LinuxQuestions.org

Thread: SElinux rules for squid (https://www.linuxquestions.org/questions/linux-newbie-8/selinux-rules-for-squid-678463/)

sohailkmu 10-22-2008 11:25 PM

SElinux rules for squid
 
I was facing a problem with squid because of selinux.

Now I have disabled it with the setenforce 0 command. I have also appended selinux=0 in grub.conf file. But disabling selinux is not a good idea.

I want to know about rules for selinux to put the squid in running status instead of disabling selinux.

billymayday 10-23-2008 12:08 AM

Knowing your distro would help.

In RedHat derivatives, it should work out of the box, but there are a number of booleans you could try (see /selinux/booleans). Chief amongst those is probably squid_disable_trans, which effectively turns selinux off for squid.

You use it by "setsebool -P squid_disable_trans 1"

unSpawn 10-23-2008 01:51 AM

The default Tresys policy should support Squid. If you installed Squid from a CentOS repo RPM it Should Just Work. Posting actual AVC messages and Squid error messages might help people here understand *why* it's failing. Instead of disabling SE Linux for Squid by setting squid_disable_trans, I'd search LQ for threads about adding SE Linux rules to build a local policy or build a policy for Squid yourself. It isn't that hard and if you could do with some help just ask.

sohailkmu 10-23-2008 10:54 PM

Quote:

Originally Posted by unSpawn (Post 3319431)
The default Tresys policy should support Squid. If you installed Squid from a CentOS repo RPM it Should Just Work. Posting actual AVC messages and Squid error messages might help people here understand *why* it's failing. Instead of disabling SE Linux for Squid by setting squid_disable_trans, I'd search LQ for threads about adding SE Linux rules to build a local policy or build a policy for Squid yourself. It isn't that hard and if you could do with some help just ask.

As I have mentioned earlier, I don't know about selinux and its rules.
I will read about it. I am using Red Hat Enterprise AS 4 and squid stable 2.5 stable 6.

If you can help me in writing rules for squid in selinux I would be thankful.

unSpawn 10-26-2008 06:07 PM

Quote:

Originally Posted by sohailkmu (Post 3320408)
I am using Red Hat Enterprise AS 4 and squid stable 2.5 stable 6. If you can help me in writing rules for squid in selinux I would be thankful.

I'm kind of familiar with SE Linux, but unfortunately not with RHEL-4 policy.

Generally speaking there are two possibilities: Squid runs in its own "domain" (it already has some policy rules configured) but misses some. In that case, and if you run Auditd, you should be able to use AVC messages to adjust your local policy. For example if your Squid binary is just called "squid", then running 'grep "AVC.*squid" /var/log/audit/audit.log|audit2allow' should output to stdout a set of rules with which to build a local policy file. The other possibility (not in your case I guess) is that Squid runs in the "unconfined domain" and you would want it to run in its own domain. In that case being able to install and run policycoreutils and policycoreutils-gui could make things a lot easier.

For now let's see what 'grep "AVC.*squid" /var/log/audit/audit.log|audit2allow' shows.
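An added illustration of what the grep/audit2allow step above actually does (example code, not from the thread or from the audit2allow tool): it parses AVC denial records, keeps only the squid ones, and renders the minimal allow rules as a .te source. The audit lines are constructed samples; real denials from /var/log/audit/audit.log would be used in their place, and every generated rule still has to be reviewed before it is built and loaded, since a denial on a generic type such as var_t usually means the cache directory needs relabeling rather than a new allow rule.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not real log data); the last one is not a squid denial.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1224700000.101:11): avc:  denied  { name_connect } for  pid=2101 comm="squid" dest=8080 scontext=root:system_r:squid_t tcontext=system_u:object_r:http_cache_port_t tclass=tcp_socket',
    'type=AVC msg=audit(1224700000.102:12): avc:  denied  { read write } for  pid=2101 comm="squid" name="cache" dev=sda3 ino=4711 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir',
    'type=AVC msg=audit(1224700000.103:13): avc:  denied  { search } for  pid=2101 comm="squid" name="cache" dev=sda3 ino=4711 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir',
    'type=AVC msg=audit(1224700000.104:14): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file',
]

# The fields audit2allow needs from an AVC record: permissions, source/target context, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(lines):
    """Return {(source_type, target_type, tclass): set(perms)} for every squid denial."""
    denials = defaultdict(set)
    for line in lines:
        if 'comm="squid"' not in line:      # simplified stand-in for grep "AVC.*squid"
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m.group('sctx').split(':')[2]  # context is user:role:type[:level]; keep the type
        tgt = m.group('tctx').split(':')[2]
        denials[(src, tgt, m.group('tclass'))].update(m.group('perms').split())
    return denials

def to_te(denials, module='local_squid'):
    """Render the merged denials as .te source, roughly what audit2allow emits for a module."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f'module {module} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(to_te(parse_avc(SAMPLE_AUDIT_LOG)))
```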

dieghe 05-19-2011 02:56 AM

Hi,

Quote:

setsebool -P squid_connect_any 1
will solve the problem, without disabling selinux.

Please let me know!
