
I'm trying to enable SELinux on a CentOS 5.5 server with Squid 3.1.12 that handles authentication via ncsa_auth.

When I turn off SELinux everything works fine, but when I enable it, Squid crashes on the authentication plugin, ncsa_auth.

This is the error message:

May 29 19:12:21 us squid[1458]: Squid Parent: child process 1493 started
May 29 19:12:21 us kernel: printk: 27 messages suppressed.
May 29 19:12:21 us kernel: type=1400 audit(1306696341.922:74): avc:  denied  { execute } for  pid=1494 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:12:22 us (squid): The basicauthenticator helpers are crashing too rapidly, need help! 
May 29 19:12:22 us squid[1458]: Squid Parent: child process 1493 exited with status 1
May 29 19:12:22 us squid[1458]: Exiting due to repeated, frequent failures

When SELinux is permissive, these are the warnings I'm getting:

May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:81): avc:  denied  { execute } for  pid=1524 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:82): avc:  denied  { execute_no_trans } for  pid=1524 comm="squid" path="/opt/squid-3.1.12/helpers/basic_auth/NCSA/ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file

The ncsa_auth file:

[bart@us NCSA]# ls -alZ ncsa_auth
-rwxrwxrwx  root root user_u:object_r:usr_t            ncsa_auth

I think he expects the label to be unconfined_u:system_r:squid_t:s0, but I have no idea how to set it properly. After I tried setting it with:

chcon unconfined_u:system_r:squid_t:s0 ncsa_auth

I got the following error: chcon: failed to change context of ncsa_auth to unconfined_u:system_r:squid_t:s0: Invalid argument

Bart De Vos

2 Answers


That would be chcon -t squid_t ncsa_auth there, but on my RHEL5.5 machine, there is a rule allowing Squid execute rights on files labeled bin_t, which is probably what it should be, not squid_t:

allow squid_t bin_t : file { ioctl read getattr lock execute execute_no_trans open } ;

You can check this with sesearch -s squid_t --allow. The same rule exists for lib_t, see Iain's answer.

The squid_t type is meant for the domain, not files. A file could be labeled squid_exec_t, but that is for the daemon binary, not helper files. To make a long story short, the file should probably be labeled bin_t and put in /usr/local/bin.

I suspect your ncsa_auth plugin is installed in a weird location. If you put it in /usr/local/bin, and run restorecon -Fv on it, Squid will try to execute it as a bin_t file, which is a lot more likely to succeed.

wzzrd
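A small triage parser for the AVC denial lines quoted in the question, and for the "which file type may squid_t execute" reasoning in the answer above, written as an added example (it is not code from the question or from either answer). It pulls the permission, source domain, target type and file path out of each denial and, for execute denials on a file, proposes the relabel the answer describes. The table of executable types (bin_t from the sesearch output above, lib_t from the second answer's working system) is an assumption about your policy; the sample log lines are constructed from the messages in the question, and the semanage fcontext form is the persistent alternative to a one-off chcon.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the messages quoted in the question
# (not captured from a live system). The third line is ordinary Squid output
# and must be ignored by the parser.
SAMPLE_LOG = """\
May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:81): avc:  denied  { execute } for  pid=1524 comm="squid" name="ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:25:27 us kernel: type=1400 audit(1306697127.741:82): avc:  denied  { execute_no_trans } for  pid=1524 comm="squid" path="/opt/squid-3.1.12/helpers/basic_auth/NCSA/ncsa_auth" dev=xvda1 ino=610563 scontext=root:system_r:squid_t:s0 tcontext=user_u:object_r:usr_t:s0 tclass=file
May 29 19:25:28 us squid[1458]: Squid Parent: child process 1493 started
"""

# File types the squid_t domain may execute, per the sesearch rule quoted in
# the first answer (bin_t) and the label that works in the second (lib_t).
# Assumption: your policy may differ; confirm with `sesearch -s squid_t --allow`.
EXECUTABLE_TYPES_FOR_DOMAIN: Dict[str, Tuple[str, ...]] = {
    "squid_t": ("bin_t", "lib_t"),
}

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcDenial:
    perms: List[str]
    pid: int
    comm: str
    source_type: str        # type component of scontext, e.g. squid_t
    target_type: str        # type component of tcontext, e.g. usr_t
    tclass: str
    target: Optional[str]   # path= when the kernel logged it, otherwise name=


def _type_of(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc_line(line: str) -> Optional[AvcDenial]:
    """Parse one syslog/audit line; return None for lines that are not AVC denials."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    # key=value pairs follow "for "; values are either quoted or bare tokens
    fields = {k: (q or b) for k, q, b in FIELD_RE.findall(line[m.end():])}
    return AvcDenial(
        perms=m.group("perms").split(),
        pid=int(fields.get("pid", "0")),
        comm=fields.get("comm", ""),
        source_type=_type_of(fields.get("scontext", "")),
        target_type=_type_of(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
        target=fields.get("path") or fields.get("name"),
    )


def parse_log(text: str) -> List[AvcDenial]:
    """Return every AVC denial found in a block of log text, in order."""
    return [d for d in (parse_avc_line(l) for l in text.splitlines()) if d is not None]


def suggest_relabel(denial: AvcDenial) -> Optional[str]:
    """For an execute denial on a file, propose a type the source domain may run.

    Returns None when the denial is not about executing a file, when the file is
    already labelled with an allowed type, or when the table has no entry for the
    domain (then sesearch/audit2allow on the real policy is the next step).
    """
    if denial.tclass != "file" or not ({"execute", "execute_no_trans"} & set(denial.perms)):
        return None
    allowed = EXECUTABLE_TYPES_FOR_DOMAIN.get(denial.source_type)
    if not allowed or denial.target_type in allowed:
        return None
    new_type = allowed[0]
    path = denial.target or "<path-to-helper>"
    # chcon takes effect immediately but is lost on a full relabel;
    # semanage fcontext + restorecon records the rule so it survives.
    return (f"chcon -t {new_type} {path}   # persistent alternative: "
            f"semanage fcontext -a -t {new_type} '{path}' && restorecon -v {path}")


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(f"pid={d.pid} comm={d.comm} {d.source_type} -> {d.target_type} "
              f"{d.tclass} {{ {' '.join(d.perms)} }} target={d.target}")
        fix = suggest_relabel(d)
        if fix:
            print("  suggested:", fix)
```

Run it against a captured /var/log/messages or audit.log instead of SAMPLE_LOG to get the same summary for real denials; only the execute_no_trans line carries the full path, which is why the parser falls back to name= when path= is absent.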

I just checked on a CentOS 5.6 system where I have squid + ncsa_auth working. The permissions on my /usr/lib64/squid/ncsa_auth are

ls -lZ  /usr/lib64/squid/ncsa_auth
-rwsr-x---  root squid system_u:object_r:lib_t   /usr/lib64/squid/ncsa_auth

If I set the permissions on /usr/lib64/squid/ncsa_auth to be the same as you have then I get exactly the same error message as you do.

chown root:squid /usr/lib64/squid/ncsa_auth
chmod 4750 /usr/lib64/squid/ncsa_auth
chcon system_u:object_r:lib_t  /usr/lib64/squid/ncsa_auth

fixes the problem on my system.

user9517