[XCSSA] Struggling with Squid + SquidGuard

xcssa@xcssa.org
Sun, 29 Jul 2007 23:03:44 -0500


Well Richard.. If you installed squidguard from an official FC6/FC7 
repository, then it should have come with the appropriate selinux targeted 
context files already included:
$ rpm -ql squidGuard-1.2.0-15.fc7.i386.rpm
package squidGuard-1.2.0-15.fc7.i386.rpm is not installed
[tweeks@roadwarrior tmp]$ rpm -qpl squidGuard-1.2.0-15.fc7.i386.rpm
/etc/cron.daily/squidGuard
/etc/logrotate.d/squidGuard
/etc/rc.d/init.d/squidGuard
/etc/rc.d/init.d/transparent-proxying
/etc/selinux/targeted/src/policy/domains/program/squidGuard.te
/etc/selinux/targeted/src/policy/file_contexts/program/squidGuard.fc
/etc/squid/squidGuard.conf
/usr/bin/hostbyname
/usr/bin/sgclean
/usr/bin/squidGuard
...

(the RPM with the targeted policy files is available from the Fedora Extras 
channel)

Tweeks


On Sunday 29 July 2007 21:34, xcssa-admin@xcssa.org wrote:
> OK Next step..
>
> SELinux was the culprit, disabling with "setenforce 0" allows squid to
> start squidguard. However, when selinux is re-enabled squid errors start
> filling /var/log/messages again... After much digging around stumbled
> upon the "audit2allow" command and was able to generate some rules.
> ----------
> [root@listener ~]# audit2allow -l -i /var/log/messages
> allow initrc_su_t xauth_exec_t:file execute;
> allow pam_console_t file_t:dir search;
> allow squid_t port_t:tcp_socket name_connect;
> allow squid_t usr_t:file { append write };
> ----------
> I am assuming this is compiled from the errors in /var/log/messages such
> as the one below.
>
> ---------
> Jul 29 21:18:02 listener kernel: audit(1185761882.597:329): avc:  denied  { append } for  pid=4709 comm="squidGuard" name="squidGuard.log" dev=hda3 ino=1833262 scontext=system_u:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
> ----------
>
> Now the audit2allow man page instructs one to use the checkmodule
> command which appears to be missing in my FC5 setup.
>
> Further searching leads me to believe there were some changes in Selinux
> for FC5 that may have changed how rules are read and enforced.
>
> Any input at this point greatly appreciated.. Squid and Squidguard are
> working OK together but once setenforce is enabled no more entries in
> the squidguard logs and eventually the squid processes begin failing
> when they timeout and restart (and can't run squidguard).
>
> This has to be beatable I just need a nudge in the right direction.
>
> Regards
>
> RD
>
> xcssa-admin@xcssa.org wrote:
> > On Thursday 26 July 2007 01:33, xcssa-admin@xcssa.org wrote:
> >> Tweeks,
> >>
> >> As usual you are the silver bullet.. So without having to install seedit
> >> for one app how can I quickly create a "context" if that is correct to
> >> allow squid to run squidGuard..?
> >
> > So it was seLinux then?  Yeah.. only so many things on a stock can
> > prevent an executable from executing.
> >
> > Where did you get your Squidguard install from?  If there's a repo version
> > of it.. I would use that first in hopes of getting a preconfigured
> > context... as I've never manually created contexts myself.
> >
> > But yeah.. there is a GUI.. Check out "system-config-securitylevel" (on
> > fedora anyway).
> >
> > Tweeks
> >
> >> RD
> >>
> >> xcssa-admin@xcssa.org wrote:
> >>> On Wednesday 25 July 2007 03:26, xcssa-admin@xcssa.org wrote:
> >>>> WARNING: Cannot run '/usr/local/bin/squidGuard' process
> >>>
> >>> If seLinux is turned on, it will report like this:
> >>> 	# getenforce
> >>> 	Enforcing
> >>>
> >>> If it's "enforcing", try shutting it off for a sec:
> >>> 	# setenforce 0 ; getenforce
> >>> 	Permissive
> >>>
> >>> Now test your squid.. if it's still not working.. then there may still
> >>> be some permission problems.  Make sure you're running it as the user
> >>> "squid".
> >>>
> >>> Just before trying to run it again, run :
> >>> 	# tail -f /var/log/messages
> >>>
> >>> run it.. and then send us the output of the tail..
> >>>
> >>> Tweeks
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> XCSSA mailing list
> >>> XCSSA@xcssa.org
> >>> http://xcssa.org/mailman/listinfo/xcssa
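The thread stops at "audit2allow printed rules, but checkmodule is missing". The script below is an added example, not code from the list or from the squidGuard package: a minimal audit2allow written in awk that turns AVC denial lines into allow rules in the same shape the thread shows, a generator for the .te module source that checkmodule needs, and the checkmodule / semodule_package / semodule steps that load it. The module name "squidguardlocal" is made up and the denial lines are constructed; the first is the one quoted in the thread, rejoined onto a single line.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal audit2allow in awk,
# plus the checkmodule/semodule_package/semodule steps that turn its output
# into a loadable policy module. The module name "squidguardlocal" and the
# sample denials below are constructed; the first denial is the one quoted
# in the thread, rejoined onto a single line.

AVC_SAMPLE='Jul 29 21:18:02 listener kernel: audit(1185761882.597:329): avc:  denied  { append } for  pid=4709 comm="squidGuard" name="squidGuard.log" dev=hda3 ino=1833262 scontext=system_u:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
Jul 29 21:18:02 listener kernel: audit(1185761882.598:330): avc:  denied  { write } for  pid=4709 comm="squidGuard" name="squidGuard.log" dev=hda3 ino=1833262 scontext=system_u:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
Jul 29 21:18:03 listener kernel: audit(1185761883.001:331): avc:  denied  { name_connect } for  pid=4710 comm="squid" dest=8080 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_to_allow: AVC denial lines on stdin -> one allow rule per
# (source type, target type, object class), permissions merged and sorted,
# in the same shape audit2allow prints.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type[:level]; the type is field 3
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (st == "" || tt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) if (p[j] != "") print st, tt ":" cls, p[j]
    }' | sort -u | awk '
    function flush() {
        if (prev == "") return
        if (n > 1) print "allow " prev " { " perms " };"
        else       print "allow " prev " " perms ";"
    }
    {
        key = $1 " " $2
        if (key != prev) { flush(); prev = key; perms = $3; n = 1 }
        else             { perms = perms " " $3; n++ }
    }
    END { flush() }'
}

# make_te_module NAME: allow rules on stdin -> policy module source (.te)
# with the require block that checkmodule insists on.
make_te_module() {
    awk -v name="$1" '
    /^allow / {
        line = $0
        sub(/^allow +/, "", line); sub(/ *; *$/, "", line)
        src = line;    sub(/ .*/, "", src)
        rest = line;   sub(/^[^ ]+ +/, "", rest)
        tgtcls = rest; sub(/ .*/, "", tgtcls)
        perms = rest;  sub(/^[^ ]+ +/, "", perms); gsub(/[{}]/, "", perms)
        split(tgtcls, tc, ":")
        types[src] = 1; types[tc[1]] = 1
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((tc[2], p[j]) in seen)) { seen[tc[2], p[j]] = 1; cperms[tc[2]] = cperms[tc[2]] " " p[j] }
        rules = rules $0 "\n"
    }
    END {
        print "module " name " 1.0;\n\nrequire {"
        for (t in types) print "\ttype " t ";"
        for (c in cperms) {
            if (split(cperms[c], q, " ") > 1) print "\tclass " c " {" cperms[c] " };"
            else                               print "\tclass " c cperms[c] ";"
        }
        print "}\n"
        printf "%s", rules
    }'
}

# build_and_load NAME: compile NAME.te and load it. checkmodule ships in the
# checkpolicy package; semodule_package and semodule in policycoreutils.
build_and_load() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 1; }
    done
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Demo on the constructed denials: the rules, then the module source.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | make_te_module squidguardlocal
```

On a box where checkmodule is missing, the package to install is checkpolicy; on releases where audit2allow supports -M it runs the checkmodule and semodule_package steps itself. Before loading anything, read what the rules grant: usr_t is the default label for nearly everything under /usr, so `allow squid_t usr_t:file { append write }` lets the squid domain write to most of /usr, not just squidGuard.log. The tighter fix is to give the log directory a log type and let the existing policy apply: for instance `semanage fcontext -a -t squid_log_t '/usr/local/squidGuard/log(/.*)?'` followed by `restorecon -R /usr/local/squidGuard/log` (that path is an assumption; the thread never states where squidGuard.log lives). The initrc_su_t and pam_console_t rules in the thread's audit2allow output have nothing to do with squid and should be left out of the module.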