Issue #1904

New SELinux Denials on Fedora 22

Added by semyers almost 3 years ago. Updated 5 days ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Severity: 3. High
Version:
Platform Release: 2.8.3
Blocks Release:
OS: Fedora 22
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint:

Description

Squid isn't starting on our Fedora 22 pulp-smash install due to SELinux denials. :(

# grep -a squid /var/log/audit/audit.log | audit2allow

#============= squid_t ==============
allow squid_t squid_exec_t:file execmod;
allow squid_t tmpfs_t:file { read write getattr open };
type=AVC msg=audit(1462897205.699:918): avc:  denied  { execmod } for  pid=3701 comm="squid" path="/usr/sbin/squid" dev="vda1" ino=18220 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:919): avc:  denied  { read write } for  pid=3701 comm="squid" name="squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:920): avc:  denied  { open } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:921): avc:  denied  { getattr } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

I can't tell if these failures are related to our config, or if squid itself has had a regression in Fedora 22.

Associated revisions

Revision b2aa38a3
Added by semyers almost 3 years ago

set selinux to permissive on fedora 22

re #1904
https://pulp.plan.io/issues/1904

History

#1 Updated by semyers almost 3 years ago

At least the failures related to /dev/shm/squid-cf__metadata.shm have been reported upstream recently, but against Fedora 23:

https://bugzilla.redhat.com/show_bug.cgi?id=1331574

This has me thinking that this isn't a Pulp problem, but I'd like a little more evidence.

#2 Updated by semyers almost 3 years ago

#3 Updated by semyers almost 3 years ago

  • Status changed from NEW to CLOSED - WONTFIX
  • Assignee set to semyers
  • OS set to Fedora 22
  • Tags SELinux added

I've opened an issue against Fedora specifically for Fedora 22, found here: https://bugzilla.redhat.com/show_bug.cgi?id=1334928

In the meantime, you can adjust your SELinux policy as needed to get squid working:

# grep squid /var/log/audit/audit.log | audit2allow -M squid
# semodule -i squid.pp

Since there's really nothing we can do for Fedora 22 at this time, I'm closing this issue.
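
Added example (not part of the original issue or of Pulp's code): a small Python parser that groups the four AVC records quoted in the description into allow rules, so the rules a generated module would grant can be reviewed before it is loaded. The function names and regexes are hypothetical, and the sample input is copied from the description.

```python
import re
from collections import defaultdict

# Constructed input: the four AVC records quoted in the issue description.
SAMPLE_LOG = """\
type=AVC msg=audit(1462897205.699:918): avc:  denied  { execmod } for  pid=3701 comm="squid" path="/usr/sbin/squid" dev="vda1" ino=18220 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:squid_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:919): avc:  denied  { read write } for  pid=3701 comm="squid" name="squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:920): avc:  denied  { open } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1462897205.715:921): avc:  denied  { getattr } for  pid=3701 comm="squid" path="/dev/shm/squid-cf__metadata.shm" dev="tmpfs" ino=29900 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}(?P<mid>.*?)"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?")
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

def selinux_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]

def summarise(log_text):
    """Return ({(src, tgt, class): {"perms": set, "objects": set}}, permissive_count)."""
    rules = defaultdict(lambda: {"perms": set(), "objects": set()})
    permissive = 0
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial in the format shown on this page
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["objects"].update(OBJ_RE.findall(m["mid"]))
        permissive += m["permissive"] == "1"
    return dict(rules), permissive

def allow_rule(key, perms):
    """Render one rule in policy syntax; permissions are sorted alphabetically."""
    src, tgt, cls = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {src} {tgt}:{cls} {body};"

if __name__ == "__main__":
    rules, permissive = summarise(SAMPLE_LOG)
    for key, info in sorted(rules.items()):
        print(allow_rule(key, info["perms"]))
        print("    seen on:", ", ".join(sorted(info["objects"])))
    print(f"{permissive} denial(s) had permissive=1: logged, not blocked")
```

Each rule is granted on the whole target type, so the tmpfs_t rule covers every file labelled tmpfs_t, not only the squid shared-memory segment listed under it.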

#4 Updated by semyers almost 3 years ago

  • Triaged changed from No to Yes

#5 Updated by bmbouter 5 days ago

  • Tags Pulp 2 added
