Hello Eliezer Croitoru, this is also to the OpenSSL mailing list, because can someone verify thatthe CA certificate and the SSL certificate fit together - the last section of this mail. (of course I can do this by myself, but here I want to opinion of a 3rd party)
I have the solution that worked at my system, to run SELinux with enforcing first you need to install a special package yum install policycoreutils-python then do this to filter the audit log: (at my system only squid entries are questionable, in case there are more programmes that can run only with SELinux turned off or setting to permissive, you must sort out these entries of course) cat /var/log/audit/audit.log | grep -v "success" > avc the next step to generate the policy file audit2allow -M avc < avc this generates avc.pp. with this do: semodule -i avc.pp that was it; (I'm not an expert I got just hints from my workmate) -- I found out something strange ... when using the .repo files here ... http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOSthe package http://software.opensuse.org/download.html?project=home%3Aairties%3Aserver&package=squid3
gives this error, when installing with 'yum install squid3'
Error: Package: squid3-3.3.8-6.1.x86_64 (home_airties_server)
Requires: perl(Authen::Smb)
the other packages require the epel repo to be installed before ...
but how can I install squid 3.3?
there is only the question if its ok to install 7:squid-3.4.0-3-1...
I tried this
yum install
http://www1.ngtech.co.il/rpm/centos/6/x86_64/squid-3.3.11-1.el6.x86_64.rpm
and it worked ..., with SELinux=permissive and also with the above with
SELinux=enforcing
the only question: how to use a parent proxy with both of the following ... cache_peer #ip# 3128 0 proxy-only never_direct allow all and ssl_bump server-first all always_direct allow all ..., conflicting a little bit ...? with other words, how to use a parent proxy while doing ssl-bump?(the firewall blocks direkt access of this proxy, only the parent proxy has access to the internet)
-- my squid.conf has the default entries plus (here without parent proxy) <squid.conf> ssl_bump server-first all # these will be adapted to my needs, here for testing only sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB sslcrtd_children 5 always_direct allow allhttp_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2
</squid.conf>I'm using no caching directory, this should be the work of the parent proxy ..., the squid.pem is shown below:
the purpose of this server is just doing smart filtering on HTTPS; --can please someone tell me why I get in FF (in an old 3.6 and in an relatively actual one 24.2esr)
This Connection is Untrusted www.google.nl uses an invalid security certificate.The certificate is not trusted because it was issued by an invalid CA certificate.
(Error code: sec_error_inadequate_key_usage)only for urls that are shown in the Subject alternative name of the attached SSL certificate
and result in this certificate ...? and this is only with FF, not with IE and not with Google Chrome itself ... all other SSL sites work well ... --when I talk about I server, it is of course just a virtual machine on my computer, of these I have a few:
- mail server - dns server - proxy server (with caching and smart filtering for non-https) - ... Thanks, Walter --[ audit.log extract ]--type=AVC msg=audit(1386721165.548:990): avc: denied { write } for pid=6689 co mm="ssl_crtd" name="size" dev=sda3 ino=395149 scontext=unconfined_u:system_r:squ
id_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=filetype=AVC msg=audit(1386721165.548:991): avc: denied { write } for pid=6689 co mm="ssl_crtd" name="certs" dev=sda3 ino=395148 scontext=unconfined_u:system_r:sq
uid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dirtype=AVC msg=audit(1386721165.548:991): avc: denied { remove_name } for pid=6 689 comm="ssl_crtd" name="79B5336452F44EE14155FEF0042BCA6C6A1AFC12.pem" dev=sda3 ino=395199 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:obje
ct_r:var_lib_t:s0 tclass=dirtype=AVC msg=audit(1386721165.548:991): avc: denied { unlink } for pid=6689 c omm="ssl_crtd" name="79B5336452F44EE14155FEF0042BCA6C6A1AFC12.pem" dev=sda3 ino= 395199 scontext=unconfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:
var_lib_t:s0 tclass=filetype=AVC msg=audit(1386721165.550:992): avc: denied { add_name } for pid=6689 comm="ssl_crtd" name="58481355CE5F10BBF9DF4CD4B99692BC308E4D42.pem" scontext=un confined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclas
s=dirtype=AVC msg=audit(1386721165.550:992): avc: denied { create } for pid=6689 c omm="ssl_crtd" name="58481355CE5F10BBF9DF4CD4B99692BC308E4D42.pem" scontext=unco nfined_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=
file
--[ squid.pem ]--
the private key here is no problem, because its only testing purpose;
the final working squid server gets other certificates ...
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD1Gf2qk287rvKpwEhyZtyiycvl6C9ZsvLHMKygimTqzoiGrIO4
tbw1bqAZcCju1P0HAXXjFmdVW8WPs6rg2uXtsBEiO9/1gQ6ji6/Kl8yEhyRVXRcH
VMuzx9dSAE4IJzaXNgSqqmHNoacxHZICV7GPaxBqVvflGyJqcc0KDD8MQwIDAQAB
AoGAGExQUnW1RERuuBdg1z6NRvIcbZlcAFd2K/sOUggGQyTgcgFuOYSCuQVTh9IP
rMWeo/AoILAa5GJprnpQSWRKANmUw43Vqj3EzZJMglRhUFUZnNYaC1jWGa3C9os5
n8TAqqnYZtcHdiD/wykI33aK7kOfccxMmlUXyJVqbkEsucECQQD+MrytFio3CfZ9
wZ9Oli3wWujPa8PfSZDnA4EYV0HiWAcYzkaYhX0GtGcjrpB/fHHF/jzQpF+p3dcr
uYHNTAejAkEA9ta/SzQtvVk4k2JsB3aJZv5OGzVkXXR7ijvyE2srrU8ez5Yc2hgA
/lOYale9/mmluGPNyTdm9Oh220E2ij+y4QJBAJ/mOItEew+eI8CdcGGV1JXyCaqY
ZmDpvM2khatTEC2aI/S1pPDCX5A9IPfwEhMvq73ZHFY+X7LRyk1F5uHGJrMCQGSg
hRmGawMfBUZoQDwGodsf3v2OlZzXqKlg6L3r2cFsWNYtjxOF55nGwILRxD2cGhgC
b9kQweMjhZi6jB5t+2ECQQCDzLY91w+JgOS2HasRm2DUHo67shRfwmWfFdl1vAs5
Q0ysK1EsBuIQxRLVyBCBqEWZDGTFJMlq8ShfRskD28jz
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICZzCCAdCgAwIBAgIBETANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwItLTEQ
MA4GA1UEChMHU29tZU9yZzEUMBIGA1UECxMLU29tZU9yZ1VuaXQxEDAOBgNVBAMT
B1Jvb3QgQ0EwHhcNNzAwMTAxMDAwMDAwWhcNMzQxMjMxMjM1OTU5WjBHMQswCQYD
VQQGEwItLTEQMA4GA1UEChMHU29tZU9yZzEUMBIGA1UECxMLU29tZU9yZ1VuaXQx
EDAOBgNVBAMTB1Jvb3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPUZ
/aqTbzuu8qnASHJm3KLJy+XoL1my8scwrKCKZOrOiIasg7i1vDVuoBlwKO7U/QcB
deMWZ1VbxY+zquDa5e2wESI73/WBDqOLr8qXzISHJFVdFwdUy7PH11IATggnNpc2
BKqqYc2hpzEdkgJXsY9rEGpW9+UbImpxzQoMPwxDAgMBAAGjYzBhMA8GA1UdEwEB
/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTea3zoMP5FWNxG50df
7Hbnid5sBjAfBgNVHSMEGDAWgBTea3zoMP5FWNxG50df7Hbnid5sBjANBgkqhkiG
9w0BAQUFAAOBgQC2XuM7jij2ujgNDipMLcUE/Tlpg8IeKZThl2cLWUT0RtHW2CHK
hIKOlCMP2xMB3EMbTGSc7p5DMA5P4CcF6PsTfKxl7pAn6uDgWHk3e52imgHs7Q1G
9buVgx3NHrKrbtEGE9vt1QAh8TnLo6LEPAkHCECCeS5gMG4IZpATNReCxQ==
-----END CERTIFICATE-----
--[ SSL certificate ]--
Certificate:
...
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.google.com, DNS:*.android.com,
DNS:*.appengine.google.com,
DNS:*.cloud.google.com, DNS:*.google-analytics.com, DNS:*.google.ca,
DNS:*.goog
le.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk,
DNS:*.google.
com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co,
DNS:*.goo
gle.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de,
DNS:*.goo
gle.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it,
DNS:*.google.nl, DNS:
*.google.pl, DNS:*.google.pt, DNS:*.googleapis.cn,
DNS:*.googlecommerce.com, DNS
:*.gstatic.com, DNS:*.urchin.com, DNS:*.url.google.com,
DNS:*.youtube-nocookie.c
om, DNS:*.youtube.com, DNS:*.youtubeeducation.com, DNS:*.ytimg.com,
DNS:android.
com, DNS:g.co, DNS:goo.gl, DNS:google-analytics.com, DNS:google.com,
DNS:googlec
ommerce.com, DNS:urchin.com, DNS:youtu.be, DNS:youtube.com,
DNS:youtubeeducation
.com ... -----BEGIN CERTIFICATE----- MIIFPTCCBKagAwIBAgIUPXX9MOspr8vFn1yK/75ufujyNyMwDQYJKoZIhvcNAQEF BQAwRzELMAkGA1UEBhMCLS0xEDAOBgNVBAoTB1NvbWVPcmcxFDASBgNVBAsTC1Nv bWVPcmdVbml0MRAwDgYDVQQDEwdSb290IENBMB4XDTEzMTEyMDE1MTMzNloXDTE0 MDMyMDAwMDAwMFowZjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxEzARBgNVBAoMCkdvb2dsZSBJbmMxFTAT BgNVBAMMDCouZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA 9Rn9qpNvO67yqcBIcmbcosnL5egvWbLyxzCsoIpk6s6IhqyDuLW8NW6gGXAo7tT9 BwF14xZnVVvFj7Oq4Nrl7bARIjvf9YEOo4uvypfMhIckVV0XB1TLs8fXUgBOCCc2 lzYEqqphzaGnMR2SAlexj2sQalb35RsianHNCgw/DEMCAwEAAaOCAwUwggMBMIIC wwYDVR0RBIICujCCAraCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lkLmNvbYIWKi5h cHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29tghYqLmdvb2ds ZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29v Z2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29v Z2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyou Z29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKC DyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdv b2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIIL Ki5nb29nbGUucGyCCyouZ29vZ2xlLnB0gg8qLmdvb2dsZWFwaXMuY26CFCouZ29v Z2xlY29tbWVyY2UuY29tgg0qLmdzdGF0aWMuY29tggwqLnVyY2hpbi5jb22CECou dXJsLmdvb2dsZS5jb22CFioueW91dHViZS1ub2Nvb2tpZS5jb22CDSoueW91dHVi ZS5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CCyoueXRpbWcuY29tggthbmRy b2lkLmNvbYIEZy5jb4IGZ29vLmdsghRnb29nbGUtYW5hbHl0aWNzLmNvbYIKZ29v Z2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tggp1cmNoaW4uY29tggh5b3V0dS5i ZYILeW91dHViZS5jb22CFHlvdXR1YmVlZHVjYXRpb24uY29tMAsGA1UdDwQEAwIH gDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAN BgkqhkiG9w0BAQUFAAOBgQA4xQFls1FpUScdCmifTkWCrjNrgUCbL56im1/9vSqM P8IplBopOikz3VnxBsyUVaR/yt8zzm158zYdIpA/rOX0WukwO4pAUoi6aw6Q+FoD ZG+3Qe0b7a22Mqgl45OlfljrAMfouvapjx8OA9COSM/2k2TtRnlEy7D929O2H6J6 CQ== -----END CERTIFICATE----- On 09.12.2013 06:30, Eliezer Croitoru wrote:
Hey Walter, I do not know yet of a way to get SELinux work with squid nicely. I do know it can be done with enough knowledge and couple additions.If anyone is a SELinux expert or just can find the appropriate way of handling squid conflicts with SELinux I would be happy to try to push these into the RPMs.For now the suggestion is to use selinux policy to permissive while on most squid systems(dedicated) you wont force selinux but I am still not sure why.Fedora has some docs about it:http://docs.fedoraproject.org/en-US/Fedora/13/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.htmlThis setting direction policy will might help something: setsebool -P squid_connect_any 1 And at redhat couple notes:https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/chap-Managing_Confined_Services-Squid_Caching_Proxy.htmlCan you share the errors you see in logs? either squid logs or messages log?Are you using a cache_dir ?There is also a demonstration on how to create a selinux module\policy fro qlproxy: http://sichent.wordpress.com/2011/05/10/build-selinux-policy-for-your-next-daemon-part-1/I hope it helps. Eliezer On 08/12/13 22:34, Walter H. wrote:Hello, I have the ident problem as here: http://comments.gmane.org/gmane.comp.web.squid.general/99601 SELinux=enforcing prevents running squid ... my system: a CentOS 6.5, squid-3.3.11 ./configure --enable-ssl --enable-ssl-crtd --disable-htcp --disable-eui --disable-snmp --enable-useragent-log --enable-referer-log --enable-cachemgr-hostname=localhost --prefix=/usr --includedir=/usr/include --datadir=/usr/share --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --with-dl --with-openssl --with-pthreads --with-logdir=/var/log/squid --with-default-user=squid can someone give me a hint, what to do? by the way, the binary packages from here: http://wiki.squid-cache.org/SquidFaq/BinaryPackages#CentOS have the same problem ... Thanks, Walter
smime.p7s
Description: S/MIME Cryptographic Signature
