Re: SELinux security alert/Squid -
On 09/02/10 09:46, Daniel J Walsh wrote:
> yum update setroubleshoot\* --enablerepo=updates-testing
>

Ok, I have done that on this computer and will see what happens after the next re-boot. Will try it on another computer [box9] also displaying the "SELinux security alert" but with a different complaint:

Summary:

SELinux is preventing /usr/bin/gs "setattr" access on /var/cache/fontconfig.

Detailed Description:

SELinux denied access requested by gs. It is not expected that this access is required by gs and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Usually I am hardly aware that SELinux is working, just the past few days with this notice.

Thanks.

Bob
--
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: SELinux security alert/Squid -
On 02/09/2010 04:43 AM, Bob Goodwin wrote:
> On 09/02/10 02:17, Tim wrote:
>> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>>
>>> squid_connect_any --> off
>>>
>> Probably not a good idea, the setting's there as an aid to protect you
>> against maliciousness. If you want to add exceptions, that's a better
>> idea than just letting anything through.
>>
>> I'd make an educated guess that the original poster hadn't tried to
>> connect to an alternative port, while going through their proxy, before.
>>
> Well then should it not be possible to tell SELinux that this particular
> connection is acceptable? To me it is vital, I need to control system
> usage and that's where I get my usage data! The problem is minor and
> doesn't warrant disabling SELinux in any way, I only see it upon
> rebooting, usually around 04:00 which is my habit. But the "star" is
> there again this morning.
>
> As a result I have once more done [as su/root]: setsebool -P
> squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30
> seconds and shows a lot of cpu activity while doing it so I know
> something is happening.
>
> The security alert, generated at this morning's boot:
>
> Summary:
>
> SELinux is preventing the squid daemon from connecting to network
> port 8180
>
> Detailed Description:
>
> [squid has a permissive type (squid_t). This access was not denied.]
>
> SELinux has denied the squid daemon from connecting to 8180. By
> default squid policy is setup to deny squid connections. If you did
> not setup squid to network connections, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> If you want squid to connect to network ports you need to turn on the
> squid_connect_any boolean: "setsebool -P squid_connect_any=1"
>
> Fix Command:
>
> setsebool -P squid_connect_any=1
>
> Additional Information:
>
> Source Context                system_u:system_r:squid_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ tcp_socket ]
> Source                        squid
> Source Path                   /usr/sbin/squid
> Port                          8180
> Host                          box6
> Source RPM Packages           squid-3.1.0.15-2.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-78.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   squid_connect_any
> Host Name                     box6
> Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count                   33
> First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
> Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
> Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
>

Another option would be to identify port 8180 as an http port.

semanage port -a -t http_port_t -p tcp 8180

would label this port http_port_t and squid would be allowed to connect to this port without setting the boolean.
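As an added example (not part of the thread, and not code from Fedora or setroubleshoot), the script below takes the two raw audit records quoted in the alert above, copied in as sample input, pairs the AVC record with its SYSCALL record by the audit(ts:serial) id, and reports two things the alert text only hints at: whether the denial was actually enforced (a denied AVC whose SYSCALL says success=yes means the squid_t domain is permissive and the connect went through, which is why the alert says the access was not denied), and which of the two fixes discussed in the thread is the narrower one. The triage rule (a name_connect denial against a port_t target from squid_t means relabel that one port as http_port_t; otherwise fall back to the boolean) is an assumption of this example, not something setroubleshoot does, and it only knows the squid policy.

```python
"""Triage a raw AVC event and pick the narrowest fix for a squid denial.

Added example, not code from the thread or from setroubleshoot. The two audit
records below are copied from the alert quoted in the thread and used as
sample input; the triage rules are assumptions stated in the comments.
"""
import re

# Sample input: the two raw audit records quoted in the alert above.
SAMPLE_AUDIT = """\
node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
"""

MSG_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def parse_records(text):
    """Group audit records by event serial -> {serial: {record_type: fields}}.

    The AVC and SYSCALL records of one event share the audit(ts:serial) id,
    which is what lets us pair the denial with the syscall's outcome.
    """
    events = {}
    for line in text.splitlines():
        ident = MSG_ID_RE.search(line)
        if not ident:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            avc = AVC_RE.search(line)
            if avc:
                fields["decision"] = avc.group("decision")
                fields["perms"] = avc.group("perms").split()
        events.setdefault(ident.group("serial"), {})[fields.get("type")] = fields
    return events


def type_of(context):
    """'system_u:system_r:squid_t:s0' -> 'squid_t' (third field of a label)."""
    return context.split(":")[2]


def analyze(event):
    """Summarize one event; return None if it carries no AVC denial."""
    avc = event.get("AVC")
    if not avc or avc.get("decision") != "denied":
        return None
    syscall = event.get("SYSCALL", {})
    return {
        "source_type": type_of(avc["scontext"]),
        "target_type": type_of(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "port": int(avc["dest"]) if "dest" in avc else None,
        # A denied AVC whose paired SYSCALL reports success=yes means the kernel
        # logged the denial but let the call through: the source domain (or the
        # whole system) is permissive. That is what the alert's bracketed line
        # "[squid has a permissive type (squid_t). This access was not denied.]"
        # is reporting.
        "enforced": syscall.get("success") != "yes",
    }


def recommend(info):
    """Pick the narrowest fix for a squid_t denial (assumption: squid policy only).

    A name_connect denial against port_t means the port carries the default,
    unclaimed label. Giving that one port a type squid may already connect to
    (http_port_t) is narrower than squid_connect_any, which opens every port.
    `semanage port -a` fails if the port already has a non-default label; use
    `-m` to modify it in that case.
    """
    if info["source_type"] != "squid_t":
        return None
    if (info["tclass"] == "tcp_socket" and "name_connect" in info["perms"]
            and info["target_type"] == "port_t" and info["port"] is not None):
        return f"semanage port -a -t http_port_t -p tcp {info['port']}"
    return "setsebool -P squid_connect_any=1"


def triage(text):
    """Return [(serial, info, fix)] for every denial in the audit text."""
    out = []
    for serial, event in parse_records(text).items():
        info = analyze(event)
        if info:
            out.append((serial, info, recommend(info)))
    return out


if __name__ == "__main__":
    for serial, info, fix in triage(SAMPLE_AUDIT):
        state = "enforced" if info["enforced"] else "NOT enforced (permissive domain)"
        print(f"event {serial}: {info['source_type']} -> {info['target_type']} "
              f"{info['tclass']} {{ {' '.join(info['perms'])} }} port {info['port']}: {state}")
        print(f"  narrowest fix: {fix}")
```

Run it as-is against the embedded records, or feed it the output of `ausearch -m avc -m syscall` on a real box; a real feed will contain many events, and the pairing by serial is what keeps one connect()'s outcome from being attributed to another event's denial.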
Re: SELinux security alert/Squid -
On 02/09/2010 08:01 AM, Bob Goodwin wrote:
> On 09/02/10 07:36, Tim wrote:
>> On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
>>
>>> I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
>>> list and that seems to satisfy an access problem I didn't know I
>>> had.
>>>
>> If that's your only need to access an unusual port, then bypassing the
>> proxy would be a good solution. There's not going to be a real need for
>> a caching proxy between your browser and one site to check your account.
>> In fact, going through a caching proxy when you want to see fresh pages
>> can be a problem, in itself, if the site has bad expiry time settings.
>>
>> If you *needed* to go through a proxy (e.g. all your traffic had to go
>> through a proxy, or lots of LAN users were browsing the same resource,
>> and it was costing you bandwidth), then you would want to fix up your
>> proxy to work.
>>
> Ok, that sounds reasonable, but despite setting "no proxy for" I
> still see the security alert?
>
> Bob
>
> --
>

There is a bug in setroubleshoot that is showing all alerts as new on login. You might be seeing this.

Fixed in setroubleshoot-2.2.63-1.fc12

yum update setroubleshoot\* --enablerepo=updates-testing
Re: SELinux security alert/Squid -
On 09/02/10 07:36, Tim wrote:
> On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
>
>> I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
>> list and that seems to satisfy an access problem I didn't know I
>> had.
>>
> If that's your only need to access an unusual port, then bypassing the
> proxy would be a good solution. There's not going to be a real need for
> a caching proxy between your browser and one site to check your account.
> In fact, going through a caching proxy when you want to see fresh pages
> can be a problem, in itself, if the site has bad expiry time settings.
>
> If you *needed* to go through a proxy (e.g. all your traffic had to go
> through a proxy, or lots of LAN users were browsing the same resource,
> and it was costing you bandwidth), then you would want to fix up your
> proxy to work.
>

Ok, that sounds reasonable, but despite setting "no proxy for" I still see the security alert?

Bob

--
Re: SELinux security alert/Squid -
On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
> I just added "myaccount.wildblue.net" to the Firefox "no proxy for"
> list and that seems to satisfy an access problem I didn't know I
> had.

If that's your only need to access an unusual port, then bypassing the proxy would be a good solution. There's not going to be a real need for a caching proxy between your browser and one site to check your account. In fact, going through a caching proxy when you want to see fresh pages can be a problem, in itself, if the site has bad expiry time settings.

If you *needed* to go through a proxy (e.g. all your traffic had to go through a proxy, or lots of LAN users were browsing the same resource, and it was costing you bandwidth), then you would want to fix up your proxy to work.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: SELinux security alert/Squid -
On 09/02/10 02:17, Tim wrote:
> On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
>
>> squid_connect_any --> off
>>
> Probably not a good idea, the setting's there as an aid to protect you
> against maliciousness. If you want to add exceptions, that's a better
> idea than just letting anything through.
>
> I'd make an educated guess that the original poster hadn't tried to
> connect to an alternative port, while going through their proxy, before.
>

Well then should it not be possible to tell SELinux that this particular connection is acceptable? To me it is vital, I need to control system usage and that's where I get my usage data! The problem is minor and doesn't warrant disabling SELinux in any way, I only see it upon rebooting, usually around 04:00 which is my habit. But the "star" is there again this morning.

As a result I have once more done [as su/root]: setsebool -P squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30 seconds and shows a lot of cpu activity while doing it so I know something is happening.

The security alert, generated at this morning's boot:

Summary:

SELinux is preventing the squid daemon from connecting to network port 8180

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

SELinux has denied the squid daemon from connecting to 8180. By default squid policy is setup to deny squid connections. If you did not setup squid to network connections, this could signal a intrusion attempt.

Allowing Access:

If you want squid to connect to network ports you need to turn on the squid_connect_any boolean: "setsebool -P squid_connect_any=1"

Fix Command:

setsebool -P squid_connect_any=1

Additional Information:

Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          8180
Host                          box6
Source RPM Packages           squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   squid_connect_any
Host Name                     box6
Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   33
First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages

node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
Re: SELinux security alert/Squid -
On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:
> squid_connect_any --> off

Probably not a good idea, the setting's there as an aid to protect you against maliciousness. If you want to add exceptions, that's a better idea than just letting anything through.

I'd make an educated guess that the original poster hadn't tried to connect to an alternative port, while going through their proxy, before.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: SELinux security alert/Squid -
On 08/02/10 16:32, Daniel J Walsh wrote:
> On 02/08/2010 03:16 PM, Bob Goodwin wrote:
>
>> On 08/02/10 13:23, Daniel J Walsh wrote:
>>
>> .
>> Are you sure the boolean is turned on ?
>>
>> # getsebool squid_connect_any
>> squid_connect_any --> off
>>
>> Once you have set the boolean on it should stay that way permanently if
>> you use the -P flag
>>
>> # setsebool -P squid_connect_any 1
>>
>> --
>>
>> This is what I get:
>>
>> [b...@box6 ~]$ getsebool squid_connect_any
>> squid_connect_any --> on
>>
>> I guess that means it should work? It's not a big problem and only began
>> yesterday [after an update?] It just puts a warning star at the bottom
>> of my screen.
>>
>> Bob
>>
>> .--
>>
> Yes, this means that someone put a web site at 8180, and now squid wants to
> connect to it. SELinux was preventing it.
>

Yes my ISP. http://myaccount.wildblue.net:8180/

I just added "myaccount.wildblue.net" to the Firefox "no proxy for" list and that seems to satisfy an access problem I didn't know I had. Don't know if the SELinux alert resulted from that. I'll see what happens when I reboot tomorrow morning. One of the first things I do is check my usage via Firefox to be sure we are within limits.

Thanks.

Bob
--
Re: SELinux security alert/Squid -
On 02/08/2010 03:16 PM, Bob Goodwin wrote:
> On 08/02/10 13:23, Daniel J Walsh wrote:
>
> .
> Are you sure the boolean is turned on ?
>
> # getsebool squid_connect_any
> squid_connect_any --> off
>
> Once you have set the boolean on it should stay that way permanently if
> you use the -P flag
>
> # setsebool -P squid_connect_any 1
>
> --
>
> This is what I get:
>
> [b...@box6 ~]$ getsebool squid_connect_any
> squid_connect_any --> on
>
> I guess that means it should work? It's not a big problem and only began
> yesterday [after an update?] It just puts a warning star at the bottom
> of my screen.
>
> Bob
>
> .--
>

Yes, this means that someone put a web site at 8180, and now squid wants to connect to it. SELinux was preventing it.
Re: SELinux security alert/Squid -
On 08/02/10 13:23, Daniel J Walsh wrote:
.
Are you sure the boolean is turned on ?

# getsebool squid_connect_any
squid_connect_any --> off

Once you have set the boolean on it should stay that way permanently if you use the -P flag

# setsebool -P squid_connect_any 1

--

This is what I get:

[b...@box6 ~]$ getsebool squid_connect_any
squid_connect_any --> on

I guess that means it should work? It's not a big problem and only began yesterday [after an update?] It just puts a warning star at the bottom of my screen.

Bob

.--
Re: SELinux security alert/Squid -
On 02/08/2010 04:20 AM, Bob Goodwin wrote:
> Yesterday I began getting an "SELinux security alert" and Firefox began
> to operate erratically [became useless].
>
> I did "setsebool -P squid_connect_any=1" per the alert and Firefox began
> to work again, however now this morning I am getting a similar notice
> although it appears to be making an exception.
>
> Do I need to take some further action to satisfy SELinux or will I
> continue to get this notice until some future update?
>
> Bob
> .
>
> Summary:
>
> SELinux is preventing the squid daemon from connecting to
> network port 8180
>
> Detailed Description:
>
> [squid has a permissive type (squid_t). This access was not denied.]
>
> SELinux has denied the squid daemon from connecting to 8180. By
> default squid policy is setup to deny squid connections. If you did
> not setup squid to network connections, this could signal a intrusion
> attempt.
>
> Allowing Access:
>
> If you want squid to connect to network ports you need to turn on the
> squid_connect_any boolean: "setsebool -P squid_connect_any=1"
>
> Fix Command:
>
> setsebool -P squid_connect_any=1
>
> Additional Information:
>
> Source Context                system_u:system_r:squid_t:s0
> Target Context                system_u:object_r:port_t:s0
> Target Objects                None [ tcp_socket ]
> Source                        squid
> Source Path                   /usr/sbin/squid
> Port                          8180
> Host                          box6
> Source RPM Packages           squid-3.1.0.15-2.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-78.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   squid_connect_any
> Host Name                     box6
> Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
> Alert Count                   33
> First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
> Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
> Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
> Line Numbers
>
> Raw Audit Messages
>
> node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)
>

Are you sure the boolean is turned on ?

# getsebool squid_connect_any
squid_connect_any --> off

Once you have set the boolean on it should stay that way permanently if you use the -P flag

# setsebool -P squid_connect_any 1
SELinux security alert/Squid -
Yesterday I began getting an "SELinux security alert" and Firefox began to operate erratically [became useless].

I did "setsebool -P squid_connect_any=1" per the alert and Firefox began to work again, however now this morning I am getting a similar notice although it appears to be making an exception.

Do I need to take some further action to satisfy SELinux or will I continue to get this notice until some future update?

Bob
.

Summary:

SELinux is preventing the squid daemon from connecting to network port 8180

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

SELinux has denied the squid daemon from connecting to 8180. By default squid policy is setup to deny squid connections. If you did not setup squid to network connections, this could signal a intrusion attempt.

Allowing Access:

If you want squid to connect to network ports you need to turn on the squid_connect_any boolean: "setsebool -P squid_connect_any=1"

Fix Command:

setsebool -P squid_connect_any=1

Additional Information:

Source Context                system_u:system_r:squid_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        squid
Source Path                   /usr/sbin/squid
Port                          8180
Host                          box6
Source RPM Packages           squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-78.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   squid_connect_any
Host Name                     box6
Platform                      Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count                   33
First Seen                    Sun 07 Feb 2010 04:50:46 PM EST
Last Seen                     Sun 07 Feb 2010 05:08:58 PM EST
Local ID                      87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages

node=box6 type=AVC msg=audit(1265580538.758:20027): avc: denied { name_connect } for pid=1504 comm="squid" dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm="squid" exe="/usr/sbin/squid" subj=system_u:system_r:squid_t:s0 key=(null)

--