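I am trying to enable SELinux on a CentOS 5.5 server with Squid 3.1.12, which handles authentication through ncsa_auth.
When I turn SELinux off, everything works fine, but when I enable it, Squid crashes on the authentication plugin ncsa_auth.
This is the error message: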
May 29 19:12:21 us squid[1458]: Squid Parent: child process 1493 started
May 29 19:12:21 us kernel: printk: 27 messages suppressed.
May 29 19:12:21 us kernel: type=1400 audit(1306696341.922:74): avc: denied { execute } for pid=1494 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:12:22 us (squid): The basicauthenticator helpers are crashing too rapidly,need help!
May 29 19:12:22 us squid[1458]: Squid Parent: child process 1493 exited with status 1
May 29 19:12:22 us squid[1458]: Exiting due to repeated,frequent failures
When SELinux is in permissive mode, these are the warnings I get:
May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:81): avc: denied { execute } for pid=1524 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:82): avc: denied { execute_no_trans } for pid=1524 comm="squid" path="/opt/squid-3.1.12/helpers/basic_auth/NCSA/ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
ncsa-auth:
[bart@us NCSA]# ls -alZ ncsa_auth
-rwxrwxrwx root root user_u:object_r:usr_t ncsa_auth
I think it wants the label to be unconfined_u:system_r:squid_t:s0, but I don't know how to set it correctly. After I tried setting it:
chcon unconfined_u:system_r:squid_t:s0 ncsa_auth
I get the following error: chcon: failed to change context of ncsa_auth to unconfined_u:system_r:squid_t:s0: Invalid argument
Solution
I just looked at a CentOS 5.6 system where my squid ncsa_auth works fine. The permissions on /usr/lib64/squid/ncsa_auth are
ls -lZ /usr/lib64/squid/ncsa_auth
-rwsr-x--- root squid system_u:object_r:lib_t /usr/lib64/squid/ncsa_auth
If I set the permissions on /usr/lib64/squid/ncsa_auth to the same as yours, I get exactly the same error messages as you.
chown root:squid /usr/lib64/squid/ncsa_auth
chmod 4750 /usr/lib64/squid/ncsa_auth
chcon system_u:object_r:lib_t /usr/lib64/squid/ncsa_auth
fixed the problem on my system.