Hello Eliezer Croitoru,
this is also going to the OpenSSL mailing list, because: can someone verify
that the CA certificate and the SSL certificate fit together - the last
section of this mail.
(of course I can do this by myself, but here I want the opinion of a 3rd
party)
I have the solution that worked on my system to run SELinux with enforcing:
first you need to install a special package
yum install policycoreutils-python
then do this to filter the audit log:
(on my system only squid entries are questionable;
in case there are more programs that can run only
with SELinux turned off or set to permissive,
you must sort out these entries of course)
cat /var/log/audit/audit.log | grep -v "success" > avc
the next step is to generate the policy file
audit2allow -M avc < avc
this generates avc.pp; with this do:
semodule -i avc.pp
that was it;
(I'm not an expert, I just got hints from my workmate)
--

I found out something strange ... when using the .repo files here ...
http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOS
the package
http://software.opensuse.org/download.html?project=home%3Aairties%3Aserver&package=squid3
gives this error when installing with 'yum install squid3':

Error: Package: squid3-3.3.8-6.1.x86_64 (home_airties_server)
       Requires: perl(Authen::Smb)

the other packages require the epel repo to be installed before ... but how
can I install squid 3.3? there is only the question if it's ok to install
7:squid-3.4.0-3-1...

I tried this
yum install http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.3.11-1.el6.x86_64.rpm
and it worked ..., with SELinux=permissive and also, with the above, with
SELinux=enforcing

the only question: how to use a parent proxy with both of the following ...

cache_peer #ip# 3128 0 proxy-only
never_direct allow all

and

ssl_bump server-first all
always_direct allow all

..., conflicting a little bit ...? in other words, how to use a parent proxy
while doing ssl-bump? (the firewall blocks direct access of this proxy, only
the parent proxy has access to the internet)

--

my squid.conf has the default entries plus (here without parent proxy)

<squid.conf>
ssl_bump server-first all
# these will be adapted to my needs, here for testing only
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
always_direct allow all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2
</squid.conf>

I'm using no caching directory, this should be the work of the parent proxy
..., the squid.pem is shown below; the purpose of this server is just doing
smart filtering on HTTPS;

--

can someone please tell me why I get in FF (in an old 3.6 and in a
relatively recent one, 24.2esr)

This Connection is Untrusted
www.google.nl uses an invalid security certificate.
The certificate is not trusted because it was issued by an invalid CA
certificate.
(Error code: sec_error_inadequate_key_usage)

only for URLs that are shown in the Subject alternative name of the attached
SSL certificate and result in this certificate ...? and this is only with FF,
not with IE and not with Google Chrome itself ... all other SSL sites work
well ...

--

when I talk about a server, it is of course just a virtual machine on my
computer, of these I have a few:
- mail server
- dns server
- proxy server (with caching and smart filtering for non-https)
- ...

Thanks,
Walter

--[ audit.log extract ]--
type=AVC msg=audit(1386721165.548:990): avc: denied { write } for pid=6689 comm="ssl_crtd" name="size" dev=sda3 ino=395149 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1386721165.548:991): avc: denied { write } for pid=6689 comm="ssl_crtd" name="certs" dev=sda3 ino=395148 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1386721165.548:991): avc: denied { remove_name } for pid=6689 comm="ssl_crtd" name="79B5336452F44EE14155FEF0042BCA6C6A1AFC12.pem" dev=sda3 ino=395199 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1386721165.548:991): avc: denied { unlink } for pid=6689 comm="ssl_crtd" name="79B5336452F44EE14155FEF0042BCA6C6A1AFC12.pem" dev=sda3 ino=395199 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1386721165.550:992): avc: denied { add_name } for pid=6689 comm="ssl_crtd" name="58481355CE5F10BBF9DF4CD4B99692BC308E4D42.pem" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1386721165.550:992): avc: denied { create } for pid=6689 comm="ssl_crtd" name="58481355CE5F10BBF9DF4CD4B99692BC308E4D42.pem" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

--[ squid.pem ]--
the private key here is no problem, because it's only for testing purposes;
the final working squid server gets other certificates ...

--[ SSL certificate ]--
Certificate:
    ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.google.com, DNS:*.android.com, DNS:*.appengine.google.com,
                DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca,
                DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp,
                DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au,
                DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx,
                DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de,
                DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it,
                DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt,
                DNS:*.googleapis.cn, DNS:*.googlecommerce.com, DNS:*.gstatic.com,
                DNS:*.urchin.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com,
                DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com,
                DNS:android.com, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com,
                DNS:google.com, DNS:googlecommerce.com, DNS:urchin.com,
                DNS:youtu.be, DNS:youtube.com, DNS:youtubeeducation.com
    ...

On 09.12.2013 06:30, Eliezer Croitoru wrote:
> Hey Walter,
>
> I do not know yet of a way to get SELinux to work with squid nicely.
> I do know it can be done with enough knowledge and a couple of additions.
>
> If anyone is a SELinux expert or just can find the appropriate way of
> handling squid conflicts with SELinux I would be happy to try to push
> these into the RPMs.
>
> For now the suggestion is to set the selinux policy to permissive, while on
> most squid systems (dedicated) you won't force selinux, but I am still
> not sure why.
>
> Fedora has some docs about it:
> http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html
>
> This policy setting might help somewhat:
> setsebool -P squid_connect_any 1
>
> And at redhat a couple of notes:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.html
>
> Can you share the errors you see in logs? either squid logs or
> messages log?
>
> Are you using a cache_dir ?
>
> There is also a demonstration on how to create a selinux module\policy
> for qlproxy:
> http://sichent.wordpress.com/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/
>
> I hope it helps.
>
> Eliezer
>
> On 08/12/13 22:34, Walter H. wrote:
>> Hello,
>>
>> I have the identical problem as here:
>> http://comments.gmane.org/gmane.comp.web.squid.general/99601
>>
>> SELinux=enforcing prevents running squid ...
>>
>> my system: a CentOS 6.5, squid-3.3.11
>>
>> ./configure --enable-ssl
>> --enable-ssl-crtd
>> --disable-htcp
>> --disable-eui
>> --disable-snmp
>> --enable-useragent-log
>> --enable-referer-log
>> --enable-cachemgr-hostname=localhost
>> --prefix=/usr
>> --includedir=/usr/include
>> --datadir=/usr/share
>> --bindir=/usr/sbin
>> --libexecdir=/usr/lib/squid
>> --localstatedir=/var
>> --sysconfdir=/etc/squid
>> --with-dl
>> --with-openssl
>> --with-pthreads
>> --with-logdir=/var/log/squid
>> --with-default-user=squid
>>
>> can someone give me a hint, what to do?
>>
>> by the way, the binary packages from here:
>> http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOS
>> have the same problem ...
>>
>> Thanks,
>> Walter
>>
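An added example (not code from the mail, from Squid or from the RPM packager) for the "sort out these entries" step of the audit2allow procedure in Walter's mail: instead of `grep -v success`, keep only the AVC denials raised by the squid_t domain and summarise them, so a module built from the file cannot quietly grant permissions to another confined daemon. The sample input is constructed: two of the ssl_crtd records from the audit.log extract, a SYSCALL record and an unrelated httpd denial.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Reads audit.log records
# on stdin (e.g. from /var/log/audit/audit.log) and keeps only AVC denials
# whose source context is the squid_t domain; audit2allow only needs these.

squid_avc_denials() {
    grep '^type=AVC ' | grep -E 'avc: +denied' | grep -E 'scontext=[^ ]*:squid_t:'
}

# One line per distinct (comm, target type, object class, permission), with a
# count in front: what the generated .te would have to allow.
summarize_denials() {
    awk '{
        comm = tclass = ttype = perm = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{")           perm   = $(i + 1)
            if ($i ~ /^comm=/)       comm   = substr($i, 6)
            if ($i ~ /^tclass=/)     tclass = substr($i, 8)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        gsub(/"/, "", comm)
        print comm, ttype, tclass, perm
    }' | sort | uniq -c | sort -rn
}

# Constructed sample: two ssl_crtd denials as quoted in the mail, the SYSCALL
# record that goes with the first one, and an unrelated httpd denial.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1386721165.548:990): avc:  denied  { write } for  pid=6689 comm="ssl_crtd" name="size" dev=sda3 ino=395149 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1386721165.548:990): arch=c000003e syscall=2 success=no exit=-13 comm="ssl_crtd" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1386721165.548:991): avc:  denied  { write } for  pid=6689 comm="ssl_crtd" name="certs" dev=sda3 ino=395148 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1386721200.100:995): avc:  denied  { name_connect } for  pid=7001 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

count_squid_denials() { squid_avc_denials | wc -l | tr -d ' '; }

# Stand-alone demo. For real use replace sample_audit_log with the audit log:
#   cat /var/log/audit/audit.log | squid_avc_denials | audit2allow -M squid_local
# and read squid_local.te before running semodule -i squid_local.pp.
sample_audit_log | squid_avc_denials | summarize_denials
```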
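For the request at the top of the mail (verify that the CA certificate and the SSL certificate fit together), an added shell check that is not code from the mail or from Squid: it runs openssl verify, prints the key usage extensions that Firefox's sec_error_inadequate_key_usage refers to, and reports whether the leaf carries the CA's own RSA modulus (the two certificates quoted in the mail share one). The file names are assumptions; make_test_pair generates a constructed CA/leaf pair on the fly so the demo runs offline.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Answers "do the CA
# certificate and the server certificate fit together?" the way a browser
# would judge it: does the chain verify, what do the CA's and the leaf's
# key usage extensions say, and does the leaf reuse the CA's RSA key.
# File names are assumptions; make_test_pair builds constructed test data.

ext_value() {   # print the value line of one X509v3 extension: ext_value cert.pem 'X509v3 Key Usage'
    openssl x509 -in "$1" -noout -text | grep -A1 "$2" | tail -n 1 | sed 's/^ *//'
}

check_chain() {   # usage: check_chain ca.pem leaf.pem ; exit 0 = consistent pair
    ca=$1; leaf=$2
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "chain: leaf does NOT verify against this CA"; return 1
    fi
    echo "chain: OK"
    echo "CA   keyUsage: $(ext_value "$ca"   'X509v3 Key Usage')"
    echo "leaf keyUsage: $(ext_value "$leaf" 'X509v3 Key Usage')"
    echo "leaf EKU:      $(ext_value "$leaf" 'Extended Key Usage')"
    echo "leaf SAN:      $(ext_value "$leaf" 'Subject Alternative Name')"
    # A leaf carrying the CA's modulus means the CA private key is also the
    # server's TLS key: one compromise exposes both.
    if [ "$(openssl x509 -in "$ca" -noout -modulus)" = \
         "$(openssl x509 -in "$leaf" -noout -modulus)" ]; then
        echo "key: leaf REUSES the CA key pair"; return 2
    fi
    echo "key: leaf has its own key pair"
}

make_test_pair() {   # constructed test data; prints the directory it wrote to
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:test.example\n' >"$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=test.example" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # second leaf, signed by the CA but built on the CA's own key pair (the reuse case)
    openssl req -new -key "$d/ca.key" -out "$d/reuse.csr" -subj "/CN=test.example" 2>/dev/null
    openssl x509 -req -in "$d/reuse.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/reuse.pem" 2>/dev/null
    echo "$d"
}

# Stand-alone demo on the constructed pair; real use: check_chain ca.pem leaf.pem
d=$(make_test_pair) && check_chain "$d/ca.pem" "$d/leaf.pem"
```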
This archive was generated by hypermail 2.2.0 : Thu Dec 12 2013 - 12:00:04 MST