How to fix: Squid cache_dir (13) Permission denied

I was configuring a newly installed Squid cache on newly installed CentOS 5.2 to use a new partition for its cache dir.

Squid version:

[root@localhost ~]# squid -v
Squid Cache: Version 2.6.STABLE6
configure options: '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru' '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl' '--with-openssl=/usr/kerberos' '--enable-delay-pools' '--enable-linux-netfilter' '--with-pthreads' '--enable-ntlm-auth-helpers=SMB,fakeauth' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-auth=basic,digest,ntlm' '--enable-digest-auth-helpers=password' '--with-winbind-auth-challenge' '--enable-useragent-log' '--enable-referer-log' '--disable-dependency-tracking' '--enable-cachemgr-hostname=localhost' '--enable-underscores' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL' '--enable-cache-digests' '--enable-ident-lookups' '--with-large-files' '--enable-follow-x-forwarded-for' '--enable-wccpv2' '--enable-fd-config' '--with-maxfd=16384' 'CFLAGS=-fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu'
[root@localhost ~]#

Added a new disk, partitioned and formatted as ext3.

Related entry in /etc/fstab:

/dev/sdb1               /squid                  ext3    user,defaults   0  0

Adding related entry in /etc/squid/squid.conf:

...
cache_dir ufs /squid/cache 900 16 256
...

Creating cache dir:

[root@localhost /]# squid -z -F
2010/06/01 17:44:52| Creating Swap Directories
[root@localhost /]# ls -o /squid/cache/
total 128
drwxr-x--- 258 squid 4096 Jun  1 17:44 00
drwxr-x--- 258 squid 4096 Jun  1 17:44 01
drwxr-x--- 258 squid 4096 Jun  1 17:44 02
drwxr-x--- 258 squid 4096 Jun  1 17:44 03
drwxr-x--- 258 squid 4096 Jun  1 17:44 04
drwxr-x--- 258 squid 4096 Jun  1 17:44 05
drwxr-x--- 258 squid 4096 Jun  1 17:44 06
drwxr-x--- 258 squid 4096 Jun  1 17:44 07
drwxr-x--- 258 squid 4096 Jun  1 17:44 08
drwxr-x--- 258 squid 4096 Jun  1 17:44 09
drwxr-x--- 258 squid 4096 Jun  1 17:44 0A
drwxr-x--- 258 squid 4096 Jun  1 17:44 0B
drwxr-x--- 258 squid 4096 Jun  1 17:44 0C
drwxr-x--- 258 squid 4096 Jun  1 17:44 0D
drwxr-x--- 258 squid 4096 Jun  1 17:44 0E
drwxr-x--- 258 squid 4096 Jun  1 17:44 0F
[root@localhost /]#

Run Squid:

[root@localhost /]# service squid start
Starting squid: /etc/init.d/squid: line 53:  2276 Aborted                 $SQUID $SQUID_OPTS >> /var/log/squid/squid.out 2>&1
                                                           [FAILED]

Related entries in /var/log/messages:

Jun  1 17:47:54 localhost kernel: NET: Registered protocol family 10
Jun  1 17:47:54 localhost kernel: lo: Disabled Privacy Extensions
Jun  1 17:47:54 localhost kernel: IPv6 over IPv4 tunneling driver
Jun  1 17:47:54 localhost kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Jun  1 17:47:54 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jun  1 17:47:54 localhost kernel: Netfilter messages via NETLINK v0.30.
Jun  1 17:47:54 localhost kernel: ip_conntrack version 2.4 (1024 buckets, 8192 max) - 228 bytes per conntrack
Jun  1 17:47:54 localhost kernel: eth0: link up
Jun  1 17:47:56 localhost kernel: audit(1275389276.752:4): avc:  denied  { search } for  pid=1776 comm="squid" name="/" dev=sdb1 ino=2 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Jun  1 17:47:56 localhost squid: cache_dir /squid/cache: (13) Permission denied

In my case the culprit was SELinux. To disable SELinux:

nano /etc/selinux/config

Set SELINUX to disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled

Save and exit nano.

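Stop SELinux enforcement right away, without restarting the machine (setenforce 0 switches the running system to permissive mode; SELINUX=disabled takes effect at the next boot):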

setenforce 0

It's also worth checking the owner of the cache_dir.
Set the owner of cache_dir to squid:

chown -R squid:squid /squid/cache

Remove the contents of cache dir:

rm -fr /squid/cache/*

Re-create cache dir:

squid -z -F
2010/06/01 17:54:12| Creating Swap Directories

Start squid:

service squid start
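
The denial logged in /var/log/messages above says why Squid was blocked: the squid_t domain was refused { search } on a directory labelled file_t, the type a freshly formatted filesystem carries before it has been labelled. The script below is an added example, not part of the original post; it parses that line and shows the relabel that lets SELinux stay enforcing (the function names are illustrative, and squid_cache_t is assumed to be present in the loaded targeted policy).

```shell
#!/bin/sh
# Added example: read the AVC denial and decide whether the fix is a relabel
# rather than turning SELinux off.

# The denial line from /var/log/messages, copied from this page.
AVC_LINE='Jun  1 17:47:56 localhost kernel: audit(1275389276.752:4): avc:  denied  { search } for  pid=1776 comm="squid" name="/" dev=sdb1 ino=2 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# avc_field LINE KEY -> value of KEY=... in the AVC record (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_type CONTEXT -> the type, third field of user:role:type[:level]
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed inside { ... }
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# diagnose LINE -> one-line verdict on the denial
diagnose() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    case "$tgt" in
        file_t|unlabeled_t)
            echo "$src denied {$perms}: target is unlabeled ($tgt), relabel it" ;;
        *)
            echo "$src denied {$perms} on $tgt: review policy" ;;
    esac
}

diagnose "$AVC_LINE"

# Relabel instead of disabling (run as root). Assumption: squid_cache_t, the
# type the stock policy gives /var/spool/squid, is the right label here.
#   semanage fcontext -a -t squid_cache_t "/squid(/.*)?"
#   restorecon -R -v /squid
#   ls -Zd /squid /squid/cache     # verify the new label
```
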

Good luck!

Comments

It works fine for me
thanks a lot

Perfect!!! Thank you very much!
