- 06-16-2010 #1
[SOLVED] Help! squid, transmission, SELinux
Normal Operation: Transmission daemon is running on a dedicated server. Connecting to the transmission web interface from a remote machine: Entering the server IP followed by the transmission port number (i.e. http://192.168.1.220:9091) in the web browser -> a window pops up asking for the credentials -> entering my credentials -> transmission web interface opens in the web browser.
Problem Description: Can't open the transmission web interface from a remote machine behind squid proxy:
Read Error
The system returned: (107) Transport endpoint is not connected
Bypassing squid proxy enables me to open the transmission web interface. Also from a WinXP machine the transmission web interface is accessible.
Besides the squid error (above), SELinux alert appears too:

Can someone help me with this?
I'm not sure if the problem is in squid or SELinux configuration.
Fedora17.GNOME@Dell_Latitude_E6410
Fedora14.GNOME@HP_Compaq_DC7100
- 06-16-2010 #2
what distro are you running on?
I'm guessing there is a boolean in selinux you can check (or uncheck) to enable squid to connect to nonstandard ports. Also, the default squid config does not allow connections to unknown ports, you may need to change this. Is this a production server machine, or are you just dinking around on your desktop / spare computer?
I would suggest disabling selinux, trying it, and if it works, you have your problem, re-enable selinux, find the boolean to (un)check, and you should be good to go.
New to the internet, technical forums, or the hacker / open source community??
Read this to learn good posting habits http://www.catb.org/~esr/faqs/smart-questions.html
RHCE for RHEL version 5
RHCT for RHEL version 4
- 06-16-2010 #3
Distro = Fedora 12
This is not a production server, transmission is installed on a NAS, while squid on other machines controls internet access (kids must do their homework too).
Thanks for the suggestion, I'll try setting SELinux to permissive and see what happens.
Quote: "the default squid config does not allow connections to unknown ports"
Yes, I'm using default squid.config + time ACL + allowed sites & forbidden sites. However, according to my configuration port 9091 should be allowed:
Code:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
- 06-16-2010 #4
I tried disabling SELinux as follows:
Code:
[root@nc6000 boris]# echo 0 > /selinux/enforce
[root@nc6000 boris]# getenforce
Permissive
[root@nc6000 boris]# echo 1 > /selinux/enforce
[root@nc6000 boris]# getenforce
Enforcing
The problem disappears while in "Permissive" mode. (squid proxy is active during this experiment.)
In "Permissive" I can access the transmission web interface. As soon as I switch back to "Enforcing" mode the connection is broken, and the following message appears:

Meaning: SELinux is blocking the connection.
But then, while still in "Enforcing" mode, when I bypass the squid proxy the problem disappears as well. As soon as I reactivate the squid proxy the same message appears:

Meaning: squid is also blocking the connection.
Conclusion: transmission interface is blocked only when both SELinux and squid are active.
Which one is to blame?
I’m confident that my squid settings are all right. It is supported by the fact that squid functions properly when SELinux is in permissive mode. That means SELinux is guilty.
According to www, there are several options to try out:
- turn off SELinux for Squid Code:
setsebool -P squid_disable_trans 1
- allow Squid to connect to any port Code:
setsebool -P squid_connect_any 1
- change SELinux policy for port 9091 Code:
semanage port -a -t http_port_t -p tcp 9091
Last edited by blnl; 06-17-2010 at 07:36 AM.
- 06-18-2010 #5
The first option does not do anything on my system.
Code:
[root@nc6000 addressbook]# setsebool -P squid_disable_trans 1
libsemanage.dbase_llist_set: record not found in the database (No such file or directory).
libsemanage.dbase_llist_set: could not set record value (No such file or directory).
Could not change boolean squid_disable_trans
Could not change policy booleans
The other two options worked fine. I chose to change the port policy only. Probably this is better from the security point of view.
Now I can connect to transmission web interface while squid proxy is active.
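Added example, not part of any post in this thread: a shell sketch of why the connection failed only with both squid and SELinux enforcing. It checks port 9091 against the Safe_ports lines quoted in post #3 and against the http_port_t label, before and after the `semanage port -a` fix. The `semanage port -l` output is a constructed sample and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Two independent gates: squid's own ACL and the SELinux port label.

# Safe_ports lines as posted in the thread.
SQUID_CONF='acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http'

# Constructed samples of `semanage port -l` output (not from the poster's machine).
SEMANAGE_BEFORE='http_cache_port_t  tcp  3128, 8080, 8118, 10001-10010
http_port_t        tcp  80, 443, 488, 8008, 8009, 8443'
SEMANAGE_AFTER='http_cache_port_t  tcp  3128, 8080, 8118, 10001-10010
http_port_t        tcp  9091, 80, 443, 488, 8008, 8009, 8443'

# in_ranges PORT "80 1025-65535 ...": succeed if PORT equals or falls inside an item.
in_ranges() {
  local port=$1 item lo hi
  for item in $2; do
    lo=${item%-*}; hi=${item#*-}   # a single port yields lo == hi
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
  done
  return 1
}

# squid_acl_allows PORT CONF: is PORT listed in the Safe_ports acl?
squid_acl_allows() {
  in_ranges "$1" "$(printf '%s\n' "$2" |
    awk '$1=="acl" && $2=="Safe_ports" && $3=="port" {print $4}')"
}

# selinux_label_has PORT TYPE OUTPUT: does TYPE cover tcp PORT in the listing?
selinux_label_has() {
  in_ranges "$1" "$(printf '%s\n' "$3" | awk -v t="$2" \
    '$1==t && $2=="tcp" {for (i=3; i<=NF; i++) {gsub(",", "", $i); print $i}}')"
}

# verdict PORT CONF OUTPUT: report both gates; http_port_t is the type the thread's fix uses.
verdict() {
  local a=deny s=deny
  squid_acl_allows "$1" "$2" && a=allow
  selinux_label_has "$1" http_port_t "$3" && s=allow
  echo "squid_acl=$a selinux_http_port_t=$s"
}

verdict 9091 "$SQUID_CONF" "$SEMANAGE_BEFORE"   # state described in posts #1-#4
verdict 9091 "$SQUID_CONF" "$SEMANAGE_AFTER"    # state after the fix chosen in post #5
```

On a live system, replace the sample variables with the real squid.conf contents and the output of `semanage port -l`.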
- 06-19-2010 #6
glad to hear it. Selinux problems can be very difficult to pinpoint, but it has come a long way, and solutions tend to be much easier than they once were.