begun starting up.
May 06 16:32:21 malina audit[1840]: AVC avc:  denied  { search } for  pid=1840 comm="cache_swap.sh" name="/" dev="sda1"
May 06 16:32:21 malina audit[1845]: AVC avc:  denied  { search } for  pid=1845 comm="squid" name="/" dev="sda1" ino=96 
May 06 16:32:21 malina audit[1845]: AVC avc:  denied  { search } for  pid=1845 comm="squid" name="/" dev="sda1" ino=96 
May 06 16:32:21 malina squid[1845]: Failed to make swap directory /squid/cache: (13) Permission denied
May 06 16:32:21 malina cache_swap.sh[1840]: init_cache_dir /squid/cache...
May 06 16:32:21 malina systemd[1]: squid.service: Control process exited, code=exited status=1
May 06 16:32:21 malina systemd[1]: Failed to start Squid caching proxy.
-- Subject: Unit squid.service has failed
-- Defined-By: systemd
-- Support: http ...

1 Answer


answered 2017-05-08 03:01:41 -0500

marcinek

It looks like I'm answering myself... I managed to figure out how to run squid on a custom cache dir with SELinux enabled, but I'm not sure if it is a proper thing to do.

I've found two issues:

1. I've noticed that previously I had changed only the "type" part of the file context, leaving unconfined_u as the user. So I changed the context again:

semanage fcontext -m -t squid_cache_t -s system_u "/squid/cache(/.*)?"

But squid failed to start with the same audit messages as before. That leads to the second issue:

2. The AVC avc: denied { search } entries in audit.log suggest that squid cannot enter the directory. This time I decided to create a policy that enables squid to do what was denied:

[root@malina ~]# grep squid /var/log/audit/audit.log | audit2allow -M my_squid
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my_squid.pp

[root@malina ~]# semodule -i my_squid.pp

Now it works like a charm, but the question remains: should I work more on file contexts to avoid the need to create a custom policy, or is such a policy an absolute necessity that cannot be avoided?

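An added example (my code, not from the post or from the SELinux/Squid tooling) that parses the AVC records quoted above and checks which paths the local fcontext rule actually covers. It assumes the sda1 filesystem is mounted at /squid: name="/" on dev="sda1" is the root directory of that filesystem, which the pattern /squid/cache(/.*)? does not match, so restorecon leaves it unlabeled_t and a label (not an allow rule) is the fix; the rule audit2allow derives from this denial would let squid_t search every unlabeled_t directory, not just this one.

```python
import re

# Constructed sample: abridged copies of two records quoted in the question (not new data).
AUDIT_LINES = [
    'type=AVC msg=audit(1494081141.015:285): avc:  denied  { search } for  pid=1840 '
    'comm="cache_swap.sh" name="/" dev="sda1" ino=96 scontext=system_u:system_r:squid_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0',
    "type=SERVICE_START msg=audit(1494081141.671:288): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=squid comm=\"systemd\" res=failed'",
]

# The local rule the question adds with semanage; fcontext patterns are anchored regexes.
FCONTEXT_RULES = {r"/squid/cache(/.*)?": "squid_cache_t"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs, quoted or bare


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for any other record type."""
    if not line.startswith("type=AVC "):
        return None
    avc = {k: v.strip('"') for k, v in KV.findall(line)}
    perms = re.search(r"\{\s*(.*?)\s*\}", line)  # the { search } permission set
    avc["perms"] = perms.group(1).split() if perms else []
    avc["ttype"] = avc["tcontext"].split(":")[2]  # target type, e.g. unlabeled_t
    return avc


def fcontext_type(path, rules=FCONTEXT_RULES):
    """Type the rules would give path (whole-path match, as matchpathcon does); None if uncovered."""
    for pattern, setype in rules.items():
        if re.fullmatch(pattern, path):
            return setype
    return None


def triage(avc, mount_point):
    """Classify a denial as a labeling gap (fix with semanage/restorecon) or a policy gap.

    name="/" with a dev= field is the root directory of that filesystem, i.e. the
    mount point; mount_point is where the caller knows that device is mounted
    (assumed to be /squid for the question's sda1).
    """
    target = mount_point if avc.get("name") == "/" else avc.get("name")
    verdict = "relabel" if avc["ttype"] == "unlabeled_t" else "policy"
    # covered_by_rule is None when no fcontext rule reaches the target, so
    # restorecon cannot fix it until a rule for that path is added.
    return {"verdict": verdict, "target": target, "covered_by_rule": fcontext_type(target)}
```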
