Re: [squid-users] SELINUX issue(confinedunconfined)
Hi, In permissive mode, you only get log, but selinux will not be active (it will not forbid unauthorized access). Usually you put selinux in permissive mode only in order to get all access denied log in audit.log in order to build policy module or adjust filecontexts. I suggest you to spend some time on selinux, it can realy increase the security of your proxy server. But you will need to build a policy module for squid_kerb_auth witch is not currently supported by selinux policy on redhat-like systems. What distrib do you use ? Tiery On Wed, May 19, 2010 at 6:17 AM, GIGO . gi...@msn.com wrote: Thank you i will give it a try. However i am also thinking of running SELinux in permissive mode for my proxy server. what do you say about it? regards, Bilal Date: Tue, 18 May 2010 15:00:05 +0200 From: tiery.de...@gmail.com To: gi...@msn.com CC: squid-users@squid-cache.org Subject: Re: [squid-users] SELINUX issue(confinedunconfined) okay, I have also worked on a similar project (squid/kerberos/selinux). I installed squid in /usr/local/squid but I had to modify /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my squid directory. /usr/local/squid/etc(/.*)? system_u:object_r:squid_conf_t:s0 /usr/local/squid/var/logs(/.*)? system_u:object_r:squid_log_t:s0 /usr/local/squid/share(/.*)? system_u:object_r:squid_conf_t:s0 /usr/local/squid/var/cache(/.*)? system_u:object_r:squid_cache_t:s0 /usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0 /usr/local/squid/var/logs/squid\.pid -- system_u:object_r:squid_var_run_t:s0 /usr/local/squid/libexec(/.*)? system_u:object_r:lib_t:s0 /usr/local/squid -d system_u:object_r:bin_t:s0 /usr/local/squid/var -d system_u:object_r:var_t:s0 Then restore context (with restorecon or .autorelabel and reboot). But i am not sure modifing this file is the best way. It you update your selinux policy, changement will not be persistent. I think it is better to build a selinux module for our squid. Tiery On Tue, May 18, 2010 at 2:34 PM, GIGO . wrote: Yes i am using a compiled version. I have used this command chcon -t unconfined_exec_t /usr/sbin/squid and its working now. Is this a security issue? regards, Bilal Date: Tue, 18 May 2010 14:26:06 +0200 From: tiery.de...@gmail.com To: squid-users@squid-cache.org Subject: Re: [squid-users] SELINUX issue(confinedunconfined) Hi, ps -Z = squid_t and getenforce = enforcing squid is started with selinux Redhat/centos platform: If squid is installed with yum, squid will be started with a squid_t selinux context. If you compile your squid and installed it, you will have to change squid files contexts manually. As i see you have squid_kerb_plugin, you should have compile you squid to support kerberos, no? --- For your problem: try to check selinux log: audit2allow -al or cat /var/log/audit/audit.log | audit2allow You can also try to restore selinux context for all squid files: restorecon -R /etc/squid restorecon -R /var/log/squid etc... or touch /.autorelabel and reboot Tiery On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote: Dear All, Your guidance is required. Please help. It looks that squid process run by default as a confined process whether its a compiled version or a version that come with the linux distro. It means that the squid software is SELINUX aware.Am i right? [r...@squidlhr ~]# ps -eZ | grep squid system_u:system_r:squid_t 3173 ? 00:00:00 squid system_u:system_r:squid_t 3175 ? 00:00:00 squid system_u:system_r:squid_t 3177 ? 00:00:00 squid system_u:system_r:squid_t 3179 ? 00:00:00 squid system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd it was successful before i changed the selinux to enforcing.Now i even cannot start squid process that access the parent at localhost(3128) manually even. The other process starts normally if i do manually. When running as an unconfined process by the following command the problem had resolved chcon -t unconfined_exec_t /usr/sbin/squid However it doesnot feel appropriate to me. Please guide me on this. I am starting squid with the following init script if it has something to do with the problem: #!/bin/sh # #my script case $1 in start) /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf #The below line is to automatically start apache with system startup /usr/sbin/httpd -k start #KRB5_KTNAME=/etc/squid/HTTP.keytab #export KRB5_KTNAME #KRB5RCACHETYPE=none #export KRB5RCACHETYPE ;; stop) /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf echo Shutting down squid secondary process /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf echo Shutting down squid main process # The below line is to automatically stop apache at system shutdown
Re: [squid-users] SELINUX issue(confinedunconfined)
Hi, ps -Z = squid_t and getenforce = enforcing squid is started with selinux Redhat/centos platform: If squid is installed with yum, squid will be started with a squid_t selinux context. If you compile your squid and installed it, you will have to change squid files contexts manually. As i see you have squid_kerb_plugin, you should have compile you squid to support kerberos, no? --- For your problem: try to check selinux log: audit2allow -al or cat /var/log/audit/audit.log | audit2allow You can also try to restore selinux context for all squid files: restorecon -R /etc/squid restorecon -R /var/log/squid etc... or touch /.autorelabel and reboot Tiery On Tue, May 18, 2010 at 9:47 AM, GIGO . gi...@msn.com wrote: Dear All, Your guidance is required. Please help. It looks that squid process run by default as a confined process whether its a compiled version or a version that come with the linux distro. It means that the squid software is SELINUX aware.Am i right? [r...@squidlhr ~]# ps -eZ | grep squid system_u:system_r:squid_t 3173 ? 00:00:00 squid system_u:system_r:squid_t 3175 ? 00:00:00 squid system_u:system_r:squid_t 3177 ? 00:00:00 squid system_u:system_r:squid_t 3179 ? 00:00:00 squid system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd it was successful before i changed the selinux to enforcing.Now i even cannot start squid process that access the parent at localhost(3128) manually even. The other process starts normally if i do manually. When running as an unconfined process by the following command the problem had resolved chcon -t unconfined_exec_t /usr/sbin/squid However it doesnot feel appropriate to me. Please guide me on this. I am starting squid with the following init script if it has something to do with the problem: #!/bin/sh # #my script case $1 in start) /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf #The below line is to automatically start apache with system startup /usr/sbin/httpd -k start #KRB5_KTNAME=/etc/squid/HTTP.keytab #export KRB5_KTNAME #KRB5RCACHETYPE=none #export KRB5RCACHETYPE ;; stop) /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf echo Shutting down squid secondary process /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf echo Shutting down squid main process # The below line is to automatically stop apache at system shutdown /usr/sbin/httpd -k stop ;; esac Thanking you regards, Bilal From: gi...@msn.com To: squid-users@squid-cache.org Date: Tue, 18 May 2010 06:02:35 + Subject: [squid-users] SELINUX issue Hi all, When i change SELINUX from permissive mode to Enforcing mode. My multiple instance setup fail to start. Please guide how to overcome this. ---Excerpts from cache.log- 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:51| Store rebuilding is 7.91% complete 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries) 2010/05/18 10:31:52| Finished rebuilding storage from disk. 2010/05/18 10:31:52| 51794 Entries scanned 2010/05/18 10:31:52| 0 Invalid entries. 2010/05/18 10:31:52| 0 With invalid flags. 2010/05/18 10:31:52| 51794 Objects loaded. 2010/05/18 10:31:52| 0 Objects expired. 2010/05/18 10:31:52| 0 Objects cancelled. 2010/05/18 10:31:52| 0 Duplicate URLs purged. 2010/05/18 10:31:52| 0 Swapfile clashes avoided. 2010/05/18 10:31:52| Took 1.13 seconds (45641.00 objects/sec). 2010/05/18 10:31:52| Beginning Validation Procedure 2010/05/18 10:31:52| Completed Validation Procedure 2010/05/18 10:31:52| Validated 103614 Entries 2010/05/18 10:31:52| store_swap_size = 913364 2010/05/18 10:31:52| storeLateRelease: released 0 objects 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| Detected DEAD Parent: 127.0.0.1 2010/05/18 10:31:52| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:52| Failed to select source for 'http://1.channel19.facebook.com/p' 2010/05/18 10:31:52| always_direct = 0 2010/05/18 10:31:52| never_direct = 1 2010/05/18 10:31:52| timedout = 0 2010/05/18 10:31:57| Failed to select source for 'http://0.channel19.facebook.cm
Re: [squid-users] SELINUX issue(confinedunconfined)
okay, I have also worked on a similar project (squid/kerberos/selinux). I installed squid in /usr/local/squid but I had to modify /etc/selinux/targeted/contexts/files/file_contexts and adapt it to my squid directory. /usr/local/squid/etc(/.*)? system_u:object_r:squid_conf_t:s0 /usr/local/squid/var/logs(/.*)? system_u:object_r:squid_log_t:s0 /usr/local/squid/share(/.*)?system_u:object_r:squid_conf_t:s0 /usr/local/squid/var/cache(/.*)?system_u:object_r:squid_cache_t:s0 /usr/local/squid/sbin/squid -- system_u:object_r:squid_exec_t:s0 /usr/local/squid/var/logs/squid\.pid-- system_u:object_r:squid_var_run_t:s0 /usr/local/squid/libexec(/.*)? system_u:object_r:lib_t:s0 /usr/local/squid-d system_u:object_r:bin_t:s0 /usr/local/squid/var-d system_u:object_r:var_t:s0 Then restore context (with restorecon or .autorelabel and reboot). But i am not sure modifing this file is the best way. It you update your selinux policy, changement will not be persistent. I think it is better to build a selinux module for our squid. Tiery On Tue, May 18, 2010 at 2:34 PM, GIGO . gi...@msn.com wrote: Yes i am using a compiled version. I have used this command chcon -t unconfined_exec_t /usr/sbin/squid and its working now. Is this a security issue? regards, Bilal Date: Tue, 18 May 2010 14:26:06 +0200 From: tiery.de...@gmail.com To: squid-users@squid-cache.org Subject: Re: [squid-users] SELINUX issue(confinedunconfined) Hi, ps -Z = squid_t and getenforce = enforcing squid is started with selinux Redhat/centos platform: If squid is installed with yum, squid will be started with a squid_t selinux context. If you compile your squid and installed it, you will have to change squid files contexts manually. As i see you have squid_kerb_plugin, you should have compile you squid to support kerberos, no? --- For your problem: try to check selinux log: audit2allow -al or cat /var/log/audit/audit.log | audit2allow You can also try to restore selinux context for all squid files: restorecon -R /etc/squid restorecon -R /var/log/squid etc... or touch /.autorelabel and reboot Tiery On Tue, May 18, 2010 at 9:47 AM, GIGO . wrote: Dear All, Your guidance is required. Please help. It looks that squid process run by default as a confined process whether its a compiled version or a version that come with the linux distro. It means that the squid software is SELINUX aware.Am i right? [r...@squidlhr ~]# ps -eZ | grep squid system_u:system_r:squid_t 3173 ? 00:00:00 squid system_u:system_r:squid_t 3175 ? 00:00:00 squid system_u:system_r:squid_t 3177 ? 00:00:00 squid system_u:system_r:squid_t 3179 ? 00:00:00 squid system_u:system_r:squid_t 3222 ? 00:00:00 unlinkd system_u:system_r:squid_t 3223 ? 00:00:00 unlinkd it was successful before i changed the selinux to enforcing.Now i even cannot start squid process that access the parent at localhost(3128) manually even. The other process starts normally if i do manually. When running as an unconfined process by the following command the problem had resolved chcon -t unconfined_exec_t /usr/sbin/squid However it doesnot feel appropriate to me. Please guide me on this. I am starting squid with the following init script if it has something to do with the problem: #!/bin/sh # #my script case $1 in start) /usr/sbin/squid -D -sYC -f /etc/squid/squidcache.conf /usr/sbin/squid -D -sYC -f /etc/squid/squid.conf #The below line is to automatically start apache with system startup /usr/sbin/httpd -k start #KRB5_KTNAME=/etc/squid/HTTP.keytab #export KRB5_KTNAME #KRB5RCACHETYPE=none #export KRB5RCACHETYPE ;; stop) /usr/sbin/squid -k shutdown -f /etc/squid3/squidcache.conf echo Shutting down squid secondary process /usr/sbin/squid -k shutdown -f /etc/squid3/squid.conf echo Shutting down squid main process # The below line is to automatically stop apache at system shutdown /usr/sbin/httpd -k stop ;; esac Thanking you regards, Bilal From: gi...@msn.com To: squid-users@squid-cache.org Date: Tue, 18 May 2010 06:02:35 + Subject: [squid-users] SELINUX issue Hi all, When i change SELINUX from permissive mode to Enforcing mode. My multiple instance setup fail to start. Please guide how to overcome this. ---Excerpts from cache.log- 2010/05/18 10:31:51| TCP connection to 127.0.0.1/3128 failed 2010/05/18 10:31:51| Store rebuilding is 7.91% complete 2010/05/18 10:31:52| Done reading /var/spool/squid swaplog (51794 entries) 2010/05/18 10:31:52| Finished rebuilding storage from disk. 2010/05/18 10:31:52| 51794 Entries scanned 2010/05/18 10:31:52| 0 Invalid entries. 2010/05/18 10:31:52| 0 With invalid flags. 2010/05/18 10:31:52| 51794 Objects loaded. 2010/05/18 10:31:52| 0 Objects expired. 2010/05/18
Re: [squid-users] Re: squid_kerb_auth multiple GET request
Ok I will look for firefox plugins, But i tred other authentication mecanisms, like auth_digest_pw and I was suprised to see that clients get only one *authentication request* at the begining. Then, client always send proxy authentication param. Regards Tiery On Fri, Apr 16, 2010 at 4:07 PM, Markus Moeller hua...@moeller.plus.com wrote: In theory you can, but it has to be implemented in the client (e.g. the Browser). Regards Markus Tiery DENYS tiery.de...@gmail.com wrote in message news:h2kfdcc38011004140653p92fd561fv81febc7501188...@mail.gmail.com... Hi, I am using squid with squid_kerb_auth plugin for authentication on a kerberized network. Squid listen on port 3128 and clients use this proxy. The transparent authentication works pretty well but if i look at network flow, i see that for each website request, the client does two requests: 1) normal GET request Squid says proxy authentication required 2) second GET request with tgs Is it possible for clients to automatically send tgs in first request ? Thanks in advance, Tiery
[squid-users] squid_kerb_auth multiple GET request
Hi, I am using squid with squid_kerb_auth plugin for authentication on a kerberized network. Squid listen on port 3128 and clients use this proxy. The transparent authentication works pretty well but if i look at network flow, i see that for each website request, the client does two requests: 1) normal GET request Squid says proxy authentication required 2) second GET request with tgs Is it possible for clients to automatically send tgs in first request ? Thanks in advance, Tiery
