LinuxQuestions.org
Old 10-23-2008, 12:25 AM   #1
sohailkmu
Member
 
Registered: Oct 2008
Posts: 82
Blog Entries: 1

Rep: Reputation: 15
SElinux rules for squid


I was facing a problem with Squid because of SELinux.

Now I have disabled it with the setenforce 0 command. I have also appended selinux=0 to the grub.conf file. But disabling SELinux is not a good idea.

I want to know the SELinux rules to get Squid running instead of disabling SELinux.
 
Old 10-23-2008, 01:08 AM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Knowing your distro would help.

In Red Hat derivatives, it should work out of the box, but there are a number of booleans you could try (see /selinux/booleans). Chief amongst those is probably squid_disable_trans, which effectively turns SELinux off for Squid.

You use it by "setsebool -P squid_disable_trans 1"
 
Old 10-23-2008, 02:51 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
The default Tresys policy should support Squid. If you installed Squid from a CentOS repo RPM it Should Just Work. Posting actual AVC messages and Squid error messages might help people here understand *why* it's failing. Instead of disabling SE Linux for Squid by setting squid_disable_trans, I'd search LQ for threads about adding SE Linux rules to build a local policy or build a policy for Squid yourself. It isn't that hard and if you could do with some help just ask.
 
Old 10-23-2008, 11:54 PM   #4
sohailkmu
Member
 
Registered: Oct 2008
Posts: 82
Blog Entries: 1

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
The default Tresys policy should support Squid. If you installed Squid from a CentOS repo RPM it Should Just Work. Posting actual AVC messages and Squid error messages might help people here understand *why* it's failing. Instead of disabling SE Linux for Squid by setting squid_disable_trans, I'd search LQ for threads about adding SE Linux rules to build a local policy or build a policy for Squid yourself. It isn't that hard and if you could do with some help just ask.
As I mentioned earlier, I don't know about SELinux and its rules.
I will read about it. I am using Red Hat Enterprise AS 4 and Squid 2.5.STABLE6.

If you can help me write rules for Squid in SELinux I would be thankful.
 
Old 10-26-2008, 07:07 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by sohailkmu
I am using Red Hat Enterprise AS 4 and Squid 2.5.STABLE6. If you can help me write rules for Squid in SELinux I would be thankful.
I'm kind of familiar with SE Linux, but unfortunately not with RHEL-4 policy.

Generally speaking there are two possibilities: Squid runs in its own "domain" (it already has some policy rules configured) but is missing some. In that case, and if you run Auditd, you should be able to use AVC messages to adjust your local policy. For example if your Squid binary is just called "squid", then running 'grep "AVC.*squid" /var/log/audit/audit.log|audit2allow' should output to stdout a set of rules with which to build a local policy file. The other possibility (not in your case I guess) is that Squid runs in the "unconfined domain" and you would want it to run in its own domain. In that case being able to install and run policycoreutils and policycoreutils-gui could make things a lot easier.

For now let's see what 'grep "AVC.*squid" /var/log/audit/audit.log|audit2allow' shows.
 
Old 05-19-2011, 03:56 AM   #6
dieghe
LQ Newbie
 
Registered: May 2011
Posts: 1

Rep: Reputation: Disabled
Hi,

Quote:
setsebool -P squid_connect_any 1
will solve the problem, without disabling SELinux.

Please let me know!
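The thread gives the three pieces separately: unSpawn's grep-into-audit2allow pipeline (#5), and the squid_disable_trans (#2) and squid_connect_any (#6) booleans. The script below is an added example, not code posted in the thread, that walks the audit2allow route end to end so you can see what each AVC denial turns into before you load anything. The denial-to-rule step is written out in awk rather than calling audit2allow, so it runs on any box; the audit.log lines, the dest ports, the module name squidlocal and the avc_to_te function name are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): convert AVC denials for Squid into
# the source of a local policy module, the way
#   grep "AVC.*squid" /var/log/audit/audit.log | audit2allow -m squidlocal
# does, with the conversion written out in awk so it is readable and runs
# without audit2allow. Output is standard Type Enforcement (.te) syntax.

# CONSTRUCTED sample lines in the RHEL-4/5 era audit.log format.
# On a real host:  grep "AVC.*squid" /var/log/audit/audit.log
# Line 1: squid connecting to an unlabeled TCP port (port_t).
# Lines 2-3: squid using a cache_dir that is labeled var_t, not squid_cache_t.
# Line 4: an unrelated httpd denial that the comm filter must drop.
SAMPLE_AVC='type=AVC msg=audit(1224743112.321:1001): avc:  denied  { name_connect } for  pid=2142 comm="squid" dest=10080 scontext=root:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1224743112.421:1002): avc:  denied  { read } for  pid=2142 comm="squid" name="cache" dev=sda2 ino=98765 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1224743112.521:1003): avc:  denied  { write } for  pid=2142 comm="squid" name="cache" dev=sda2 ino=98765 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1224743113.000:1004): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file'

# avc_to_te MODNAME COMM
# Reads AVC lines on stdin, keeps those whose comm= matches COMM, and
# prints a module: a require block (types and class permissions) followed
# by one allow rule per (source type, target type, class), with the
# permissions of repeated denials merged and deduplicated.
avc_to_te() {
    awk -v modname="$1" -v comm="$2" '
    /avc: *denied/ && index($0, "comm=\"" comm "\"") {
        match($0, /\{[^}]*\}/)                      # { perm perm ... }
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # context is user:role:type[:level]; the type is field 3
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s SUBSEP t SUBSEP c
        n = split(perms, p, " ")                    # whitespace split
        for (j = 1; j <= n; j++) {
            if (p[j] == "" || (key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            if (rule[key] != "") rule[key] = rule[key] " "
            rule[key] = rule[key] p[j]
            if (!index(" " cls[c] " ", " " p[j] " ")) cls[c] = cls[c] " " p[j]
        }
        types[s] = 1; types[t] = 1
    }
    function braces(list) { return index(list, " ") ? "{ " list " }" : list }
    END {
        printf "module %s 1.0;\n\nrequire {\n", modname
        for (ty in types) printf "    type %s;\n", ty
        for (c in cls)    printf "    class %s %s;\n", c, braces(substr(cls[c], 2))
        printf "}\n\n"
        for (key in rule) {
            split(key, k, SUBSEP)
            printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], braces(rule[key])
        }
    }'
}

# Stand-alone run: show what the sample denials would become.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te squidlocal squid
```

Read the generated rules before loading them; each one tells you whether a custom rule is even the right fix. The name_connect denial on port_t is exactly what dieghe's `setsebool -P squid_connect_any 1` permits (or label the port with semanage port), so no local rule is needed for it. The read/write denials on var_t mean the cache_dir is mislabeled, and the fix is `chcon -R -t squid_cache_t` on that directory (or using /var/spool/squid and restorecon), not an allow rule that lets squid_t write to every var_t directory. Only what remains after that belongs in the module. On a modular policy (RHEL 5 and later) save the output as squidlocal.te and run `checkmodule -M -m -o squidlocal.mod squidlocal.te`, `semodule_package -o squidlocal.pp -m squidlocal.mod`, `semodule -i squidlocal.pp`; RHEL 4's targeted policy is monolithic, so there the allow rules go into the policy sources (selinux-policy-targeted-sources) and are loaded with make rather than semodule.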
 