How to fix: Squid cache_dir (13) Permission denied

I was configuring a newly installed Squid cache on a newly installed CentOS 5.2 to use a new partition for its cache dir.

Squid version:
[root@localhost ~]# squid -v
Squid Cache: Version 2.6.STABLE6
configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm' '--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-cache-digests' '--enable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config' '--with-maxfd=16384' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu'
[root@localhost ~]#

Added a new disk, partitioned and formatted as ext3.

Related entry in /etc/fstab:
/dev/sdb1 /squid ext3 user,defaults 0 0

Adding related entry in /etc/squid/squid.conf:
...
cache_dir ufs /squid/cache 900 16 256
...

Creating cache dir:
[root@localhost /]# squid -z -F
2010/06/01 17:44:52| Creating Swap Directories
[root@localhost /]# ls -o /squid/cache/
total 128
drwxr-x--- 258 squid 4096 Jun 1 17:44 00
drwxr-x--- 258 squid 4096 Jun 1 17:44 01
drwxr-x--- 258 squid 4096 Jun 1 17:44 02
drwxr-x--- 258 squid 4096 Jun 1 17:44 03
drwxr-x--- 258 squid 4096 Jun 1 17:44 04
drwxr-x--- 258 squid 4096 Jun 1 17:44 05
drwxr-x--- 258 squid 4096 Jun 1 17:44 06
drwxr-x--- 258 squid 4096 Jun 1 17:44 07
drwxr-x--- 258 squid 4096 Jun 1 17:44 08
drwxr-x--- 258 squid 4096 Jun 1 17:44 09
drwxr-x--- 258 squid 4096 Jun 1 17:44 0A
drwxr-x--- 258 squid 4096 Jun 1 17:44 0B
drwxr-x--- 258 squid 4096 Jun 1 17:44 0C
drwxr-x--- 258 squid 4096 Jun 1 17:44 0D
drwxr-x--- 258 squid 4096 Jun 1 17:44 0E
drwxr-x--- 258 squid 4096 Jun 1 17:44 0F
[root@localhost /]#

Run Squid:
[root@localhost /]# service squid start
Starting squid: /etc/init.d/squid: line 53: 2276 Aborted $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
[FAILED]

Related entries in /var/log/messages:
Jun 1 17:47:54 localhost kernel: NET: Registered protocol family 10
Jun 1 17:47:54 localhost kernel: lo: Disabled Privacy Extensions
Jun 1 17:47:54 localhost kernel: IPv6 over IPv4 tunneling driver
Jun 1 17:47:54 localhost kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Jun 1 17:47:54 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jun 1 17:47:54 localhost kernel: Netfilter messages via NETLINK v0.30.
Jun 1 17:47:54 localhost kernel: ip_conntrack version 2.4 (1024 buckets, 8192 max) - 228 bytes per conntrack
Jun 1 17:47:54 localhost kernel: eth0: link up
Jun 1 17:47:56 localhost kernel: audit(1275389276.752:4): avc: denied { search } for pid=1776 comm="squid" name="/" dev=sdb1 ino=2 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Jun 1 17:47:56 localhost squid: cache_dir /squid/cache: (13) Permission denied

In my case the culprit was SELinux. To disable SELinux:
nano /etc/selinux/config

Set SELINUX to disabled:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled

Save and exit nano.

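Stop SELinux enforcement right away, without restarting the machine (setenforce 0 switches the running system to permissive mode; SELINUX=disabled takes effect at the next boot):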
setenforce 0

It's also worth checking the owner of the cache_dir.
Set the owner of cache_dir to squid:
chown -R squid:squid /squid/cache

Remove the contents of cache dir:
rm -fr /squid/cache/*

Re-create cache dir:
squid -z -F
2010/06/01 17:54:12| Creating Swap Directories

Start squid:
service squid start
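
An alternative that keeps SELinux enforcing, added here as an example and not part of the original post: the denial in /var/log/messages shows squid_t refused on a target typed file_t, which is what a freshly formatted filesystem without SELinux labels looks like. The script below parses that line and prints relabel commands; its function names are made up for illustration, and labelling all of /squid as squid_cache_t assumes the partition holds nothing but the Squid cache.

```bash
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# The AVC denial exactly as logged in /var/log/messages above.
SAMPLE_AVC='Jun 1 17:47:56 localhost kernel: audit(1275389276.752:4): avc: denied { search } for pid=1776 comm="squid" name="/" dev=sdb1 ino=2 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# avc_field KEY LINE: print the value of KEY=value in an AVC record.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tr -d '"' | head -n 1
}

# avc_type CONTEXT: print the type, the third field of user:role:type:level.
avc_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms LINE: print the permission list found between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_diagnose LINE: say whether the target was never labelled (file_t,
# unlabeled_t) or carries a real label that the policy does not allow.
avc_diagnose() {
    src=$(avc_type "$(avc_field scontext "$1")")
    tgt=$(avc_type "$(avc_field tcontext "$1")")
    case "$tgt" in
        file_t|unlabeled_t)
            echo "unlabeled: $src denied '$(avc_perms "$1")' on $tgt (dev=$(avc_field dev "$1")); fix the label" ;;
        *)
            echo "labeled: $src denied '$(avc_perms "$1")' on $tgt; review label or policy" ;;
    esac
}

# relabel_plan MOUNTPOINT: print (not run) the commands that give the mount
# the squid_cache_t type from the targeted policy. Assumption: the whole
# mount is dedicated to the Squid cache.
relabel_plan() {
    printf '%s\n' \
        "semanage fcontext -a -t squid_cache_t \"$1(/.*)?\"" \
        "restorecon -R -v $1" \
        "ls -dZ $1"
}

avc_diagnose "$SAMPLE_AVC"
relabel_plan /squid
```

The printed commands are meant to be run as root with SELINUX=enforcing left in place, followed by squid -z -F and service squid start as above.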

Good luck!

About sepedatua