Re: SELinux security alert/Squid -

2010-02-09 Thread Bob Goodwin
On 09/02/10 02:17, Tim wrote:
 On Mon, 2010-02-08 at 13:23 -0500, Daniel J Walsh wrote:

 squid_connect_any --  off
  
 Probably not a good idea, the setting's there as an aid to protect you
 against maliciousness.  If you want to add exceptions, that's a better
 idea than just letting anything through.

 I'd make an educated guess that the original poster hadn't tried to
 connect to an alternative port, while going through their proxy, before.


Well then should it not be possible to tell SELinux that this particular 
connection is acceptable? To me it is vital; I need to control system 
usage, and that's where I get my usage data! The problem is minor and 
doesn't warrant disabling SELinux in any way. I only see it upon 
rebooting, usually around 04:00 which is my habit, but the star is 
there again this morning.

As a result I have once more done [as su/root]: setsebool -P 
squid_connect_any=1 as it suggests. Whatever that does takes perhaps 30 
seconds and shows a lot of cpu activity while doing it so I know 
something is happening.

The security alert, generated at this morning's boot:

Summary:

SELinux is preventing the squid daemon from connecting to network port 8180

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

SELinux has denied the squid daemon from connecting to 8180. By default squid
policy is setup to deny squid connections. If you did not setup squid to network
connections, this could signal a intrusion attempt.

Allowing Access:

If you want squid to connect to network ports you need to turn on the
squid_connect_any boolean: setsebool -P squid_connect_any=1

Fix Command:

setsebool -P squid_connect_any=1

Additional Information:

Source Context        system_u:system_r:squid_t:s0
Target Context        system_u:object_r:port_t:s0
Target Objects        None [ tcp_socket ]
Source                squid
Source Path           /usr/sbin/squid
Port                  8180
Host                  box6
Source RPM Packages   squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-78.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           squid_connect_any
Host Name             box6
Platform              Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count           33
First Seen            Sun 07 Feb 2010 04:50:46 PM EST
Last Seen             Sun 07 Feb 2010 05:08:58 PM EST
Local ID              87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages

node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  { name_connect } for  pid=1504 comm=squid dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
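Tim's advice to add an exception rather than open everything is easier to act on once the raw audit records are read field by field. The following is an added example, not code from the thread or from Fedora's setroubleshoot; it parses the two records quoted in the alert above, shows from the SYSCALL record that the permissive squid_t domain was never actually blocked, and proposes a port-scoped fix. The `semanage port` command and the choice of `http_port_t` as a type squid_t may already connect to are this example's assumptions, not advice given in the thread.

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in the alert above,
# each rejoined onto one line (the list archive wrapped them).
SAMPLE_AUDIT = (
    "node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  "
    "{ name_connect } for  pid=1504 comm=squid dest=8180 "
    "scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket\n"
    "node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 "
    "success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 "
    "pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 "
    "fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid "
    "subj=system_u:system_r:squid_t:s0 key=(null)\n"
)
KV_RE = re.compile(r"(\w+)=(\S+)")            # key=value pairs
PERM_RE = re.compile(r"\{\s*([^}]*?)\s*\}")    # { perm perm ... } in an AVC record
MSGID_RE = re.compile(r"msg=audit\(([^)]*)\)")  # audit(timestamp:serial)

def parse_records(text):
    """Group AVC and SYSCALL records that share one audit(...) id."""
    events = {}
    for line in text.splitlines():
        m = MSGID_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        if fields["type"] == "AVC":
            fields["perms"] = PERM_RE.search(line).group(1).split()
        events.setdefault(m.group(1), {})[fields["type"]] = fields
    return events

def assess(event):
    """Triage one event. A permissive domain logs 'denied' while its SYSCALL
    record says success=yes, which is exactly what the alert above reports."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    return {
        "domain": avc["scontext"].split(":")[2],
        "target": avc["tcontext"].split(":")[2],
        "perms": avc["perms"],
        "port": int(avc["dest"]),
        "enforced": sc.get("success") == "no",
    }

def narrow_fix(a, port_type="http_port_t"):
    """Unlabelled port (generic port_t): label just that port with a type the
    domain may already reach (assumed here: http_port_t for squid_t) instead of
    squid_connect_any, which opens every port. Returns None if not applicable."""
    if "name_connect" in a["perms"] and a["target"] == "port_t":
        return f"semanage port -a -t {port_type} -p tcp {a['port']}"
    return None
```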


Re: SELinux security alert/Squid -

2010-02-09 Thread Tim
On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:
 I just added myaccount.wildblue.net to the Firefox no proxy for
 list and that seems to satisfy an access problem I didn't know I
 had.

If that's your only need to access an unusual port, then bypassing the
proxy would be a good solution.  There's not going to be a real need for
a caching proxy between your browser and one site to check your account.
In fact, going through a caching proxy when you want to see fresh pages
can be a problem, in itself, if the site has bad expiry time settings.

If you *needed* to go through a proxy (e.g. all your traffic had to go
through a proxy, or lots of LAN users were browsing the same resource,
and it was costing you bandwidth), then you would want to fix up your
proxy to work.

-- 
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.





Re: SELinux security alert/Squid -

2010-02-09 Thread Bob Goodwin
On 09/02/10 07:36, Tim wrote:
 On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:

 I just added myaccount.wildblue.net to the Firefox no proxy for
 list and that seems to satisfy an access problem I didn't know I
 had.
  
 If that's your only need to access an unusual port, then bypassing the
 proxy would be a good solution.  There's not going to be a real need for
 a caching proxy between your browser and one site to check your account.
 In fact, going through a caching proxy when you want to see fresh pages
 can be a problem, in itself, if the site has bad expiry time settings.

 If you *needed* to go through a proxy (e.g. all your traffic had to go
 through a proxy, or lots of LAN users were browsing the same resource,
 and it was costing you bandwidth), then you would want to fix up your
 proxy to work.



Ok, that sounds reasonable, but despite setting no proxy for I
still see the security alert?

Bob



Re: SELinux security alert/Squid -

2010-02-09 Thread Daniel J Walsh
On 02/09/2010 08:01 AM, Bob Goodwin wrote:
 On 09/02/10 07:36, Tim wrote:
 On Mon, 2010-02-08 at 16:59 -0500, Bob Goodwin wrote:

 I just added myaccount.wildblue.net to the Firefox no proxy for
 list and that seems to satisfy an access problem I didn't know I
 had.
  
 If that's your only need to access an unusual port, then bypassing the
 proxy would be a good solution.  There's not going to be a real need for
 a caching proxy between your browser and one site to check your account.
 In fact, going through a caching proxy when you want to see fresh pages
 can be a problem, in itself, if the site has bad expiry time settings.

 If you *needed* to go through a proxy (e.g. all your traffic had to go
 through a proxy, or lots of LAN users were browsing the same resource,
 and it was costing you bandwidth), then you would want to fix up your
 proxy to work.


 
 Ok, that sounds reasonable, but despite setting no proxy for I
 still see the security alert?
 
 Bob
 
 -- 
 
There is a bug in setroubleshoot that is showing all alerts as new on login.  
You might be seeing this.

Fixed in setroubleshoot-2.2.63-1.fc12   
yum update setroubleshoot\* --enablerepo=updates-testing



SELinux security alert/Squid -

2010-02-08 Thread Bob Goodwin
Yesterday I began getting an SELinux security alert and Firefox began 
to operate erratically [became useless].

I did setsebool -P squid_connect_any=1 per the alert and Firefox began 
to work again, however now this morning I am getting a similar notice 
although it appears to be making an exception.

Do I need to take some further action to satisfy SELinux or will I 
continue to get this notice until some future update?

Bob



Summary:

SELinux is preventing the squid daemon from connecting to network port 8180

Detailed Description:

[squid has a permissive type (squid_t). This access was not denied.]

SELinux has denied the squid daemon from connecting to 8180. By default squid
policy is setup to deny squid connections. If you did not setup squid to network
connections, this could signal a intrusion attempt.

Allowing Access:

If you want squid to connect to network ports you need to turn on the
squid_connect_any boolean: setsebool -P squid_connect_any=1

Fix Command:

setsebool -P squid_connect_any=1

Additional Information:

Source Context        system_u:system_r:squid_t:s0
Target Context        system_u:object_r:port_t:s0
Target Objects        None [ tcp_socket ]
Source                squid
Source Path           /usr/sbin/squid
Port                  8180
Host                  box6
Source RPM Packages   squid-3.1.0.15-2.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-78.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           squid_connect_any
Host Name             box6
Platform              Linux box6 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count           33
First Seen            Sun 07 Feb 2010 04:50:46 PM EST
Last Seen             Sun 07 Feb 2010 05:08:58 PM EST
Local ID              87daf7bf-ecdf-4025-9780-520ef4d433f5
Line Numbers

Raw Audit Messages

node=box6 type=AVC msg=audit(1265580538.758:20027): avc:  denied  { name_connect } for  pid=1504 comm=squid dest=8180 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=box6 type=SYSCALL msg=audit(1265580538.758:20027): arch=c03e syscall=42 success=yes exit=4294967424 a0=e a1=7fd5727bb730 a2=1c a3=1c items=0 ppid=1502 pid=1504 auid=4294967295 uid=0 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=(none) ses=4294967295 comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null)



Re: SELinux security alert/Squid -

2010-02-08 Thread Bob Goodwin
On 08/02/10 13:23, Daniel J Walsh wrote:

Are you sure the boolean is turned on ?

# getsebool squid_connect_any
squid_connect_any --  off

Once you have set the boolean on it should stay that way permanently if you use 
the -P flag

# setsebool -P squid_connect_any 1


--

This is what I get:


[b...@box6 ~]$ getsebool squid_connect_any
squid_connect_any -- on

I guess that means it should work? It's not a big problem and only began 
yesterday [after an update?]. It just puts a warning star at the bottom of my 
screen.

Bob








Re: SELinux security alert/Squid -

2010-02-08 Thread Daniel J Walsh
On 02/08/2010 03:16 PM, Bob Goodwin wrote:
 On 08/02/10 13:23, Daniel J Walsh wrote:
 
 Are you sure the boolean is turned on ?
 
 # getsebool squid_connect_any
 squid_connect_any --  off
 
 Once you have set the boolean on it should stay that way permanently if
 you use the -P flag
 
 # setsebool -P squid_connect_any 1
 
 
 --
 
 This is what I get:
 
 
[b...@box6 ~]$ getsebool squid_connect_any
squid_connect_any -- on
 
 I guess that means it should work? It's not a big problem and only began
 yesterday [after an update?]. It just puts a warning star at the bottom
 of my screen.
 
 Bob
 
 
 
 
 
 
Yes, this means that someone put a web site at 8180, and now squid wants to 
connect to it.  SELinux was preventing it.


Re: SELinux security alert/Squid -

2010-02-08 Thread Bob Goodwin
On 08/02/10 16:32, Daniel J Walsh wrote:
 On 02/08/2010 03:16 PM, Bob Goodwin wrote:

 On 08/02/10 13:23, Daniel J Walsh wrote:

 Are you sure the boolean is turned on ?

 # getsebool squid_connect_any
 squid_connect_any --   off

 Once you have set the boolean on it should stay that way permanently if
 you use the -P flag

 # setsebool -P squid_connect_any 1


 --

 This is what I get:


 [b...@box6 ~]$ getsebool squid_connect_any
 squid_connect_any --  on

 I guess that means it should work? It's not a big problem and only began
 yesterday [after an update?]. It just puts a warning star at the bottom
 of my screen.

 Bob






  
 Yes, this means that someone put a web site at 8180, and now squid wants to 
 connect to it.  SELinux was preventing it.



Yes my ISP.

http://myaccount.wildblue.net:8180/

I just added myaccount.wildblue.net to the Firefox no proxy for
list and that seems to satisfy an access problem I didn't know I
had. Don't know if the SELinux alert resulted from that. I'll see
what happens when I reboot tomorrow morning. One of the first things
I do is check my usage via Firefox to be sure we are within limits.

Thanks.

Bob





