Cd Chen's Services

ba ba ba la~~

Squid Server problem

Original problem: SELinux denied!
Summary
SELinux is preventing access to files with the default label, default_t.

Detailed Description
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.

Allowing Access
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information
Source Context: root:system_r:squid_t
Target Context: system_u:object_r:default_t
Target Objects: /data [ dir ]
Affected RPM Packages: squid-2.6.STABLE6-3.el5 [application]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.default
Host Name: server1.example.com
Platform: Linux server1.example.com 2.6.18-8.el5xen #1 SMP Fri Jan 26 14:42:21 EST 2007 i686 i686
Alert Count: 4
Line Numbers:

Raw Audit Messages :

avc: denied { getattr } for comm="squid" dev=md0 egid=23 euid=23 exe="/usr/sbin/squid" exit=-13 fsgid=23 fsuid=23 gid=23 items=0 name="/" path="/data" pid=4382 scontext=root:system_r:squid_t:s0 sgid=23 subj=root:system_r:squid_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=23
RPM check:
[root@server1 ~]# rpm -V squid-2.6.STABLE6-3.el5
S.5....T c /etc/squid/squid.conf
Modified content:
acl all src 0.0.0.0/0.0.0.0
acl example src 192.168.0.0/24
http_access allow example
http_access deny all
Because the content was modified, the file shows up as changed.
Question for the teacher:
The original RPM's files are all loaded from their original paths, yet this kind of problem appears.... /data? Is it an unrelated problem? /data is a directory created with raid0; why would squid go and read this directory's context?
Squid can still fetch data for users.....
Using chcon -t to change the context gets denied by SELinux... -_-! <typed the wrong context, so the change was refused>
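An added example, not part of the original post: a small POSIX shell helper that parses the AVC record quoted above, separates a labeling problem (target type default_t, which no confined domain is ever allowed to touch) from a real policy denial, and prints a persistent relabel. The sample AVC line is constructed from the alert above; squid_cache_t as the replacement type is an assumption for a Squid cache directory and must be checked against the local policy before use.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the alert, trimmed to the fields used here.
AVC_SAMPLE='avc: denied { getattr } for comm="squid" dev=md0 exe="/usr/sbin/squid" path="/data" pid=4382 scontext=root:system_r:squid_t:s0 tclass=dir tcontext=system_u:object_r:default_t:s0 uid=23'

# avc_field MSG KEY: print the value of KEY=value from an AVC line (quoted or bare).
# The leading [ ] anchors on a whole key, so "uid" never matches "euid" or "fsuid".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm MSG: print the denied permission(s) between the braces, e.g. "getattr".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated component) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_diagnose MSG: "labeling" when the target carries a placeholder type that no
# confined domain is allowed to use (default_t, unlabeled_t), "policy" otherwise.
# A labeling problem is fixed by relabeling the object, not by loosening policy.
avc_diagnose() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        default_t|unlabeled_t) echo labeling ;;
        *) echo policy ;;
    esac
}

# avc_suggest MSG TYPE: print the persistent relabel commands for the denied path.
# semanage records the rule, so restorecon and "touch /.autorelabel; reboot" keep
# the label; a bare chcon would be reverted by the next relabel.
avc_suggest() {
    p=$(avc_field "$1" path)
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$p"
    printf 'restorecon -Rv "%s"\n' "$p"
}

# Walk the sample: which domain was denied what on which object, and why.
printf 'source=%s target=%s class=%s perm=%s -> %s\n' \
    "$(ctx_type "$(avc_field "$AVC_SAMPLE" scontext)")" \
    "$(ctx_type "$(avc_field "$AVC_SAMPLE" tcontext)")" \
    "$(avc_field "$AVC_SAMPLE" tclass)" \
    "$(avc_perm "$AVC_SAMPLE")" \
    "$(avc_diagnose "$AVC_SAMPLE")"

# squid_cache_t is an ASSUMPTION for a Squid cache directory; confirm the right
# type for the local policy (seinfo -t, matchpathcon) before applying the rule.
[ "$(avc_diagnose "$AVC_SAMPLE")" = labeling ] && avc_suggest "$AVC_SAMPLE" squid_cache_t
```

The summary line reads source=squid_t target=default_t class=dir perm=getattr -> labeling, which is exactly the situation in the alert: the squid_t domain is fine, the directory simply has no real label. Relabeling through semanage plus restorecon also answers the last complaint in the post, since a hand-typed chcon with a wrong or temporary type is easy to get wrong and does not survive a relabel.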
