Bug 1319443
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /usr/sbin/squid from 'execmod' accesses on the file /usr/sbin/squid. | | |
| Product | [Fedora] Fedora | Reporter | Michael Chapman <redhat-bugzilla> |
| Component | squid | Assignee | Luboš Uhliarik <luhliari> |
| Status | CLOSED EOL | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 22 | CC | bmbouter, daviddavis, dkliban, dominick.grift, dwalsh, ggainey, henrik, iand, ipanova, jeff.raber, jonathansteffan, luhliari, lvrabec, mgrepl, mhrivnak, pcreech, plautrba, psimerda, rchan, thozza, ttereshc |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Unspecified | | |
| Whiteboard | abrt_hash:05eed06d1a35737f4237c5ba8432d884bd23818f787d60253876846472b85578; | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-07-19 18:46:30 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Michael Chapman
2016-03-20 06:54:42 UTC
Just a note, that report was actually generated while SELinux was in Permissive mode. The same report occurs either way; Squid is able to be started in Permissive mode though.

This is caused by the new squid version currently in the updates-testing repo for Fedora 22. Squid folks, any new feature in squid?

Hello! On an updated F23 with ....

```
May 13 18:41:08 INFO Upgraded: selinux-policy-3.13.1-128.28.fc22.noarch
May 13 18:41:08 INFO Upgraded: libecap-1.0.0-1.fc22.x86_64
May 13 18:41:12 INFO Upgraded: squid-7:3.5.10-1.fc22.x86_64
May 13 18:41:40 INFO Upgraded: selinux-policy-targeted-3.13.1-128.28.fc22.noarch
```

..... I still get

```
type=AVC msg=audit(1463154104.351:701): avc: denied { execmod } for pid=4732 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1463154104.455:703): avc: denied { execmod } for pid=4769 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1463154142.650:705): avc: denied { execmod } for pid=14365 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1463154300.285:213): avc: denied { execmod } for pid=875 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1463154336.502:311): avc: denied { execmod } for pid=1100 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=1
```

So in enforcing mode squid is still unable to start, but in permissive mode it works.

I just did a dnf update and saw similar issues ... have this now: squid-3.5.10-1.fc22.x86_64 and my selinux is in enforcing mode, which I don't want to turn off. However I tried to allow it in the usual way (see the example by the first poster) but that didn't work.

```
# grep squid /var/log/audit/audit.log | audit2allow -M squid
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i squid.pp

# cat squid.te

module squid 1.0;

require {
	type squid_t;
	type squid_exec_t;
	class file execmod;
}

#============= squid_t ==============
allow squid_t squid_exec_t:file execmod;

# semodule -i squid.pp
libsepol.print_missing_requirements: squid's global requirements were not met: type/attribute squid_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

# ll -Z /usr/sbin/squid
-rwxr-xr-x. 1 root root system_u:object_r:squid_exec_t:s0 6856352 Mar 8 22:24 /usr/sbin/squid
```

So instead I did this:

```
# chcon -t textrel_shlib_t /usr/sbin/squid
# ll -Z /usr/sbin/squid
-rwxr-xr-x. 1 root root system_u:object_r:textrel_shlib_t:s0 6856352 Mar 8 22:24 /usr/sbin/squid
```

And now squid starts ok in enforcing mode.

The Pulp upstream bug status is at CLOSED - WONTFIX. Updating the external tracker on this bug.

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

This has been seen in the past for Squid and was caused by a mismatch in compiler/libtool flags, resulting in an undesired model of linking. This was fixed in Squid package 3.5.2-3.f23

```
commit b10ea1ad1af585cd2f258000809298aae6340ab8
Author: Henrik Nordstrom <henrik>
Date:   Tue Mar 17 03:14:46 2015 +0100

    Use -fPIC instead of -fpie to keep libtool happy

    libtool builds some internal table wrongly when using -fpie.
```

But apparently missed when F22 was later updated to Squid-3.5.

I have submitted a new squid-3.5.10-5 build for F22 with the needed packaging change backported from F23 which I think will fix this, but I have no F22 machine (real or virtual) to test the change on.

squid-3.5.10-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a96ef11fb5

I can't test this either as I'm now on F23, and squid didn't have this issue on F23 after I upgraded to it. Didn't need to apply the chcon.

```
$ ll -Z /usr/sbin/squid
-rwxr-xr-x. 1 root root system_u:object_r:squid_exec_t:s0 6879792 Oct 7 2015 /usr/sbin/squid
```

squid-3.5.10-5.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a96ef11fb5

Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
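As an added example (not code from the bug thread or the squid project), the Python below parses AVC lines like the ones quoted above, aggregates them into the same `allow squid_t squid_exec_t:file execmod;` rule that audit2allow produced in the thread, and separately flags execmod denials on a domain's own `*_exec_t` binary as the text-relocation symptom Henrik describes, where the correct fix is rebuilding with `-fPIC`, not an allow rule or a `textrel_shlib_t` relabel. The sample audit text is constructed from two of the thread's lines plus one unrelated denial.

```python
import re
from collections import Counter

# Constructed sample: two AVC lines quoted in the bug, plus one unrelated read denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1463154104.351:701): avc: denied { execmod } for pid=4732 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1463154336.502:311): avc: denied { execmod } for pid=1100 comm="squid" path="/usr/sbin/squid" dev="dm-0" ino=673973 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1463154400.100:400): avc: denied { read } for pid=1101 comm="squid" name="squid.conf" dev="dm-0" ino=1 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Fields of an avc: denied record; permissive= is optional on older kernels.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one dict per AVC denial line; non-AVC lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = tuple(sorted(d["perms"].split()))   # "{ read write }" -> ("read","write")
        d["permissive"] = d["permissive"] == "1"          # True if the access was only logged
        out.append(d)
    return out

def type_of(ctx):
    # user:role:type:level -> type
    return ctx.split(":")[2]

def allow_rules(denials):
    """Collapse denials into the allow rules audit2allow would emit, with hit counts."""
    rules = Counter()
    for d in denials:
        for perm in d["perms"]:
            rules[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"], perm)] += 1
    return {f"allow {s} {t}:{c} {p};": n for (s, t, c, p), n in sorted(rules.items())}

def textrel_suspects(denials):
    """execmod on a *_exec_t file means the binary itself needs writable+executable
    relocations (squid built with -fpie here); fix the build rather than the policy."""
    return sorted({type_of(d["tcontext"]) for d in denials
                   if "execmod" in d["perms"] and d["tclass"] == "file"
                   and type_of(d["tcontext"]).endswith("_exec_t")})
```

Feed it `grep avc /var/log/audit/audit.log` output instead of the sample to see which rules a module would need and which denials point at a build defect.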