After the first successful start of the squid daemon, the daemon cannot append to the cache.log file. Thanks to Swift's blog post (see URL) I was able to debug and fix the SELinux error:

sesearch -s squid_t -c file -p write -SCATd
Found 8 semantic av rules:
   allow squid_t squid_t : file { ioctl read write getattr lock append open } ;
   allow squid_t squid_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow squid_t squid_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow squid_t faillog_t : file { ioctl read write getattr lock append open } ;
   allow squid_t squid_cache_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow squid_t squid_tmpfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
DT allow squid_t krb5_host_rcache_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_kerberos ]
DT allow squid_t security_t : file { ioctl read write getattr lock append open } ; [ allow_kerberos ]
Found 4 semantic te rules:
   type_transition squid_t tmp_t : file squid_tmp_t;
   type_transition squid_t tmpfs_t : file squid_tmpfs_t;
   type_transition squid_t var_run_t : file squid_var_run_t;
   type_transition squid_t var_log_t : file squid_log_t;
Found 1 named file transition rules:
   type_transition squid_t tmp_t : file krb5_host_rcache_t "host_0";

Before the fix:
ls -laZ /var/log/squid/
total 1234
drwxr-xr-x. 2 squid squid system_u:object_r:squid_log_t 4096 Apr 16 20:40 .
drwxr-xr-x. 8 root  root  system_u:object_r:var_log_t   4096 Apr 16 20:40 ..
-rw-r--r--. 1 root  root  staff_u:object_r:squid_log_t     0 Apr 16 20:40 .keep_net-proxy_squid-0
-rw-r-----. 1 squid squid system_u:object_r:squid_log_t 123456 Apr 16 20:40 access.log
-rw-r-----. 1 squid squid system_u:object_r:squid_log_t   1234 Apr 16 20:40 cache.log

The fix:
chcon -t faillog_t /var/log/squid/cache.log

Reproducible: Always

Steps to Reproduce:
1. start squid: "run_init rc-service squid start"
2.
3.

Actual Results:
 * Starting squid ...
WARNING: Cannot write log file: /var/log/squid/cache.log
        /var/log/squid/cache.log: Permission denied
        messages will be sent to 'stderr'.                              [ ok ]

Expected Results:
Authenticating root.
 * Starting squid ...                                                   [ ok ]
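The diagnosis above rests on reading the sesearch output by hand: the domain squid_t gets file:write on several types, but squid_log_t is not among them, which is why the relabel to faillog_t works. The following is an added example (not part of the bug report or the Gentoo policy) that parses such sesearch output and answers that question programmatically; the sample input is a constructed excerpt of the rules quoted above, and the two-letter prefix on conditional rules is read as sesearch's enabled/disabled and true/false-branch marker.

```python
import re

# Constructed excerpt of "sesearch -s squid_t -c file -p write -SCATd" output,
# reproducing three of the rules quoted in the report (sample input, not a live query).
SESEARCH_OUTPUT = """\
Found 8 semantic av rules:
   allow squid_t squid_t : file { ioctl read write getattr lock append open } ;
   allow squid_t faillog_t : file { ioctl read write getattr lock append open } ;
DT allow squid_t krb5_host_rcache_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ allow_kerberos ]
Found 4 semantic te rules:
   type_transition squid_t var_log_t : file squid_log_t;
"""

# One allow rule per line. The optional two-letter prefix is sesearch's conditional
# marker: first letter E/D = rule enabled/disabled, second T/F = if/else branch.
ALLOW_RE = re.compile(
    r"^(?:(?P<flags>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}\s*;(?:\s*\[\s*(?P<cond>\S+)\s*\])?"
)


def parse_allow_rules(text):
    """Turn sesearch output into rule dicts; non-allow lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            rules.append({
                "source": m["src"], "target": m["tgt"], "class": m["cls"],
                "perms": set(m["perms"].split()),
                "condition": m["cond"],  # None when the rule is unconditional
                "enabled": m["flags"] is None or m["flags"][0] == "E",
            })
    return rules


def targets_granting(rules, source, cls, perm, include_disabled=False):
    """Target types on which `source` currently holds `perm` for object class `cls`."""
    return sorted({r["target"] for r in rules
                   if r["source"] == source and r["class"] == cls
                   and perm in r["perms"] and (r["enabled"] or include_disabled)})


def write_denied_by_label(text, source, file_type):
    """True when the file's type is the reason for the EACCES: the domain has
    file:write on other types (so it is not a general restriction) but not this one."""
    allowed = targets_granting(parse_allow_rules(text), source, "file", "write")
    return bool(allowed) and file_type not in allowed
```

Run against the full output of `sesearch -s squid_t -c file -p write -SCATd`, `write_denied_by_label(out, "squid_t", "squid_log_t")` confirms the label is the culprit before any chcon is attempted.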
Are there other log files involved in squid that do work with the squid_log_t type? It looks like squid wants to open the cache.log for writing, not only for appending. Although not a proper way to deal with log files, it is not that uncommon. If all other log files work (with append) and only this one doesn't (requires write) then I *might* have this file be marked as squid_cachelog_t (new type) to allow write rights on it.
(In reply to comment #1)
The only other log file that I know of is netdb.state (/var/lib/squid/netdb.state).

Excerpt from the cache.log:
Logfile: opening log stdio:/var/lib/squid/netdb.state:

(I changed the type to faillog_t)
ls -laZ /var/lib/squid/netdb.state
-rw-r-----. 1 squid squid system_u:object_r:faillog_t 0 Apr 16 20:40 /var/lib/squid/netdb.state

This one also fails with faillog_t...
Okay, I'll have squid updated with write privileges to the files then.
In live repo, will be in rev 13
In main tree, ~arch'ed (20130424-r1 release)
Now stable in repo