Issue #1904

closed

New SELinux Denials on Fedora 22

Added by semyers over 8 years ago. Updated over 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version:
Platform Release: 2.8.3
OS: Fedora 22
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

Squid isn't starting on our Fedora 22 pulp-smash install due to SELinux denials. :(

# grep -a squid /var/log/audit/audit.log | audit2allow

#============= squid_t ==============
allow squid_t squid_exec_t:file execmod;
allow squid_t tmpfs_t:file { read write getattr open };
type=AVC msg=audit(1462897205.699:918): avc:  denied  { execmod } for  pid=3701 comm="squid" path="/usr/sbin/squid" dev="vda1" ino=18220 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:919): avc:  denied  { read write } for  pid=3701 comm="squid" name="squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:920): avc:  denied  { open } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:921): avc:  denied  { getattr } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

I can't tell if these failures are related to our config, or if Squid itself has had a regression in Fedora 22.

Actions #1

Updated by semyers over 8 years ago

At least the failures related to /dev/shm/squid-cf__metadata.shm have been reported upstream recently, but against Fedora 23:

https://bugzilla.redhat.com/show_bug.cgi?id=1331574

This has me thinking that this isn't a Pulp problem, but I'd like a little more evidence.

Actions #2

Updated by semyers over 8 years ago

Actions #3

Updated by semyers over 8 years ago

  • Status changed from NEW to CLOSED - WONTFIX
  • Assignee set to semyers
  • OS set to Fedora 22
  • Tags SELinux added

I've opened an issue against Fedora specifically for Fedora 22, found here: https://bugzilla.redhat.com/show_bug.cgi?id=1334928

In the meantime, you can adjust your SELinux policy as needed to get Squid working:

# grep squid /var/log/audit/audit.log | audit2allow -M squid
# semodule -i squid.pp

Since there's really nothing we can do for Fedora 22 at this time, I'm closing this issue.

Added by semyers over 8 years ago

Revision b2aa38a3

set selinux to permissive on fedora 22

re #1904 https://pulp.plan.io/issues/1904

Actions #4

Updated by semyers over 8 years ago

  • Triaged changed from No to Yes

Actions #5

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
