squid proxy server cache_dir in different partition problem

tr3s · 10-15-2009, 09:34 PM

hi! i managed to install and can successfully start squid when it's using the default cache_dir (/var/spool/squid). but when i changed the cache_dir to a separate partition (/cache/squid), then a permission denied error is encountered in creating cache files when i restart squid.

i'm running fedora 11 64bit. the /cache/squid directory is already owned by the squid user and has 710 permission, just like the permission of /var/cache/squid. both the /var/ and /cache partitions are members of a LVM group and has ext4 as its filesystem.

what else could be the problem?

many thanks

WorldIsNotFair · 10-15-2009, 09:37 PM

selinux maybe ?

what the audit.log and messages says ?

Febi881 · 10-15-2009, 09:38 PM

Quote:

Originally Posted by tr3s

hi! i managed to install and can successfully start squid when it's using the default cache_dir (/var/spool/squid). but when i what else could be the problem?

many thanks

Might be ext4 filesystem causes the problem.

tr3s · 10-15-2009, 10:05 PM

i dont think its an ext4 problem since /var partition is also formatted as ext4.

here's something from dmesg:

Code:

type=1400 audit(1255661133.086:13927): avc:  denied  { search } for  pid=2427 comm="squid" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
type=1400 audit(1255661133.086:13928): avc:  denied  { search } for  pid=2427 comm="squid" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir

here's from /var/log/messages:

Code:

Oct 16 10:46:48 kalabaw squid[2483]: Squid Parent: child process 2504 started
Oct 16 10:46:48 kalabaw kernel: type=1400 audit(1255661208.426:13939): avc:  denied  { search } for  pid=2504 comm="squid" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=dir
Oct 16 10:46:48 kalabaw (squid): #011Failed to verify one of the swap directories, Check cache.log#012#011for details.  Run 'squid -z' to create swap directories#012#011if needed, or if running Squid for the first time.
Oct 16 10:46:48 kalabaw squid[2483]: Squid Parent: child process 2504 exited with status 1

there's nothing written in audit.log that pertains to squid

WorldIsNotFair · 10-15-2009, 10:21 PM

can u list the security context of your /cache/squid directory and put it here.

use #ls -lZd /cache/squid

should be something like squid_cache_t

tr3s · 10-15-2009, 10:27 PM

Code:

#ls -lZd /cache/squid
drwxr-x---. squid squid unconfined_u:object_r:etc_runtime_t:s0 /cache/squid

Febi881 · 10-15-2009, 10:27 PM

It seems to be a selinux problem. Edit /etc/seliux/config file and put SELINUX=disabled and SELINUXTYPE=disabled..and try..

tr3s · 10-15-2009, 10:39 PM

disabling SELinux solved the problem. thanks a bunch. but should i really permanently disable SELinux? or is there any other workaround?

WorldIsNotFair · 10-16-2009, 12:43 AM

i don't use fedora but
you can try to disabled selinux boolean for squid only.

get the boolean first
#getsebool -a | grep squid

u should see like squid_disable_trans, if the value is off then u should make it on.

#setsebool -P squid_disable_trans=on

reconfig the selinux to enforcing, reboot it.