SELINUX : squid service failed to start/restart
After installing Squid version 3.5.0 on CentOS 6.5, I ran into an issue: the squid service failed to start/restart. Generally, after installing a package with its default configuration, we can start/stop/restart the service without any problem. This time squid gave me trouble.
I checked /var/log/messages and there were no logs giving any useful hint. In other words, I did not find any sufficient information in the message logs, and no other logs were helping me either.
It was clear that this troubleshooting would take a lot of time, and it took 4-5 hours of my whole day.
I tried this practical 3-4 times and finally decided to write it up with generic troubleshooting steps for this issue.
Let's have a look at the problem given below before jumping to the troubleshooting part.
Here, SELINUX is in enforcing mode. I just started the squid service after installation and got the status FAILED:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid start
Starting squid: [FAILED]
[root@localhost ~]#
NOTE: In this practical, SELINUX is always in Enforcing mode. We have not disabled SELINUX, and disabling it is not required.
Description of server:
Operating System : CentOS 6.5
Arch : x86_64
Package : Squid version 3.5.0
Troubleshooting steps for SELINUX for Squid version 3.5.0
Step 1 : Installing policycoreutils-python
policycoreutils-python is a utility package which helps to operate the SELINUX system and its policies. Many commands come with policycoreutils-python, for example semanage, audit2allow etc. (Reference: semanage command not found)
Installing policycoreutils-python helped me a lot, because now I also had /var/log/audit/audit.log on the system, which logs the SELINUX-related activity.
Install policycoreutils-python
yum install policycoreutils-python
Step 2 : Restart the Squid service
After installing policycoreutils-python, restart the squid service. The squid service should fail to restart, and this is what we want intentionally: the reason for the failed restart will be logged in /var/log/audit/audit.log, and that is what we need for the next step.
Have a look at the /var/log/audit/audit.log file and check the logs related to squid. You can use the tail command to see output from the end of the file.
tail -n 50 /var/log/audit/audit.log
On my server, the audit.log file shows the information given below. See avc: denied { write }; it means SELINUX is not allowing Squid to write.
type=AVC msg=audit(1394114838.911:45): avc: denied { write } for pid=1505 comm="squid" name="/" dev=tmpfs ino=5421 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1394114838.911:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff32db9a10 a1=a0242 a2=180 a3=7fff32db9790 items=0 ppid=1493 pid=1505 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=pts0 ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
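Reading a raw AVC record is tedious when the log holds more than one denial, so here is an added example (my own, not from the original post) that summarises AVC denials from an audit.log: for each denial it prints the process name, the denied permissions, the source and target types and the object class. The SAMPLE_AUDIT lines inside it are constructed to mirror the entry above (the SYSCALL record is shortened, and an unrelated httpd denial is added); the optional COMM argument restricts the summary to one process, which matters when several daemons share the same audit.log.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise SELinux AVC denials
# from an audit.log. Reads audit lines on stdin; an optional first argument
# limits the report to one process name (the comm= field).
#
# SAMPLE_AUDIT is constructed for this example and mirrors the denial shown in
# the post (the SYSCALL record is shortened); the httpd line is also made up.
SAMPLE_AUDIT='type=AVC msg=audit(1394114838.911:45): avc:  denied  { write } for  pid=1505 comm="squid" name="/" dev=tmpfs ino=5421 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1394114838.911:45): arch=c000003e syscall=2 success=no exit=-13 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)
type=AVC msg=audit(1394114900.100:46): avc:  denied  { create } for  pid=1505 comm="squid" name="squid-1" scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1394114950.200:47): avc:  denied  { read write } for  pid=2001 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

# avc_summary [COMM]  < audit.log
# Prints one line per denial:
#   "<comm> <denied perms> <source type> -> <target type>:<class>"
avc_summary() {
    want=${1:-}
    grep '^type=AVC ' | grep 'denied' | awk -v want="$want" '
    {
        perm = ""; comm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                 # collect every permission up to the closing brace
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm " " $j)
            }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); src = p[3] }  # user:role:type:level
            if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); tgt = p[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (want == "" || comm == want) print comm, perm, src, "->", tgt ":" cls
    }'
}

# Stand-alone demonstration on the constructed sample (only squid's denials):
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary squid
```

On a real system replace the sample with `avc_summary squid < /var/log/audit/audit.log`. The type fields are the third colon-separated component of each context, which is why the script takes `p[3]` from scontext and tcontext.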
Step 3 : Use audit2allow
In this step we will use audit2allow, which helps to generate SELINUX policy allow rules from the denial logs of an operation. In other words, by using the audit2allow command we will generate an allow-rule SELINUX policy from /var/log/audit/audit.log.
Use the command given below as it is for running audit2allow:
audit2allow -M MYPOLICY < /var/log/audit/audit.log
In the current directory it will create two files, MYPOLICY.pp and MYPOLICY.te.
Read the MYPOLICY.te file, which has the allow policy written in readable format:
cat MYPOLICY.te
After reading the file MYPOLICY.te, if you agree with the allow policy then install the newly generated module. It takes a few seconds to install.
semodule -i MYPOLICY.pp
The section given below is the reference output from my server.
[root@localhost ~]# audit2allow -M MYPOLICY < /var/log/audit/audit.log
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i MYPOLICY.pp
[root@localhost ~]#
[root@localhost ~]# ls -l
total 28
-rw-------. 1 root root 1215 Mar 6 18:53 anaconda-ks.cfg
-rw-r--r--. 1 root root 8815 Mar 6 18:53 install.log
-rw-r--r--. 1 root root 3314 Mar 6 18:51 install.log.syslog
-rw-r--r--. 1 root root 1107 Mar 6 20:02 MYPOLICY.pp
-rw-r--r--. 1 root root 488 Mar 6 20:02 MYPOLICY.te
[root@localhost ~]# cat MYPOLICY.te
module MYPOLICY 1.0;
require {
type tmpfs_t;
type squid_t;
class dir { write add_name };
class file create;
}
#============= squid_t ==============
#!!!! The source type 'squid_t' can write to a 'dir' of the following types:
# var_run_t, squid_log_t, var_log_t, pcscd_var_run_t, squid_var_run_t, squid_cache_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t
allow squid_t tmpfs_t:dir { write add_name };
allow squid_t tmpfs_t:file create;
[root@localhost ~]#
[root@localhost ~]#
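Before running semodule -i it is worth reading the generated .te one rule at a time. The shell script below is an added example (not from the original post) that lists each allow rule of a .te module in a compact form together with the distinct target types it grants, and that builds the module only from squid's own denial lines, because audit2allow fed with the whole audit.log also turns denials from any other process present in the log into allow rules. The SAMPLE_TE text is constructed to match the MYPOLICY.te above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: review a generated .te module
# before installing it, and generate the module only from one daemon's denials.
#
# SAMPLE_TE is constructed for this example and matches the MYPOLICY.te shown
# in the post (the long "#!!!!" hint comment is omitted).
SAMPLE_TE='module MYPOLICY 1.0;

require {
        type tmpfs_t;
        type squid_t;
        class dir { write add_name };
        class file create;
}

#============= squid_t ==============
allow squid_t tmpfs_t:dir { write add_name };
allow squid_t tmpfs_t:file create;'

# te_allow_rules < module.te
# Prints "<source type> <target type> <class> <permissions>" for each allow
# rule, so every grant can be checked on its own line before semodule -i.
te_allow_rules() {
    awk '/^[ \t]*allow[ \t]/ {
        line = $0
        sub(/^[ \t]*allow[ \t]+/, "", line)     # drop the keyword
        sub(/;[ \t]*$/, "", line)               # drop the trailing semicolon
        split(line, f, /[ \t]+/)                # f[1]=source f[2]=target:class f[3..]=perms
        split(f[2], tc, ":")
        perms = ""
        for (i = 3; (i in f); i++)
            if (f[i] != "{" && f[i] != "}")
                perms = (perms == "" ? f[i] : perms " " f[i])
        print f[1], tc[1], tc[2], perms
    }'
}

# te_target_types < module.te
# Lists the distinct target types the module grants access to; a type broader
# than what the daemon really needs stands out here.
te_target_types() {
    te_allow_rules | awk '{ print $2 }' | sort -u
}

# squid_module_from_audit MODULE_NAME [AUDIT_LOG]
# Feeds only squid's denial records to audit2allow, so denials logged for
# other processes do not end up in the module. Needs policycoreutils-python.
squid_module_from_audit() {
    name=$1
    log=${2:-/var/log/audit/audit.log}
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not found (yum install policycoreutils-python)" >&2
        return 1
    fi
    grep 'comm="squid"' "$log" | audit2allow -M "$name"
}

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_TE" | te_allow_rules
printf '%s\n' "$SAMPLE_TE" | te_target_types
```

On a real system the review is `te_allow_rules < MYPOLICY.te` after audit2allow has run, and `squid_module_from_audit MYPOLICY` replaces the unfiltered `audit2allow -M MYPOLICY < /var/log/audit/audit.log` when the audit log also contains denials from other daemons.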
Step 4 : Start/restart the squid service
After successfully installing the SELINUX module, start/restart the squid service 2-3 times to recheck. The service should now be starting/restarting without any problem.
[root@localhost ~]# /etc/init.d/squid restart
Stopping squid: [FAILED]
Starting squid: . [ OK ]
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid restart
Stopping squid: ................ [ OK ]
Starting squid: . [ OK ]
[root@localhost ~]#
Note: I also suggest that you restart the machine once, if possible. This suggestion is only for reconfirming that the squid service can still be restarted after a system reboot.