sharadchhetri


SELINUX : squid service failed to start/restart

March 7, 2014 by Sharad Chhetri 1 Comment

After installing Squid version 3.5.0 on CentOS 6.5, I ran into an issue: the squid service failed to start/restart. Generally, after installing a package with its default configuration, we can start/stop/restart the service without any problem. This time squid gave me trouble.

I checked /var/log/messages, and there were not sufficient logs giving any hint. In other words, I did not find any sufficient information in the message logs. Apart from this, no other logs were helping me here.

This time it was certain that this troubleshooting would take a lot of time. And it took 4-5 hours of my whole day.

I tried this practical 3-4 times and finally decided to write up generic troubleshooting steps for this issue.

Let's have a look at the problem given below before jumping to the troubleshooting part.
Here, SELINUX is in enforcing mode. I just started the squid service after installation and got the status FAILED.

[root@localhost ~]# getenforce 
Enforcing
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid start
Starting squid:                                            [FAILED]
[root@localhost ~]#

NOTE: In this practical, SELINUX is always in Enforcing mode. We have not disabled SELINUX, and disabling it is not required.

Description Of Server :

Operating System : CentOS 6.5
Arch : x86_64
Package : Squid version 3.5.0

Troubleshooting steps for SELINUX for Squid version 3.5.0

Step 1 : Installing policycoreutils-python

policycoreutils-python is a utility package which helps to operate the SELINUX system and policies. Many commands come with it when you install policycoreutils-python, e.g. semanage, audit2allow etc. (Reference: semanage command not found)

Installing policycoreutils-python helped me a lot, because now I also have /var/log/audit/audit.log in the system, which can log SELINUX-related activity.

Install policycoreutils-python

yum install policycoreutils-python

Step 2 : Restart the Squid service

After installing policycoreutils-python, restart the squid service. The squid service should fail to restart, and this is what we want intentionally. The reason for the failed restart will be logged in /var/log/audit/audit.log, and this is what we require for our next step.

Have a look at the /var/log/audit/audit.log file and check the logs related to squid. You can use the tail command to see output from the end of the file.


tail -n 50 /var/log/audit/audit.log

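In my server, the audit.log file shows the information given below.

See avc: denied { write }: it means SELINUX is not allowing Squid to write. The tcontext and tclass fields show what the write was aimed at: a directory (tclass=dir) labelled tmpfs_t.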

type=AVC msg=audit(1394114838.911:45): avc: denied { write } for pid=1505 comm="squid" name="/" dev=tmpfs ino=5421 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1394114838.911:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fff32db9a10 a1=a0242 a2=180 a3=7fff32db9790 items=0 ppid=1493 pid=1505 auid=0 uid=23 gid=23 euid=23 suid=0 fsuid=23 egid=23 sgid=23 fsgid=23 tty=pts0 ses=2 comm="squid" exe="/usr/sbin/squid" subj=unconfined_u:system_r:squid_t:s0 key=(null)

Step 3 : Use audit2allow

In this step, we will use audit2allow, which generates SELINUX policy allow rules from the logs of denied operations. In other words, by using the audit2allow command we will generate an allow-rule SELINUX policy from /var/log/audit/audit.log.

Use the commands given below as they are to run audit2allow.

audit2allow -M MYPOLICY < /var/log/audit/audit.log

In the current directory, it will create two files, MYPOLICY.pp and MYPOLICY.te.
Read the MYPOLICY.te file, which has the allow policy written in a readable format.

cat MYPOLICY.te

After reading the file MYPOLICY.te, if you agree with the allow policy, install the newly generated module. It takes a few seconds to install.

semodule -i MYPOLICY.pp

The section given below is for reference from my server.

[root@localhost ~]# audit2allow -M MYPOLICY < /var/log/audit/audit.log
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i MYPOLICY.pp

[root@localhost ~]# 
[root@localhost ~]# ls -l
total 28
-rw-------. 1 root root 1215 Mar  6 18:53 anaconda-ks.cfg
-rw-r--r--. 1 root root 8815 Mar  6 18:53 install.log
-rw-r--r--. 1 root root 3314 Mar  6 18:51 install.log.syslog
-rw-r--r--. 1 root root 1107 Mar  6 20:02 MYPOLICY.pp
-rw-r--r--. 1 root root  488 Mar  6 20:02 MYPOLICY.te
[root@localhost ~]# cat MYPOLICY.te 

module MYPOLICY 1.0;

require {
	type tmpfs_t;
	type squid_t;
	class dir { write add_name };
	class file create;
}

#============= squid_t ==============
#!!!! The source type 'squid_t' can write to a 'dir' of the following types:
# var_run_t, squid_log_t, var_log_t, pcscd_var_run_t, squid_var_run_t, squid_cache_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow squid_t tmpfs_t:dir { write add_name };
allow squid_t tmpfs_t:file create;
[root@localhost ~]# 
[root@localhost ~]#
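
The audit2allow command in Step 3 turns every denial recorded in audit.log into an allow rule, including denials that have nothing to do with squid. As an added example (not part of the original post), the shell script below keeps only the AVC denials for one command name and prints each in allow-rule shape for review; the sample records are constructed (the httpd line is invented for illustration) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name so that
# only those records are reviewed and handed to audit2allow.

# Constructed sample: the first record mirrors the denial shown in Step 2; the
# second (httpd) is invented to show an unrelated denial being filtered out.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1394114838.911:45): avc: denied { write } for pid=1505 comm="squid" name="/" dev=tmpfs ino=5421 scontext=unconfined_u:system_r:squid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1394114900.100:52): avc: denied { read } for pid=1600 comm="httpd" name="index.html" dev=dm-0 ino=9001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1394114838.911:45): arch=c000003e syscall=2 success=no exit=-13 comm="squid" exe="/usr/sbin/squid"
EOF
}

# avc_records COMM: pass through only AVC denial records for that command.
avc_records() {
    grep '^type=AVC ' | grep 'denied' | grep -F "comm=\"$1\""
}

# avc_summary COMM: print "source_type target_type:class { perms }" once per
# distinct denial, mirroring the allow rules audit2allow would generate.
avc_summary() {
    avc_records "$1" | awk '
    {
        perms = $0
        sub(/.*denied[ ]+[{][ ]*/, "", perms)   # drop everything up to "{"
        sub(/[ ]*[}].*/, "", perms)             # drop "}" and what follows
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt ":" cls, "{ " perms " }"
    }' | sort -u
}

# Review what squid was denied before any policy module is generated.
sample_audit_log | avc_summary squid
```

On a live host the same filter can sit in front of the Step 3 command, for example `grep 'comm="squid"' /var/log/audit/audit.log | audit2allow -M MYPOLICY`, so that MYPOLICY.te contains rules for squid only.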

Step 4: start/restart squid service

After successfully installing the SELINUX module, start/restart the squid service 2-3 times to recheck. I hope the service will now start/restart without any problem.

[root@localhost ~]# /etc/init.d/squid restart
Stopping squid:                                            [FAILED]
Starting squid: .                                          [  OK  ]
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: .                                          [  OK  ]
[root@localhost ~]# 

Note: I also suggest restarting the machine once, if possible. The suggestion is only for reconfirming that the squid service can be restarted even after a system reboot.

Comments

  1. Mystartx says

    March 23, 2016 at 12:37 am

    Great article
    I solved my problem in CentOS 6.7
    Thank you
