## <summary>Squid caching HTTP proxy server</summary>
2 | ||
########################################
## <summary>
##	Execute squid in the squid domain.
## </summary>
## <desc>
##	<p>
##	The caller executes a file of type squid_exec_t and the new
##	process runs as squid_t. No role is granted by this interface;
##	callers that need squid_t in a role must allow that separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`squid_domtrans',`
	gen_require(`
		type squid_t;
		type squid_exec_t;
	')

	# Rule order carries no meaning in policy: the transition on exec
	# and the search of the bin directories are independent grants.
	domtrans_pattern($1, squid_exec_t, squid_t)
	corecmd_search_bin($1)
')
21 | ||
########################################
## <summary>
##	Execute squid in the caller's own domain.
## </summary>
## <desc>
##	<p>
##	Unlike squid_domtrans(), no domain transition takes place:
##	the calling domain keeps its own type after executing
##	squid_exec_t. Use squid_domtrans() to run squid as squid_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`squid_exec',`
	gen_require(`
		type squid_exec_t;
	')

	# execute permission on the binary only; no transition rules are added
	can_exec($1, squid_exec_t)
')
39 | ||
########################################
## <summary>
##	Send generic signals to squid.
## </summary>
## <desc>
##	<p>
##	Only the generic <i>signal</i> permission is granted. The separate
##	sigkill, sigstop, sigchld and signull permissions are not included,
##	so the caller cannot kill or stop the squid process with this alone.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_signal',`
	gen_require(`
		type squid_t;
	')

	# generic signals only (e.g. the ones squid uses for reconfigure/rotate)
	allow $1 squid_t:process signal;
')
57 | ||
########################################
## <summary>
##	Allow read and write squid
##	unix domain stream sockets.
## </summary>
## <desc>
##	<p>
##	Grants getattr, read and write on unix stream sockets owned by
##	squid_t. The connectto permission is not granted, so this covers
##	sockets the caller already holds a descriptor for (presumably
##	inherited or passed from squid), not establishing new connections.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_rw_stream_sockets',`
	gen_require(`
		type squid_t;
	')

	# no connectto here: use of an existing socket, not connection setup
	allow $1 squid_t:unix_stream_socket { getattr read write };
')
76 | ||
########################################
## <summary>
##	Do not audit attempts to search squid cache dirs
## </summary>
## <desc>
##	<p>
##	This silences AVC denials only; it grants no access. The caller
##	still cannot search squid_cache_t directories. Use it for domains
##	that probe the cache path but must not be able to look inside.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_dontaudit_search_cache',`
	gen_require(`
		type squid_cache_t;
	')

	# suppress the denial record; access is still refused
	dontaudit $1 squid_cache_t:dir search_dir_perms;
')
95 | ||
########################################
## <summary>
##	Read squid configuration files.
## </summary>
## <desc>
##	<p>
##	Grants read access to files of type squid_conf_t, plus search of
##	the etc directory type so they can be reached. NOTE(review): squid
##	configuration can carry secrets (e.g. peer or auth credentials), so
##	this should be granted to trusted domains only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_config',`
	gen_require(`
		type squid_conf_t;
	')

	# read-only on squid_conf_t dirs/files; the etc search lets the
	# caller traverse to them (grant order is irrelevant in policy)
	read_files_pattern($1, squid_conf_t, squid_conf_t)
	files_search_etc($1)
')
115 | ||
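########################################
## <summary>
##	Read squid logs.
## </summary>
## <desc>
##	<p>
##	Read-only access to files of type squid_log_t plus search of the
##	log directories. The summary previously said "Append squid logs",
##	which described squid_append_log(); this interface grants no
##	append or write permission.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_log',`
	gen_require(`
		type squid_log_t;
	')

	logging_search_logs($1)
	# read only: see squid_append_log() / squid_manage_logs() for write access
	read_files_pattern($1, squid_log_t, squid_log_t)
')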
135 | ||
########################################
## <summary>
##	Append squid logs.
## </summary>
## <desc>
##	<p>
##	Append access to files of type squid_log_t, plus search of the log
##	directories. Nothing here allows reading, overwriting or removing
##	existing log data; see squid_manage_logs() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_append_log',`
	gen_require(`
		type squid_log_t;
	')

	# append-only file access; directory search is needed to reach the logs
	append_files_pattern($1, squid_log_t, squid_log_t)
	logging_search_logs($1)
')
154 | ||
########################################
## <summary>
##	Create, read, write, and delete
##	squid logs.
## </summary>
## <desc>
##	<p>
##	Full file management on squid_log_t plus search of the log
##	directories. A domain holding this can truncate or remove the
##	proxy's access history, so reserve it for log management and
##	administration domains rather than ordinary consumers of the logs.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_manage_logs',`
	gen_require(`
		type squid_log_t;
	')

	# create/read/write/delete on log files; the search lets the caller reach them
	manage_files_pattern($1, squid_log_t, squid_log_t)
	logging_search_logs($1)
')
175 | ||
########################################
## <summary>
##	Use squid services by connecting over TCP. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated no-op kept for source compatibility. It emits a
##	build-time warning and grants no permissions; callers wanting
##	TCP access to squid must use the appropriate port interfaces.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_use',`
	# warning only; no allow rules are generated
	refpolicywarn(`$0($*) has been deprecated.')
')
189 | |
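########################################
## <summary>
##	All of the rules required to administrate
##	a squid environment
## </summary>
## <desc>
##	<p>
##	Grants the admin domain control of the squid process, the ability
##	to run the init script (with a role transition to system_r), and
##	full management of the cache, configuration, log and pid files.
##	</p>
##	<p>
##	NOTE(review): the process rule includes ptrace, which gives the
##	admin domain read/write access to squid_t's memory (and with it
##	whatever credentials or session data the proxy holds). If live
##	debugging of squid is not required, consider dropping ptrace from
##	this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the squid domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_admin',`
	gen_require(`
		type squid_t, squid_cache_t, squid_conf_t;
		type squid_log_t, squid_var_run_t;
		type squid_initrc_exec_t;
	')

	# ptrace is broader than signalling; see the note in the description
	allow $1 squid_t:process { ptrace signal_perms };
	ps_process_pattern($1, squid_t)

	# run the init script as a system domain, and let the role reach it
	init_labeled_script_domtrans($1, squid_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 squid_initrc_exec_t system_r;
	allow $2 system_r;

	# each *_list_* call gives directory traversal to the managed type
	files_list_var($1)
	admin_pattern($1, squid_cache_t)

	files_list_etc($1)
	admin_pattern($1, squid_conf_t)

	logging_list_logs($1)
	admin_pattern($1, squid_log_t)

	files_list_pids($1)
	admin_pattern($1, squid_var_run_t)
')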