net foss
2007-Apr-19 02:17 UTC
[CentOS] selinux problem with squid and snmp_port in centos 5
Hi all,

I just want to enable squid's SNMP support to get information about its performance through an SNMP client. I set "snmp_port 3401" in squid.conf. SELinux is in enforcing state with the targeted policy. But the squid daemon doesn't start. There are some messages in audit.log like:

type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0 ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0 key=(null)

Note that squid can run if I make one of the two following changes:
1) switch SELinux to permissive (setenforce 0), and keep snmp_port 3401 in squid.conf
2) keep SELinux in enforcing state, and disable snmp_port in squid.conf

This problem happens in CentOS 5. The same configuration (i.e. SELinux enforcing, and snmp_port 3401) works well in 4.4.

Any hint to solve the problem is appreciated.

--
NetFOSS
netfoss at gmail.com
Stefan Held
2007-Apr-19 12:16 UTC
[CentOS] selinux problem with squid and snmp_port in centos 5
On Thursday, 19.04.2007 at 11:17 +0900, net foss wrote:
> Hi all,

su -
cd ~

cp that one:

> type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102
> success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0
> ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0
> egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=user_u:system_r:squid_t:s0 key=(null)

into a file named: squid_snmp_audit.log

run: audit2allow -M squid_snmp -i squid_snmp_audit.log

after that: semodule -i squid_snmp.pp

> Any hint to solve the problem is appreciated.

Greetings
--
Stefan Held                 VI has only 2 Modes:
obi unixkiste org           The first one is for beeping all the time,
FreeNode: foo_bar           the second destroys the text.
---------------------------------------------------------------------------
Fedora Ambassador: http://fedoraproject.org/wiki/StefanHeld
---------------------------------------------------------------------------
perl -e'map{print pack c,($|++?1:13)+ord,select$,,$,,$,,$|}split//,ESEL.$/'
---------------------------------------------------------------------------
GPG-Keyprint = 75C0 F029 CA71 F061 6C07 0640 38F7 E5F9 4EA5 A385
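The recipe from this reply as a runnable sh script, added here as an example and not part of the thread. The audit records are constructed (the first is modelled on the SYSCALL record posted above); failed_syscalls_for, subj_domain, count_denials and build_squid_module are names of my own, and the build step assumes a CentOS host with the audit and policycoreutils tools (ausearch, audit2allow, semodule) installed and is run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Two constructed records: the first is
# modelled on the SYSCALL record from the question (exit=-13 is EACCES, the
# permission denial), the second is an unrelated successful call.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102 success=no exit=-13 a0=2 items=0 ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=user_u:system_r:squid_t:s0 key=(null)
type=SYSCALL msg=audit(1176946813.001:245): arch=40000003 syscall=102 success=yes exit=0 a0=1 items=0 ppid=1 pid=15800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)'

# Keep only failed syscalls (success=no) made by the named program.
# $1 = comm value, audit records on stdin.
failed_syscalls_for() {
    grep "comm=\"$1\"" | grep 'success=no'
}

# Pull the SELinux domain (third field of the subj= context) from each record,
# e.g. squid_t from user_u:system_r:squid_t:s0.
subj_domain() {
    sed -n 's/.*subj=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Number of failed syscalls for program $1 in the sample.
count_denials() {
    printf '%s\n' "$AUDIT_SAMPLE" | failed_syscalls_for "$1" | wc -l | tr -d ' '
}

# Build, review and install a local module as the reply suggests. Unlike the
# reply, the input is collected with ausearch: audit2allow works from the AVC
# record that shares the audit serial (here :244) with the SYSCALL record, and
# "ausearch -m avc -c squid" returns those AVC records.
build_squid_module() {
    name=${1:-squid_snmp}
    ausearch -m avc -c squid > "$name.audit" || return 1
    audit2allow -M "$name" -i "$name.audit" || return 1
    # Review before loading: the generated .te should grant squid_t only what
    # the denial shows (binding the SNMP port), nothing broader.
    cat "$name.te"
    semodule -i "$name.pp"
    # Modules loaded this way live in the SELinux module store and stay
    # installed across selinux-policy package updates; list them: semodule -l
}
```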
net foss
2007-Apr-20 06:19 UTC
[CentOS] selinux problem with squid and snmp_port in centos 5
On 4/19/07, Stefan Held <obi at unixkiste.org> wrote:
> On Thursday, 19.04.2007 at 11:17 +0900, net foss wrote:
> > Hi all,
>
> su -
> cd ~
>
> cp that one:
>
> > type=SYSCALL msg=audit(1176946812.492:244): arch=40000003 syscall=102
> > success=no exit=-13 a0=2 a1=bf880060 a2=81109f0 a3=bf88007c items=0
> > ppid=15684 pid=15705 auid=500 uid=23 gid=23 euid=0 suid=0 fsuid=0
> > egid=23 sgid=23 fsgid=23 tty=(none) comm="squid" exe="/usr/sbin/squid"
> > subj=user_u:system_r:squid_t:s0 key=(null)
>
> into a file named: squid_snmp_audit.log
>
> run: audit2allow -M squid_snmp -i squid_snmp_audit.log
>
> after that: semodule -i squid_snmp.pp

Thank you very much for your help, Stefan.

Everything I had to do with SELinux in CentOS 4.x (enforcing and targeted mode) was only changing the context of web content. But now several different SELinux problems happen on my CentOS 5 box. One of them is access denied when squid opens snmp_port, which I described in my previous mail. Another one is access denied when squirrelmail connects to localhost:imap (cyrus-imapd server here). I think that I can apply your suggested method to solve these problems.

I have another question. Must I make these rules again after updating the policy package or not (i.e. will the next updates of the selinux-policy package overwrite the manually edited rules or not)?

> > Any hint to solve the problem is appreciated.
>
> Greetings

--
NetFOSS
netfoss at gmail.com