## <summary>Squid caching HTTP proxy server</summary>

########################################
## <summary>
##	Execute squid in the squid domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`squid_domtrans',`
	gen_require(`
		type squid_t, squid_exec_t;
	')

	# The caller must be able to search bin directories to reach
	# the squid executable before it can execute it.
	corecmd_search_bin($1)
	# Executing a squid_exec_t file from the caller domain makes the
	# new process run as squid_t (automatic domain transition).
	domtrans_pattern($1, squid_exec_t, squid_t)
')

########################################
## <summary>
##	Execute squid in the caller domain
##	(no domain transition; compare squid_domtrans).
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`squid_exec',`
	gen_require(`
		type squid_exec_t;
	')

	# Plain execute permission only: the caller keeps its own domain.
	can_exec($1, squid_exec_t)
')

########################################
## <summary>
##	Send generic signals to squid.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_signal',`
	gen_require(`
		type squid_t;
	')

	# Only the generic "signal" permission; sigkill, sigstop and
	# sigchld are separate permissions and are not granted here.
	allow $1 squid_t:process signal;
')

########################################
## <summary>
##	Allow read and write squid
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_rw_stream_sockets',`
	gen_require(`
		type squid_t;
	')

	# getattr/read/write on a squid_t unix stream socket the caller
	# already holds. connectto is not granted, so this does not by
	# itself allow establishing a new connection to squid.
	allow $1 squid_t:unix_stream_socket { getattr read write };
')

########################################
## <summary>
##	Do not audit attempts to search squid cache dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_dontaudit_search_cache',`
	gen_require(`
		type squid_cache_t;
	')

	# dontaudit only suppresses the AVC log record; the search is
	# still denied. Intended for known-benign noise (e.g. directory
	# walks), since it also hides these denials from audit review.
	dontaudit $1 squid_cache_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read squid configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_config',`
	gen_require(`
		type squid_conf_t;
	')

	# Search the etc tree so the config can be reached by path,
	# then read-only access to squid_conf_t dirs and files.
	files_search_etc($1)
	read_files_pattern($1, squid_conf_t, squid_conf_t)
')

########################################
## <summary>
##	Read squid logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_read_log',`
	gen_require(`
		type squid_log_t;
	')

	# Read-only: the summary previously said "Append", but the rule
	# below grants read, not append (see squid_append_log for that).
	logging_search_logs($1)
	read_files_pattern($1, squid_log_t, squid_log_t)
')

########################################
## <summary>
##	Append squid logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_append_log',`
	gen_require(`
		type squid_log_t;
	')

	# Append-only access: the caller can add log records but the
	# pattern does not grant read, write or unlink on existing logs.
	logging_search_logs($1)
	append_files_pattern($1, squid_log_t, squid_log_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	squid logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_manage_logs',`
	gen_require(`
		type squid_log_t;
	')

	# Full file management of squid_log_t, including deletion.
	# This is considerably broader than squid_append_log; prefer
	# that interface for domains that only need to write records.
	logging_search_logs($1)
	manage_files_pattern($1, squid_log_t, squid_log_t)
')

########################################
## <summary>
##	Use squid services by connecting over TCP. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`squid_use',`
	# No rules are generated; callers only get a build-time warning
	# naming the interface ($0) and the arguments it was given ($*).
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	All of the rules required to administrate
##	an squid environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the squid domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`squid_admin',`
	gen_require(`
		type squid_t, squid_cache_t, squid_conf_t;
		type squid_log_t, squid_var_run_t;
		type squid_initrc_exec_t;
	')

	# Process control over running squid instances. ptrace is a
	# broad privilege (process inspection and control), well beyond
	# what signal_perms alone would allow.
	allow $1 squid_t:process { ptrace signal_perms };
	ps_process_pattern($1, squid_t)

	# Let the admin domain run the squid init script; the role
	# transition and role allow let role $2 end up in system_r when
	# it does so.
	init_labeled_script_domtrans($1, squid_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 squid_initrc_exec_t system_r;
	allow $2 system_r;

	# Broad management (admin_pattern) of each squid file type, plus
	# listing of the parent directory each lives under.
	files_list_var($1)
	admin_pattern($1, squid_cache_t)

	files_list_etc($1)
	admin_pattern($1, squid_conf_t)

	logging_list_logs($1)
	admin_pattern($1, squid_log_t)

	files_list_pids($1)
	admin_pattern($1, squid_var_run_t)
')