After installing the Squid Version 3.5.0 in CentOS 6.5. I got the issue,squid service failed to start/restart. Generally, after installing the package with by-default configuration,we can start/stop/restart the service without any problem.This time squid gave me trouble here.

I checked the /var/log/messages and there was no sufficient logs giving any hint. In other words,I have not found any sufficient information in message logs. And apart of this,no other logs were helping me here.

This time it was sure,this troubleshooting will take lot of time. And it has taken my 4-5 hours of whole day.

I tried this practical 3-4 times and finally came to decision to write with generic troubleshooting steps for this issue.

Lets have look on problem given below,before jumping to troubleshooting part
Here, SELINUX is in enforcing mode.And I just started the squid service after installation.And got the status FAILED

[root@localhost ~]# getenforce 
Enforcing
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid start
Starting squid:                                            [FAILED]
[root@localhost ~]#

NOTE: In this practical, SELINUX always has Enforcing mode.We have not disable the SELINUX and disabling is not required.

Description Of Server :

Operating System : CentOS 6.5
Arch : x86_64
Package : Squid version 3.5.0

Troubleshooting steps for SELINUX for Squid version 3.5.0

Step 1 : Installing policycoreutils-python

Policycore-utils is a package utility,which helps to operate SELINUX system and policies.There are many commands comes when you install policycoreutils-python . For eg. semanage , audit2allow etc. (Reference, semanage command not found)

After installing policycoreutils-python it helped me a lot.Because now I also has /var/log/audit/audit.log in the system which can log the SELINUX related activity.

Install policycoreutils-python

yum install policycoreutils-python

Step 2 : Restart the Squid service

After installing the policycoreutils-python , restart the squid service . Squid service should be failed to restart and this is we want intentionally. The failed restart reason will be logged in /var/log/audit/audit.log and this is we require for our next step.

Have a look in /var/log/audit/audit.log file. And check logs related to squid. You can use tail command to see output from the end of the file.


tail -n 50 /var/log/audit/audit.log

In my server, the audit.log file shows given below information

See avc: denied { write } ,it means SELINUX is not allowing Squid to write.

type=AVC msg=audit(1394114838.911:45): avc: denied { write } for pid=1505 comm=”squid” name=”/” dev=tmpfs ino=5421 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1394114838.911:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff32db9a10 a1=a0242 a2=180 a3=7fff32db9790 items=0 ppid=1493 pid=1505 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=pts0 ses=2 comm=”squid” exe=”/usr/sbin/squid” subj=unconfined_u:system_r:squid_t:s0 key=(null)

Step 3 :Use audit2allow

In this step,we will use audit2allow which helps to generate SELINUX policy allow rules from denied logs of operation. In other words, by using audit2allow command we will generate allow rule SELINUX policy from /var/log/audit/audit.log .

Use given below commands as it is,for using audit2allow

audit2allow -M MYPOLICY < /var/log/audit/audit.log

In current directory,it will create two files MYPOLICY.pp and MYPOLICY.te.
Read MYPOLICY.te file which has allow policy written in readable format.

cat MYPOLICY.te

After readingthe file MYPOLICY.te. If you agree with allow policy then install the newly generated module. It takes a few seconds of time to install.

semodule -i MYPOLICY.pp

Below given section is reference from my server.

[root@localhost ~]# audit2allow -M MYPOLICY < /var/log/audit/audit.log
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i MYPOLICY.pp

[root@localhost ~]# 
[root@localhost ~]# ls -l
total 28
-rw-------. 1 root root 1215 Mar  6 18:53 anaconda-ks.cfg
-rw-r--r--. 1 root root 8815 Mar  6 18:53 install.log
-rw-r--r--. 1 root root 3314 Mar  6 18:51 install.log.syslog
-rw-r--r--. 1 root root 1107 Mar  6 20:02 MYPOLICY.pp
-rw-r--r--. 1 root root  488 Mar  6 20:02 MYPOLICY.te
[root@localhost ~]# cat MYPOLICY.te 

module MYPOLICY 1.0;

require {
	type tmpfs_t;
	type squid_t;
	class dir { write add_name };
	class file create;
}

#============= squid_t ==============
#!!!! The source type 'squid_t' can write to a 'dir' of the following types:
# var_run_t, squid_log_t, var_log_t, pcscd_var_run_t, squid_var_run_t, squid_cache_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow squid_t tmpfs_t:dir { write add_name };
allow squid_t tmpfs_t:file create;
[root@localhost ~]# 
[root@localhost ~]#

Step 4: start/restart squid service

After successfully installing the SELINUX module. Start/Restart the squid service 2-3 times for recheck. I hope the service will be starting/restarting without any problem now

[root@localhost ~]# /etc/init.d/squid restart
Stopping squid:                                            [FAILED]
Starting squid: .                                          [  OK  ]
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: .                                          [  OK  ]
[root@localhost ~]# 

Note: I also suggest you to once restart the machine if possible.The suggestion is only for reconfirming that squid service can be restarted even after system reboot.

Read Some More Articles

One Comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.