| Summary: | net-proxy/squid-3.3.3: /var/log/squid/cache.log: Permission denied | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Florian Steinel <Florian.Steinel> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://blog.siphos.be/2013/04/what-could-selinux-have-done-to-mitigate-the-postgresql-vulnerability/ | | |
| Whiteboard: | sec-policy r1 | | |
| Package list: | | Runtime testing required: | --- |

Description
Florian Steinel
2013-04-16 20:14:03 UTC
Are there other log files involved in squid that do work with the squid_log_t type?

It looks like squid wants to open the cache.log for writing, not only for appending. Although not a proper way to deal with log files, it is not that uncommon. If all other log files work (with append) and only this one doesn't (requires write) then I *might* have this file be marked as squid_cachelog_t (new type) to allow write rights on it.

(In reply to comment #1)
The only other logfile that I know of is netdb.state (/var/lib/squid/netdb.state).

Excerpt from the Cache.log:
Logfile: opening log stdio:/var/lib/squid/netdb.state:

(I changed the type to faillog_t)
ls -laZ /var/lib/squid/netdb.state
-rw-r-----. 1 squid squid system_u:object_r:faillog_t 0 Apr 16 20:40 /var/lib/squid/netdb.state

This one also fails with faillog_t...

Okay, I'll have squid updated with write privileges to the files then.

In live repo, will be in rev 13

In main tree, ~arch'ed (20130424-r1 release)

Now stable in repo
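
The append-versus-write distinction discussed in this thread shows up in the audit log: SELinux checks `append` when a file is opened with O_APPEND and `write` otherwise. The following triage helper is an added example, not code from the bug report or the Gentoo policy; it picks out AVC denials where a daemon asked for `write` on a file whose type is expected to be append-only. The audit lines, the `squid_t` domain name and the set of append-only types are constructed assumptions.

```python
import re

# Constructed sample audit lines (not from the bug report); the squid_t domain
# and every pid, inode and timestamp value are assumptions for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1366143243.101:51): avc:  denied  { write } for  pid=2101 comm="squid" name="cache.log" dev="sda3" ino=4711 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:squid_log_t tclass=file
type=AVC msg=audit(1366143243.202:52): avc:  denied  { append } for  pid=2101 comm="squid" name="access.log" dev="sda3" ino=4712 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1366144800.303:77): avc:  denied  { write open } for  pid=2101 comm="squid" name="netdb.state" dev="sda3" ino=4720 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:faillog_t:s0 tclass=file
type=SYSCALL msg=audit(1366144800.303:77): arch=c000003e syscall=2 success=no exit=-13 comm="squid"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def sel_type(context):
    """Return the type field of user:role:type[:mls], or '' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "perms": set(m.group(1).split()),
        "name": fields.get("name", fields.get("path", "")),
        "source": sel_type(fields.get("scontext", "")),
        "target": sel_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def write_on_append_only(lines, append_only_types):
    """List (source, target, name) for 'write' denials on append-only file types."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if (d and d["tclass"] == "file" and "write" in d["perms"]
                and d["target"] in append_only_types):
            hits.append((d["source"], d["target"], d["name"]))
    return hits
```

A hit means the process opened the file without O_APPEND, so the choice is between fixing the daemon's open mode and granting write on that type, as was done here.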