Running strict/enforcing, latest Rawhide
squid and initrc need to create/write /var/log/squid/squid.out, etc.
Suggest adding:
allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
allow { squid_t initrc_t } squid_log_t:file create_file_perms;
tom
Tom,
Thanks a lot! I'll be back on Friday, and I'll try then.
j3d.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
----------------------------------------
Giuseppe Greco
::agamura::
phone: +41 (0)91 604 67 65
mobile: +41 (0)79 602 99 27
email: giuseppe.greco@agamura.com
web: www.agamura.com
----------------------------------------
... sorry for my ignorance, but where are *.te files located? I cannot find them...
j3d.
On Sun, 2004-12-05 at 11:11 -0800, Tom London wrote:
> Running strict/enforcing, latest Rawhide
> squid and initrc need to create/write /var/log/squid/squid.out, etc.
> Suggest adding:
> allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
> allow { squid_t initrc_t } squid_log_t:file create_file_perms;
> tom
On Fri, 2004-12-10 at 14:23 +0100, Giuseppe Greco wrote:
> ... sorry for my ignorance, but where are *.te files located? I cannot find them...
You have to have selinux-policy-<policyname>-sources (the policy source package) installed. Then you can find everything within /etc/selinux/<policyname>/src/policy. In this case, you want /etc/selinux/<policyname>/src/policy/domains/program/squid.te.
- Karsten
Thanks,
now I've added the following two lines to /etc/selinux/targeted/src/policy/domains/program/squid.te:
allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
allow { squid_t initrc_t } squid_log_t:file create_file_perms;
... but I still get the following error message when restarting squid:
Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir
audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir
I've also a similar problem with sendmail when accessed via squirrelmail:
audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
I don't know how to proceed...
j3d.
On Fri, 2004-12-10 at 06:40 -0800, Karsten Wade wrote:
> On Fri, 2004-12-10 at 14:23 +0100, Giuseppe Greco wrote:
> > ... sorry for my ignorance, but where are *.te files located? I cannot find them...
> You have to have selinux-policy-<policyname>-sources (the policy source package) installed. Then you can find everything within /etc/selinux/<policyname>/src/policy. In this case, you want /etc/selinux/<policyname>/src/policy/domains/program/squid.te.
> - Karsten
Giuseppe Greco wrote:
> Thanks,
> now I've added the following two lines to /etc/selinux/targeted/src/policy/domains/program/squid.te:
> allow { squid_t initrc_t } squid_log_t:dir create_dir_perms;
> allow { squid_t initrc_t } squid_log_t:file create_file_perms;
> ... but I still get the following error message when restarting squid:
> Starting squid: audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t tclass=dir
> audit(1102241826.255.0): avc: denied { getattr } for pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2 scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t tclass=dir
> I've also a similar problem with sendmail when accessed via squirrelmail:
> audit(1102761151.989:0): avc denied { search } for pid=1841 exe=/usr/sbin/httpd name=spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
> audit(1102761496.288:0): avc denied { getattr } for pid=1841 exe=/usr/sbin/httpd path=/var/spool dev=dm-6 ino=224002 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_spool_t tclass=dir
> I don't know how to proceed...
> j3d.
All of these should be covered by the latest policy files. Have you updated your policy files?
Dan
On Mon, 2004-12-13 at 09:26 -0500, Daniel J Walsh wrote:
> All of these should be covered by the latest policy files. Have you updated your policy files?
Yes, I'm up2date...
j3d.
> Dan
Giuseppe Greco wrote:
> Yes, I'm up2date...
> j3d.
What version of selinux-policy-targeted?
Dan
On Mon, 2004-12-13 at 09:59 -0500, Daniel J Walsh wrote:
> What version of selinux-policy-targeted?
The version is 1.17.30-2.39
j3d.
> Dan