Re: [FC3] squid ftp blocked by selinux

From: Alexander Dalloz (ad+lists_at_uni-x.org)
Date: 07/30/05

Next message: Paul Howarth: "Re: [FC3] squid ftp blocked by selinux"

Previous message: Alexander Dalloz: "Re: adding a primary partition"
In reply to: Jurgen Kramer: "Re: [FC3] squid ftp blocked by selinux"
Next in thread: Paul Howarth: "Re: [FC3] squid ftp blocked by selinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: For users of Fedora Core releases <fedora-list@redhat.com>
Date: Sat, 30 Jul 2005 15:44:44 +0200

Am Sa, den 30.07.2005 schrieb Jurgen Kramer um 14:14:
> On Sat, 2005-07-30 at 12:57 +0100, Paul Howarth wrote:
> > On Sat, 2005-07-30 at 11:48 +0200, Jurgen Kramer wrote:

> > > After the last selinux policy update I can no longer use squid to proxy
> > > FTP transfers. dmesg shows lots of:
> > >
> > > audit(1122716171.029:8): avc: denied { name_connect } for pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > audit(1122716171.129:9): avc: denied { name_connect } for pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > > audit(1122716171.229:10): avc: denied { name_connect } for pid=2553
> > > comm="squid" dest=21 scontext=user_u:system_r:squid_t
> > > tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
> > >
> > > HTTP transfers still function fine. How can I fix this?
> >
> > Does this help?
> >
> > # setsebool -P squid_connect_any 1
>
> Yep, that worked. Is this a workaround? Does it survive reboots?

> Jurgen

Not a workaround, but a valid SELinux setting / adjustment. "man
setsebool" would answer you the last question, telling you what
parameter "-P" is for.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 15:43:23 up 14 days, 20:15, load average: 0.02, 0.08, 0.08

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list

application/pgp-signature attachment: Dies ist ein digital signierter Nachrichtenteil

Next message: Paul Howarth: "Re: [FC3] squid ftp blocked by selinux"

Previous message: Alexander Dalloz: "Re: adding a primary partition"
In reply to: Jurgen Kramer: "Re: [FC3] squid ftp blocked by selinux"
Next in thread: Paul Howarth: "Re: [FC3] squid ftp blocked by selinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]