[XCSSA] Struggling with Squid + SquidGuard

xcssa@xcssa.org xcssa@xcssa.org
Sun, 29 Jul 2007 21:34:38 -0500


OK Next step..

SELinux was the culprit, disabling with "setenforce 0" allows squid to
start squidguard. However, when SELinux is re-enabled squid errors start
filling /var/log/messages again... After much digging around I stumbled
upon the "audit2allow" command and was able to generate some rules.
----------
[root@listener ~]# audit2allow -l -i /var/log/messages
allow initrc_su_t xauth_exec_t:file execute;
allow pam_console_t file_t:dir search;
allow squid_t port_t:tcp_socket name_connect;
allow squid_t usr_t:file { append write };
----------
I am assuming this is compiled from the errors in /var/log/messages such
as the one below.

---------
Jul 29 21:18:02 listener kernel: audit(1185761882.597:329): avc:  denied  { append } for  pid=4709 comm="squidGuard" name="squidGuard.log" dev=hda3 ino=1833262 scontext=system_u:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
----------

Now the audit2allow man page instructs one to use the checkmodule
command which appears to be missing in my FC5 setup.

Further searching leads me to believe there were some changes in SELinux
for FC5 that may have changed how rules are read and enforced.

Any input at this point greatly appreciated.. Squid and Squidguard are
working OK together, but once setenforce is enabled there are no more
entries in the squidguard logs, and eventually the squid processes begin
failing when they time out and restart (and can't run squidguard).

This has to be beatable I just need a nudge in the right direction.

Regards

RD


xcssa-admin@xcssa.org wrote:
> On Thursday 26 July 2007 01:33, xcssa-admin@xcssa.org wrote:
>   
>> Tweeks,
>>
>> As usual you are the silver bullet.. So without having to install seedit
>> for one app how can I quickly create a "context" if that is correct to
>> allow squid to run squidGuard..?
>>     
>
> So it was seLinux then?  Yeah.. only so many things on a stock can prevent an 
> executable from executing.
>
> Where did you get your Squidguard install from?  If there's a repo version of 
> it.. I would use that first in hopes of getting a preconfigured context... as 
> I've never manually created contexts myself.  
>
> But yeah.. there is a GUI.. Check out "system-config-securitylevel" (on fedora 
> anyway).
>
> Tweeks
>
>   
>> RD
>>
>> xcssa-admin@xcssa.org wrote:
>>     
>>> On Wednesday 25 July 2007 03:26, xcssa-admin@xcssa.org wrote:
>>>       
>>>> WARNING: Cannot run '/usr/local/bin/squidGuard' process
>>>>         
>>> If seLinux is turned on, it will report like this:
>>> 	# getenforce
>>> 	Enforcing
>>>
>>> If it's "enforcing", try shutting it off for a sec:
>>> 	# setenforce 0 ; getenforce
>>> 	Permissive
>>>
>>> Now test your squid.. if it's still not working.. then there may still be
>>> some permission problems.  Make sure you're running it as the user
>>> "squid".
>>>
>>> Just before trying to run it again, run :
>>> 	# tail -f /var/log/messages
>>>
>>> run it.. and then send us the output of the tail..
>>>
>>> Tweeks
>>>
>>>
>>>
>>> Confidentiality Notice: This e-mail message (including any attached or
>>> embedded documents) is intended for the exclusive and confidential use of
>>> the individual or entity to which this message is addressed, and unless
>>> otherwise expressly indicated, is confidential and privileged information
>>> of Rackspace Managed Hosting. Any dissemination, distribution or copying
>>> of the enclosed material is prohibited. If you receive this transmission
>>> in error, please notify us immediately by e-mail at abuse@rackspace.com,
>>> and delete the original message. Your cooperation is appreciated.
>>>
>>> _______________________________________________
>>> XCSSA mailing list
>>> XCSSA@xcssa.org
>>> http://xcssa.org/mailman/listinfo/xcssa
>>>       
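The allow rules RD pasted are exactly what falls out of parsing AVC lines like the one quoted in the message. The Python below is an added example, not code from the thread or from the audit2allow tool itself: it parses a few constructed denial lines (the first is the thread's own entry rejoined onto one line; the other two are made up in the same format, plus one non-AVC line that must be ignored), merges the permissions per (source type, target type, class) and renders the `.te` source that `checkmodule` compiles. `SAMPLE_LOG`, `parse_denials`, `te_module` and the module name `squidguard_local` are this example's own names.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the thread, rejoined
# onto one line; lines 2-3 are made up in the same format; line 4 is noise.
SAMPLE_LOG = """\
Jul 29 21:18:02 listener kernel: audit(1185761882.597:329): avc:  denied  { append } for  pid=4709 comm="squidGuard" name="squidGuard.log" dev=hda3 ino=1833262 scontext=system_u:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
Jul 29 21:18:02 listener kernel: audit(1185761882.601:330): avc:  denied  { write } for  pid=4709 comm="squidGuard" name="squidGuard.log" dev=hda3 ino=1833262 scontext=system_u:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
Jul 29 21:18:05 listener kernel: audit(1185761885.120:331): avc:  denied  { name_connect } for  pid=4702 comm="squid" dest=8081 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Jul 29 21:18:05 listener sshd[123]: Accepted publickey for root from 10.0.0.5
"""

# One AVC denial: the permission set in braces, then the source and target
# security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:mls] -> type (the part a TE rule refers to)."""
    return context.split(":")[2]


def parse_denials(text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the sshd line)
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def format_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule; a single permission needs no braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, body)


def allow_rules(text):
    """The same list audit2allow prints for this input, in sorted order."""
    return [format_rule(s, t, c, p) for (s, t, c), p in sorted(parse_denials(text).items())]


def te_module(text, name="squidguard_local", version="1.0"):
    """Full .te source (module header + require block + rules) for checkmodule -M -m."""
    denials = parse_denials(text)
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in denials.items():
        types.update((s, t))
        classes[c].update(perms)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Write the result to squidguard_local.te and build it with checkmodule.
    print(te_module(SAMPLE_LOG))
```

`checkmodule` ships in the checkpolicy package (and `semodule` in policycoreutils), so the missing binary is an uninstalled package rather than a policy-format change. With it installed, the generated file is built and loaded with `checkmodule -M -m -o squidguard_local.mod squidguard_local.te`, `semodule_package -o squidguard_local.pp -m squidguard_local.mod` and `semodule -i squidguard_local.pp`, the same sequence that `audit2allow -M` automates. Read what each rule grants before loading it: the `usr_t` tcontext means squidGuard.log carries the generic /usr label, so `allow squid_t usr_t:file { append write }` lets squid write to any usr_t file, and `port_t:tcp_socket name_connect` lets it connect to any port without a specific label; relabeling the log file (and the port, if needed) is the narrower fix, and the allow rule is the fallback.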