
Bug 224409

Summary: Denials with squid's cachemgr.cgi
Product: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Orion Poplawski <orion>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
CC: dwalsh
Fixed In Version: 2.4.6-37.fc6
Doc Type: Bug Fix
Last Closed: 2007-02-22 18:12:44 UTC

Attachments:
  Loadable policy module to fix your problem. (Flags: none)

Description Orion Poplawski 2007-01-25 16:22:28 UTC
Description of problem:

When using squid's cachemgr.cgi as configured by the Fedora squid package I get:

Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc:  denied  { search } for  pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0

This is trying to search /etc/squid.

Version-Release number of selected component (if applicable):

Comment 1 Orion Poplawski 2007-01-25 16:27:14 UTC
*** Bug 224412 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2007-01-25 19:10:53 UTC
Why is cachemgr.cgi in /etc/squid directory?

Comment 3 Orion Poplawski 2007-01-25 19:20:45 UTC
It's not.  It's in /usr/lib/squid/cachemgr.cgi, but it's trying to read
/etc/squid/cachemgr.conf.  It may be trying to do other stuff too, not sure. 
Running from the command line under strace I see:

8115  open("/etc/squid/cachemgr.conf", O_RDONLY|O_LARGEFILE) = 3

Comment 4 Orion Poplawski 2007-01-25 19:21:45 UTC
Note that it seems to run fine.

Comment 5 Daniel Walsh 2007-01-25 20:13:03 UTC
Created attachment 146614 [details]
Loadable policy module to fix your problem.

Could you save this .te file and execute

make -f /usr/share/selinux/devel/Makefile 
semodule -i squid-cgi.pp 
chcon -t httpd_squid_script_exec_t /usr/lib/squid/cachemgr.cgi 

And try it out.
This fix will be in the next policy.

Comment 6 Orion Poplawski 2007-01-25 20:19:44 UTC
Similar but different:

Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc:  denied  { search } for  pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir

Comment 7 Daniel Walsh 2007-01-25 20:28:33 UTC
Yes, I knew about that one. Sorry, forgot to tell you.

That was added to /usr/share/selinux/devel/include/services/squid.if

## <summary>
##	Read squid configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# The interface wrapper and gen_require block were not quoted in the comment
# above; the interface name used here is the one the reference policy's
# squid.if uses for this block, squid_read_config.
interface(`squid_read_config',`
	gen_require(`
		type squid_conf_t;
	')

	allow $1 squid_conf_t:dir search_dir_perms;
	allow $1 squid_conf_t:file r_file_perms;
')

Comment 8 Daniel Walsh 2007-02-14 20:33:04 UTC
Fixed in selinux-policy-2.4.6-37.fc6

Comment 9 Orion Poplawski 2007-02-16 18:45:20 UTC
Still see it:

audit(1171651371.459:7): avc:  denied  { search } for  pid=3384 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0

[root@hawk ~]# restorecon -r -v /usr/lib/squid/ /etc/squid
[root@hawk ~]# rpm -q selinux-policy

Comment 10 Daniel Walsh 2007-02-16 21:05:43 UTC
For some reason cachemgr.cgi is not transitioning to httpd_squid_script_t?

getsebool -a | grep http

Comment 11 Orion Poplawski 2007-02-16 21:07:33 UTC
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on

Comment 12 Daniel Walsh 2007-02-20 19:48:36 UTC
ls -lZ /usr/lib/squid/cachemgr.cgi

Comment 13 Orion Poplawski 2007-02-20 19:56:54 UTC
-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/lib/squid/cachemgr.cgi

Comment 14 Daniel Walsh 2007-02-22 17:53:29 UTC
restorecon -F -R -v /usr/lib/squid/cachemgr.cgi

The context is wrong.

Comment 15 Orion Poplawski 2007-02-22 18:12:44 UTC
That indeed fixed the context and removed the denial.
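
The thread resolves the denial in two ways: Comment 5 and Comment 7 add policy (a loadable module, then the squid.if interface), while Comments 12 to 14 show the underlying cause was the executable carrying httpd_exec_t instead of httpd_squid_script_exec_t, so the domain transition never happened. The script below is an added example, not code from this bug or from the selinux-policy package. It parses AVC records like the ones quoted above (constructed copies joined onto one line, one deliberately missing scontext as in Comment 6, plus an invented file-read denial), collapses them into the allow rules an audit2allow run would print, and then checks the denied program's executable label against the expected type so that a mislabel is reported as a restorecon job rather than as a policy gap. The function names, the sample lines and the expected-type table are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the denials quoted in this bug,
# joined back onto one line each. The second lacks scontext, as in Comment 6;
# the third is an invented file-read denial for /etc/squid/cachemgr.conf.
AVC_LINES = [
    'Jan 24 16:47:09 hawk kernel: audit(1169682429.577:42): avc:  denied  { search } '
    'for  pid=22647 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir',
    'Jan 25 13:18:42 hawk kernel: audit(1169756322.593:47): avc:  denied  { search } '
    'for  pid=9004 comm="cachemgr.cgi" name="squid" dev=dm-0 ino=47143 '
    'tcontext=system_u:object_r:squid_conf_t:s0 tclass=dir',
    'Jan 25 13:18:42 hawk kernel: audit(1169756322.594:48): avc:  denied  { read } '
    'for  pid=9004 comm="cachemgr.cgi" name="cachemgr.conf" dev=dm-0 ino=47150 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file',
]

# ls -lZ output as shown in Comment 13 (old five-column layout: mode user group context path).
LS_LZ_LINE = '-rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/lib/squid/cachemgr.cgi'

# Expected executable type per program; the value comes from the chcon in Comment 5.
EXPECTED_EXEC_TYPE = {'cachemgr.cgi': 'httpd_squid_script_exec_t'}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def allow_rules(records):
    """Collapse complete denials into audit2allow-style allow rules.

    Returns (rules, skipped): records missing scontext, tcontext or tclass
    cannot be turned into a rule and are only counted in `skipped`.
    """
    perms_by_key = defaultdict(set)
    skipped = 0
    for rec in records:
        if rec is None:
            continue
        if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            skipped += 1
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        perms_by_key[key].update(rec['perms'])
    rules = [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(perms_by_key.items())
    ]
    return rules, skipped


def parse_ls_lz(line):
    """Parse one old-style `ls -lZ` line into (path, type)."""
    _mode, _user, _group, context, path = line.split()
    return path, type_of(context)


def diagnose(avc_lines, ls_lz_line, expected=EXPECTED_EXEC_TYPE):
    """Decide whether the denials call for a relabel or for a policy change.

    If the denied program's executable does not carry the type the policy
    expects, the domain transition never happened and the denials are a
    symptom of a mislabel: return the restorecon to run. Otherwise return the
    allow rules the denials would need. Both branches return (kind, lines).
    """
    records = [parse_avc(line) for line in avc_lines]
    comms = {r['comm'] for r in records if r and 'comm' in r}
    path, actual = parse_ls_lz(ls_lz_line)
    for comm in comms:
        want = expected.get(comm)
        if want and want != actual and path.endswith('/' + comm):
            return 'relabel', [f'restorecon -F -v {path}']
    rules, _skipped = allow_rules(records)
    return 'policy', rules


if __name__ == '__main__':
    kind, lines = diagnose(AVC_LINES, LS_LZ_LINE)
    print(kind)
    for line in lines:
        print('  ' + line)
```

Run against the sample data the script reports `relabel` with the restorecon from Comment 14, because httpd_exec_t is not the entrypoint type the squid CGI domain expects; only once the label is right does it fall through to the allow rules, which then name httpd_t, the domain the process would no longer be running in. That is the check worth doing before pasting audit2allow output into a local module: a denial from the wrong source domain is usually a labeling problem, not a missing rule.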