Re: [squid-users] Squid selinux audit review needed.

From: Pavel Kazlenka <pavel.kazlenka_at_measurement-factory.com>
Date: Mon, 10 Mar 2014 19:11:59 +0300

Hi Eliezer,

I'm pretty far from understanding selinux, but I have two suggestions
for you:
1) sealert tool can be used for getting human-readable output. E.g.

sealert -a /var/log/audit/audit.log > /path/to/mylogfile.txt
2) If you just want to start squid again and do not care about the
reasons for the problem, you can just follow
http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

Hope this will be helpful for you.

Best wishes,
Pavel

On 03/10/2014 04:34 PM, Eliezer Croitoru wrote:
> Since I am not a selinux expert and I am looking at a couple of issues, I am
> not sure what the issue is.
> I have a glusterfs squid machine as a client and then I restarted the
> squid instance.
> All of a sudden I got a "Permission Denied(13)" in the logs.
> I took an audit.log output for the time of server restarting.
> Please take a look at it.
> It may be related to fusefs?
>
> ##START
> tail /var/log/audit/audit.log -f
> type=AVC msg=audit(1394456998.422:4293): avc: denied { search } for
> pid=17578 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394456998.422:4293): arch=c000003e syscall=59
> success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8
> a3=376e018240 items=0 ppid=17577 pid=17578 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394456998.470:4294): avc: denied { getattr } for
> pid=17583 comm="squid" path="/mnt/gluster" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394456998.470:4294): arch=c000003e syscall=4
> success=no exit=-13 a0=254d830 a1=7fff24caccf0 a2=7fff24caccf0 a3=0
> items=0 ppid=17577 pid=17583 auid=0 uid=23 gid=23 euid=23 suid=0
> fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid"
> exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394456998.509:4295): avc: denied { search } for
> pid=17582 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394456998.509:4295): arch=c000003e syscall=2
> success=no exit=-13 a0=1bc4d30 a1=2 a2=1a4 a3=1 items=0 ppid=17577
> pid=17582 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394456998.591:4296): avc: denied { create } for
> pid=17579 comm="squid" name="coordinator.ipc"
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1394456998.591:4296): arch=c000003e syscall=49
> success=no exit=-13 a0=a a1=254f9ac a2=20 a3=98 items=0 ppid=17577
> pid=17579 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394456998.611:4297): avc: denied { search } for
> pid=17580 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394456998.611:4297): arch=c000003e syscall=2
> success=no exit=-13 a0=1375d30 a1=2 a2=1a4 a3=1 items=0 ppid=17577
> pid=17580 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394456998.625:4298): avc: denied { create } for
> pid=17582 comm="squid" name="kid-2.ipc"
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1394456998.625:4298): arch=c000003e syscall=49
> success=no exit=-13 a0=a a1=1ff4f0c a2=1a a3=98 items=0 ppid=17577
> pid=17582 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394456998.675:4299): avc: denied { create } for
> pid=17580 comm="squid" name="kid-3.ipc"
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
> type=SYSCALL msg=audit(1394456998.675:4299): arch=c000003e syscall=49
> success=no exit=-13 a0=a a1=17a5f0c a2=1a a3=98 items=0 ppid=17577
> pid=17580 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23
> fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457000.930:4300): avc: denied { search } for
> pid=17589 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457000.930:4300): arch=c000003e syscall=59
> success=no exit=-13 a0=7ffffc192040 a1=7ffffc18ffa0 a2=7ffffc1923a8
> a3=376e018240 items=0 ppid=17515 pid=17589 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457001.475:4301): avc: denied { search } for
> pid=17590 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457001.475:4301): arch=c000003e syscall=59
> success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8
> a3=376e018240 items=0 ppid=17577 pid=17590 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457001.601:4302): avc: denied { getattr } for
> pid=17591 comm="squid" path="/mnt/gluster" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457001.601:4302): arch=c000003e syscall=4
> success=no exit=-13 a0=2604830 a1=7fff2803ffd0 a2=7fff2803ffd0 a3=0
> items=0 ppid=17577 pid=17591 auid=0 uid=23 gid=23 euid=23 suid=0
> fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid"
> exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=USER_ACCT msg=audit(1394457001.778:4303): pid=17593 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_ACQ msg=audit(1394457001.778:4304): pid=17593 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=LOGIN msg=audit(1394457001.791:4305): login pid=17593 uid=0 old
> auid=4294967295 new auid=0 old ses=4294967295 new ses=634
> type=USER_START msg=audit(1394457001.794:4306): pid=17593 uid=0 auid=0
> ses=634 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=?
> addr=? terminal=cron res=success'
> type=CRED_DISP msg=audit(1394457001.874:4307): pid=17593 uid=0 auid=0
> ses=634 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=?
> addr=? terminal=cron res=success'
> type=USER_END msg=audit(1394457001.874:4308): pid=17593 uid=0 auid=0
> ses=634 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
> msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=?
> addr=? terminal=cron res=success'
> type=AVC msg=audit(1394457004.605:4309): avc: denied { search } for
> pid=17596 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457004.605:4309): arch=c000003e syscall=59
> success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8
> a3=376e018240 items=0 ppid=17577 pid=17596 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457004.642:4310): avc: denied { getattr } for
> pid=17597 comm="squid" path="/mnt/gluster" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457004.642:4310): arch=c000003e syscall=4
> success=no exit=-13 a0=26db830 a1=7fffe7c992e0 a2=7fffe7c992e0 a3=0
> items=0 ppid=17577 pid=17597 auid=0 uid=23 gid=23 euid=23 suid=0
> fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid"
> exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457007.646:4311): avc: denied { search } for
> pid=17599 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457007.646:4311): arch=c000003e syscall=59
> success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8
> a3=376e018240 items=0 ppid=17577 pid=17599 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457007.678:4312): avc: denied { getattr } for
> pid=17600 comm="squid" path="/mnt/gluster" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457007.678:4312): arch=c000003e syscall=4
> success=no exit=-13 a0=23af830 a1=7fff5a8c0670 a2=7fff5a8c0670 a3=0
> items=0 ppid=17577 pid=17600 auid=0 uid=23 gid=23 euid=23 suid=0
> fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid"
> exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457010.680:4313): avc: denied { search } for
> pid=17602 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457010.680:4313): arch=c000003e syscall=59
> success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8
> a3=376e018240 items=0 ppid=17577 pid=17602 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457010.714:4314): avc: denied { getattr } for
> pid=17603 comm="squid" path="/mnt/gluster" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457010.714:4314): arch=c000003e syscall=4
> success=no exit=-13 a0=2065830 a1=7fffaef4cf80 a2=7fffaef4cf80 a3=0
> items=0 ppid=17577 pid=17603 auid=0 uid=23 gid=23 euid=23 suid=0
> fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid"
> exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=AVC msg=audit(1394457013.717:4315): avc: denied { search } for
> pid=17606 comm="squid" name="/" dev="fuse" ino=1
> scontext=unconfined_u:system_r:squid_t:s0
> tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1394457013.717:4315): arch=c000003e syscall=59
> success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8
> a3=376e018240 items=0 ppid=17577 pid=17606 auid=0 uid=23 gid=23 euid=0
> suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none)
> comm="squid" exe="/usr/sbin/squid"
> subj=unconfined_u:system_r:squid_t:s0 key=(null)
> type=CRYPTO_SESSION msg=audit(1394457058.505:4316): pid=11244 uid=0
> auid=0 ses=388 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=start direction=from-client cipher=aes256-ctr ksize=256
> spid=11244 suid=0 rport=52477 laddr=192.168.10.111 lport=22
> exe="/usr/sbin/sshd" hostname=? addr=192.168.10.125 terminal=?
> res=success'
> type=CRYPTO_SESSION msg=audit(1394457058.506:4317): pid=11244 uid=0
> auid=0 ses=388 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=start direction=from-server cipher=aes256-ctr ksize=256
> spid=11244 suid=0 rport=52477 laddr=192.168.10.111 lport=22
> exe="/usr/sbin/sshd" hostname=? addr=192.168.10.125 terminal=?
> res=success'
> type=CRYPTO_KEY_USER msg=audit(1394457058.684:4318): pid=11244 uid=0
> auid=0 ses=388 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=destroy kind=session fp=? direction=from-client spid=11244
> suid=0 rport=52477 laddr=192.168.10.111 lport=22 exe="/usr/sbin/sshd"
> hostname=? addr=192.168.10.125 terminal=? res=success'
> type=CRYPTO_KEY_USER msg=audit(1394457058.836:4319): pid=11244 uid=0
> auid=0 ses=388 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='op=destroy kind=session fp=? direction=from-server spid=11244
> suid=0 rport=52477 laddr=192.168.10.111 lport=22 exe="/usr/sbin/sshd"
> hostname=? addr=192.168.10.125 terminal=? res=success'
> ##END
>
> Eliezer
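Added example, not part of the thread and not a Squid or SELinux project tool: a small Python 3 parser for the audit.log format quoted above. sealert gives the maintained, human-readable explanation; this script only does the triage that is useful before reading it, namely joining each AVC record with the SYSCALL record that shares its audit serial (so exe, syscall number and exit code sit next to the denial) and counting denials by source type, target type, object class and permission. The sample input is constructed from records in the quoted excerpt, rejoined onto single lines because the mail client wrapped them, plus one crond record to show that non-AVC noise is ignored. The errno mapping uses Python's errno module; everything else is plain regex parsing.

```python
import errno
import re
from collections import Counter, defaultdict

# Constructed sample input: records from the audit.log excerpt quoted in the
# thread, rejoined onto single lines (the mail client wrapped them), plus one
# unrelated crond record to show that non-AVC noise is ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1394456998.422:4293): avc: denied { search } for pid=17578 comm="squid" name="/" dev="fuse" ino=1 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1394456998.422:4293): arch=c000003e syscall=59 success=no exit=-13 a0=7fffeb15b980 a1=7fffeb1598e0 a2=7fffeb15bce8 a3=376e018240 items=0 ppid=17577 pid=17578 auid=0 uid=23 gid=23 euid=0 suid=0 fsuid=0 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1394456998.470:4294): avc: denied { getattr } for pid=17583 comm="squid" path="/mnt/gluster" dev="fuse" ino=1 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=SYSCALL msg=audit(1394456998.470:4294): arch=c000003e syscall=4 success=no exit=-13 a0=254d830 a1=7fff24caccf0 a2=7fff24caccf0 a3=0 items=0 ppid=17577 pid=17583 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1394456998.591:4296): avc: denied { create } for pid=17579 comm="squid" name="coordinator.ipc" scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1394456998.591:4296): arch=c000003e syscall=49 success=no exit=-13 a0=a a1=254f9ac a2=20 a3=98 items=0 ppid=17577 pid=17579 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 ses=388 tty=(none) comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=USER_ACCT msg=audit(1394457001.778:4303): pid=17593 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""

# Every audit record starts with: type=<TYPE> msg=audit(<timestamp>:<serial>):
HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# AVC body: avc: denied { perm [perm ...] } for key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted, single-quoted or bare tokens
KV_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def parse_kv(text):
    """Turn 'pid=1 comm="squid" key=(null)' into a dict, dropping quotes."""
    return {k: v.strip("\"'") for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """'unconfined_u:system_r:squid_t:s0' -> 'squid_t' (the type field)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def errno_name(exit_value):
    """SYSCALL exit=-13 -> 'EACCES', the errno squid logs as 'Permission Denied(13)'."""
    try:
        code = -int(exit_value)
    except (TypeError, ValueError):
        return "?"
    return errno.errorcode.get(code, str(code))


def parse_audit(text):
    """Group records by audit serial and keep only events carrying an AVC denial.

    AVC and SYSCALL records of one event share the (timestamp:serial) id, so
    joining on the serial attaches exe/syscall/exit to each denial.
    """
    events = defaultdict(lambda: {"avc": [], "syscall": None})
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        serial = int(m.group("serial"))
        if m.group("type") == "AVC":
            a = AVC_RE.match(m.group("rest"))
            if not a:
                continue  # 'granted' records or an unexpected shape: skip
            fields = parse_kv(a.group("rest"))
            fields["perms"] = a.group("perms").split()
            fields["ts"] = float(m.group("ts"))
            events[serial]["avc"].append(fields)
        elif m.group("type") == "SYSCALL":
            events[serial]["syscall"] = parse_kv(m.group("rest"))
    return {s: e for s, e in events.items() if e["avc"]}


def summarize(events):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for event in events.values():
        for avc in event["avc"]:
            for perm in avc["perms"]:
                counts[(context_type(avc["scontext"]),
                        context_type(avc["tcontext"]),
                        avc["tclass"], perm)] += 1
    return counts


def describe(events):
    """One human-readable line per denial, joined with its SYSCALL record."""
    lines = []
    for serial in sorted(events):
        sc = events[serial]["syscall"] or {}
        for avc in events[serial]["avc"]:
            target = avc.get("path") or avc.get("name", "?")
            dev = f" on dev={avc['dev']}" if "dev" in avc else ""
            lines.append(
                f"{serial}: {avc.get('comm', '?')} exe={sc.get('exe', '?')} "
                f"syscall={sc.get('syscall', '?')} -> {errno_name(sc.get('exit'))}: "
                f"denied {','.join(avc['perms'])} on {avc['tclass']} {target}{dev} "
                f"[{context_type(avc['scontext'])} -> {context_type(avc['tcontext'])}]"
            )
    return lines


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for line in describe(evs):
        print(line)
    print()
    for key, n in summarize(evs).most_common():
        print(f"{n:3d}  {' '.join(key)}")
```

Run against the full excerpt (after rejoining the wrapped lines) the summary separates two independent problems: squid_t denied search and getattr on fusefs_t directories (the fuse mount at /mnt/gluster), and squid_t denied create of sock_file objects labelled var_run_t (the coordinator.ipc and kid-N.ipc sockets), which has nothing to do with fuse. The syscall numbers are per architecture; arch=c000003e is x86_64, where 59 is execve, 4 is stat, 2 is open and 49 is bind, which matches a restart in which the parent launches kids and each kid stats the cache directory and binds its IPC socket. exit=-13 is EACCES, the same "Permission Denied(13)" squid printed.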
Received on Mon Mar 10 2014 - 16:14:55 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 10 2014 - 12:00:05 MDT