SElinux rules for squid
I was facing a problem with squid because of selinux.
Now I have disabled it with the setenforce 0 command. I have also appended selinux=0 in the grub.conf file. But disabling selinux is not a good idea. I want to know about rules for selinux to put squid in running status instead of disabling selinux.
Knowing your distro would help.
In RedHat derivatives, it should work out of the box, but there are a number of booleans you could try (see /selinux/booleans). Chief amongst those is probably squid_disable_trans, which effectively turns selinux off for squid. You use it by "setsebool -P squid_disable_trans 1"
The default Tresys policy should support Squid. If you installed Squid from a CentOS repo RPM it Should Just Work. Posting actual AVC messages and Squid error messages might help people here understand *why* it's failing. Instead of disabling SE Linux for Squid by setting squid_disable_trans, I'd search LQ for threads about adding SE Linux rules to build a local policy or build a policy for Squid yourself. It isn't that hard and if you could do with some help just ask.
I will read about it. I am using Red Hat Enterprise AS 4 and squid stable 2.5 stable 6. If you can help me in writing rules for squid in selinux I would be thankful.
Generally speaking there are two possibilities: Squid runs in its own "domain" (it already has some policy rules configured) but misses some. In that case, and if you run Auditd, you should be able to use AVC messages to adjust your local policy. For example if your Squid binary is just called "squid", then running 'grep "AVC.*squid" /var/log/audit/audit.log|audit2allow' should output to stdout a set of rules with which to build a local policy file. The other possibility (not in your case I guess) is that Squid runs in the "unconfined domain" and you would want it to run in its own domain. In that case being able to install and run policycoreutils and policycoreutils-gui could make things a lot easier. For now let's see what 'grep "AVC.*squid" /var/log/audit/audit.log|audit2allow' shows.
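To show what the grep | audit2allow step above actually derives from the log, here is an added Python illustration (not code from the thread, and not audit2allow itself): it filters AVC denials for comm="squid" out of a constructed audit.log excerpt, merges them into audit2allow-style allow rules, and flags rules whose target is a generic type, since those usually indicate a mislabeled file rather than a missing rule. The sample log lines, the type names in them and the GENERIC_TYPES list are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not the poster's real denials): three AVCs
# from squid_t, one non-AVC record, and one AVC from another domain that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1170000000.101:201): avc:  denied  { write } for  pid=2345 comm="squid" name="cache" dev=sda3 ino=12345 scontext=root:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1170000000.102:202): avc:  denied  { add_name } for  pid=2345 comm="squid" name="swap.state" scontext=root:system_r:squid_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1170000000.103:203): avc:  denied  { name_bind } for  pid=2345 comm="squid" src=3128 scontext=root:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1170000000.103:203): arch=40000003 syscall=102 success=no exit=-13 comm="squid"
type=AVC msg=audit(1170000000.104:204): avc:  denied  { read } for  pid=999 comm="httpd" scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
"""

# Fields of one AVC denial record: permissions, process name, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)

def parse_avc_denials(log_text, comm="squid"):
    """Like grep "AVC.*squid": return (source_domain, target_type, tclass, perm) per denied permission."""
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue
        sdom = m.group("scon").split(":")[2]   # user:role:type -> keep the type
        ttype = m.group("tcon").split(":")[2]
        for perm in m.group("perms").split():
            found.append((sdom, ttype, m.group("tclass"), perm))
    return found

def build_allow_rules(denials):
    """Merge permissions per (source, target, class) into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for sdom, ttype, tclass, perm in denials:
        merged[(sdom, ttype, tclass)].add(perm)
    rules = []
    for (sdom, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (sdom, ttype, tclass, perm_str))
    return rules

# Assumed list of generic types: a denial against these usually means the object is
# mislabeled, and relabeling it (restorecon/chcon) is the better fix than an allow rule.
GENERIC_TYPES = {"var_t", "var_lib_t", "var_log_t", "etc_t", "usr_t", "file_t", "default_t"}

def suspicious_rules(rules):
    """Return the allow rules whose target type is generic and therefore deserves review."""
    return [r for r in rules if r.split()[2].split(":")[0] in GENERIC_TYPES]
```

Run build_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)) and pass the result to suspicious_rules before putting any of it into a local policy.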
Hi,
Please let me know!