View Issue Details

ID: 0007347
Project: CentOS-7
Category: squid
View Status: public
Last Update: 2019-06-14 15:30
Reporter: vetsch
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Platform: ESXi 5.5.0
Product Version: 7.0-1406

Summary: 0007347: ssl_crtd helpers crashing on squid start using ssl-bump

Description: After adding ssl-bump configuration to squid.

Steps To Reproduce:
- install squid
- Add ssl-bump configuration to squid.conf:

http_port 192.168.200.25:3128 ssl-bump generate-host-certificates=on key=/etc/squid/certs/proxy.pem cert=/etc/squid/certs/proxy.pem

ssl_bump client-first all

- start squid
Additional Information: Generated logs:
[root@localhost ~]# systemctl start squid
[root@localhost ~]# journalctl -xn
-- Logs begin at Thu 2014-07-10 09:22:39 EDT, end at Thu 2014-07-10 09:24:17 EDT. --
Jul 10 09:24:11 localhost squid[2226]: Squid Parent: will start 1 kids
Jul 10 09:24:11 localhost squid[2226]: Squid Parent: (squid-1) process 2228 started
Jul 10 09:24:11 localhost (squid-1)[2228]: The ssl_crtd helpers are crashing too rapidly, need help!
Jul 10 09:24:11 localhost squid[2226]: Squid Parent: (squid-1) process 2228 exited with status 1
Jul 10 09:24:14 localhost squid[2226]: Squid Parent: (squid-1) process 2236 started
Jul 10 09:24:14 localhost (squid-1)[2236]: The ssl_crtd helpers are crashing too rapidly, need help!
Jul 10 09:24:14 localhost squid[2226]: Squid Parent: (squid-1) process 2236 exited with status 1
Jul 10 09:24:17 localhost squid[2226]: Squid Parent: (squid-1) process 2244 started
Jul 10 09:24:17 localhost (squid-1)[2244]: The ssl_crtd helpers are crashing too rapidly, need help!
Jul 10 09:24:17 localhost squid[2226]: Squid Parent: (squid-1) process 2244 exited with status 1
Tags: No tags attached.

Activities

eliezer (reporter), 2015-08-17 23:51, note ~0023930

What is the status of this bug report?
ebekker (reporter), 2015-09-28 11:02, note ~0024471

This is definitely an SELinux issue, if you run in SE permissive mode, you should be able to startup squid with sslbump configured without issues.

Unfortunately, using the normal audit2allow process doesn't yield the correct policy to be added to the local system. Perhaps someone has some more insight as to what policy needs to be added to allow ssl_crtd to operate successfully?
ebekker (reporter), 2015-09-28 11:23, note ~0024472

For the record, I tried compiling/packaging/installing the following Type Enforcement policy, but it didn't help:

--8<--------------------------------------
module ssl_crtdlocal 1.1;

require {
        type squid_t;
        type var_lib_t;
        class file write;
}

#============= squid_t ==============
allow squid_t var_lib_t:file write;
--------------------------------------------->8--

The only solution for the time being to make it work was to turn on permissive mode permanently.
red_shift_ltd (reporter), 2019-06-14 15:25, note ~0034670

Encountered this issue today. I did troubleshooting with audit2allow and received these recommendations:

type=AVC msg=audit(1560522787.469:23345): avc: denied { read } for pid=15793 comm="squid" name="squid.pid" dev="tmpfs" ino=5204596 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1560522868.378:23349): avc: denied { unlink } for pid=15844 comm="squid" name="squid-cf__metadata.shm" dev="tmpfs" ino=5204568 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1560522933.867:91): avc: denied { read } for pid=7189 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=5440476 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
When I make the module ( audit2allow -a -M squid.pp ) and install it ( semodule -i squid.pp ) I get the following error:

libsemanage.semanage_direct_install_info: Overriding squid module at lower priority 100 with module at priority 400.
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/squid/cil:7
semodule: Failed!

Running setenforce 0 lets squid run without any issue.
TrevorH (manager), 2019-06-14 15:30, note ~0034671

>> libsemanage.semanage_direct_install_info: Overriding squid module at lower priority 100 with module at priority 400.

Loosely translated that means "don't call your policy file the same name as the one that already exists unless you aim to duplicate its entire contents".

Pick a different name for your policy - the recommendations in the manuals all say to use something like "mysquid".
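As an added example (not code from the report or from any of the commenters), the script below does what the last two notes discuss: it turns the AVC denials quoted above into a small TE policy source, and before doing so checks the proposed module name against the installed modules so that it does not override the distribution's own squid module. The AVC lines are copied from the report; the installed-module list is a constructed stand-in for the output of semodule -l; the module name mysquid follows the advice in the thread; the function names are my own. Note that the helper is audit2allow-style: it grants squid_t whatever generic type the denied file happens to carry (var_lib_t, user_tmp_t, var_run_t), so review the generated rules before installing them.

```shell
#!/bin/sh
# Added example, not code from the bug report. Turns AVC denials into a small
# Type Enforcement (TE) module source, refusing a module name that would
# override an already-installed module (the mistake TrevorH points out).

# Constructed sample input: the three denials quoted in the report.
AVC_SAMPLE='type=AVC msg=audit(1560522787.469:23345): avc: denied { read } for pid=15793 comm="squid" name="squid.pid" dev="tmpfs" ino=5204596 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560522868.378:23349): avc: denied { unlink } for pid=15844 comm="squid" name="squid-cf__metadata.shm" dev="tmpfs" ino=5204568 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1560522933.867:91): avc: denied { read } for pid=7189 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=5440476 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'

# Constructed stand-in for the output of "semodule -l" (a real host lists many more).
INSTALLED_MODULES='squid
ssh
unconfined'

# check_module_name NAME LIST: succeed only if NAME is not already an installed module.
check_module_name() {
    if printf '%s\n' "$2" | grep -qxF "$1"; then
        return 1
    fi
    return 0
}

# avc_to_rules: read AVC lines on stdin, print one deduplicated allow rule per denial.
# Source and target types are the third field of scontext/tcontext, so ssl_crtd,
# which runs in the squid_t domain, yields rules for squid_t rather than a helper type.
avc_to_rules() {
    awk '/avc: +denied/ {
        perms = $0; sub(/.*denied [{] */, "", perms); sub(/ *[}].*/, "", perms)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":"); src = s[3]
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":"); tgt = t[3]
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }' | sort -u
}

# make_te_module NAME: emit a complete .te source (module line, require block, rules)
# built from the AVC lines on stdin; output is sorted so it is reproducible.
make_te_module() {
    rules=$(avc_to_rules)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    # every type referenced by a rule must be declared in the require block
    printf '%s\n' "$rules" | awk '{ split($3, c, ":"); print "\ttype " $2 ";"; print "\ttype " c[1] ";" }' | sort -u
    # every class must be declared together with the permissions used on it
    printf '%s\n' "$rules" | awk '{ split($3, c, ":"); for (i = 5; i < NF; i++) print c[2], $i }' \
        | sort -u | awk '{ p[$1] = p[$1] " " $2 } END { for (c in p) printf "\tclass %s {%s };\n", c, p[c] }' | sort
    printf '}\n\n'
    printf '%s\n' "$rules"
}

# Demonstration: the name used in the report collides, "mysquid" does not.
for name in squid mysquid; do
    if check_module_name "$name" "$INSTALLED_MODULES"; then
        printf '## %s.te (build and load with: checkmodule -M -m -o %s.mod %s.te;' "$name" "$name" "$name"
        printf ' semodule_package -o %s.pp -m %s.mod; semodule -i %s.pp)\n' "$name" "$name" "$name"
        printf '%s\n' "$AVC_SAMPLE" | make_te_module "$name"
    else
        printf 'refusing module name "%s": it would override an installed module\n' "$name" >&2
    fi
done
```

The require block is derived from the rules rather than typed by hand, which is what ebekker's hand-written module above also needed to get right; if a type is missing there, the module fails to build, and if the name collides with an installed module, semodule overrides it exactly as the libsemanage message in red_shift_ltd's note says.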

Issue History

Date Modified Username Field Change
2014-07-10 16:10 vetsch New Issue
2015-08-17 23:51 eliezer Note Added: 0023930
2015-09-28 11:02 ebekker Note Added: 0024471
2015-09-28 11:23 ebekker Note Added: 0024472
2019-06-14 15:25 red_shift_ltd Note Added: 0034670
2019-06-14 15:30 TrevorH Note Added: 0034671