# Type enforcement policy for the squid caching proxy: declares the
# squid_t daemon domain and its file types, then grants the daemon the
# access it needs.  Most network reach is fixed; the squid_connect_any
# tunable widens it (see below).
policy_module(squid, 1.8.3)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.  When enabled, squid may also
## bind to any port and send/receive any network packet.
## </p>
## </desc>
gen_tunable(squid_connect_any, false)

# Daemon domain and its executable; the daemon is started as an init
# service (init_daemon_domain), so it enters squid_t on exec.
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)

# type for /var/cache/squid
type squid_cache_t;
files_type(squid_cache_t)

# Configuration files; the daemon gets read-only access (see below).
type squid_conf_t;
files_type(squid_conf_t)

type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)

type squid_log_t;
logging_log_file(squid_log_t)

type squid_var_run_t;
files_pid_file(squid_var_run_t)

########################################
#
# Local policy
#

# NOTE(review): dac_override bypasses file mode bits for every file the
# domain can otherwise reach under MAC; confirm it is still required
# (e.g. cache/log files owned by a different uid) rather than a leftover.
allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
# Complement set: every process permission EXCEPT the listed ones.  Keeping
# execmem/execstack/execheap out of the grant means the daemon cannot make
# writable memory executable; ptrace and the set*/setcurrent label-changing
# permissions are likewise withheld.
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
allow squid_t self:sock_file read_sock_file_perms;
allow squid_t self:fd use;
# SysV IPC with itself (shm/sem/msgq) and local sockets.
allow squid_t self:shm create_shm_perms;
allow squid_t self:sem create_sem_perms;
allow squid_t self:msgq create_msgq_perms;
allow squid_t self:msg { send receive };
allow squid_t self:unix_stream_socket create_stream_socket_perms;
allow squid_t self:unix_dgram_socket create_socket_perms;
allow squid_t self:unix_dgram_socket sendto;
allow squid_t self:unix_stream_socket connectto;
allow squid_t self:tcp_socket create_stream_socket_perms;
allow squid_t self:udp_socket create_socket_perms;

# Grant permissions to create, access, and delete cache files.
manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)

# Configuration is read-only for the daemon: list dirs, read files and
# symlinks, but no write/create on squid_conf_t.
allow squid_t squid_conf_t:dir list_dir_perms;
read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)

# Re-executing its own binary stays in squid_t (no transition).
can_exec(squid_t, squid_exec_t)

manage_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })

manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
files_pid_filetrans(squid_t, squid_var_run_t, file)

kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)

files_dontaudit_getattr_boot_dirs(squid_t)

# Network access.  Send/receive on ALL tcp/udp ports is unconditional;
# only bind and connect are restricted to the named ports below (the
# squid_connect_any tunable lifts that restriction).
corenet_all_recvfrom_unlabeled(squid_t)
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
corenet_tcp_sendrecv_generic_node(squid_t)
corenet_udp_sendrecv_generic_node(squid_t)
corenet_tcp_sendrecv_all_ports(squid_t)
corenet_udp_sendrecv_all_ports(squid_t)
corenet_tcp_bind_generic_node(squid_t)
corenet_udp_bind_generic_node(squid_t)
# Listening ports: http, http_cache, ftp, gopher, squid, wccp.
corenet_tcp_bind_http_port(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t)
corenet_tcp_bind_ftp_port(squid_t)
corenet_tcp_bind_gopher_port(squid_t)
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
corenet_udp_bind_wccp_port(squid_t)
# Outbound connections: ftp, gopher, http, http_cache, pgpkeyserver.
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
corenet_tcp_connect_http_cache_port(squid_t)
corenet_tcp_connect_pgpkeyserver_port(squid_t)
# Packet (SECMARK) labels matching the ports above.
corenet_sendrecv_ftp_client_packets(squid_t)
corenet_sendrecv_gopher_client_packets(squid_t)
corenet_sendrecv_http_client_packets(squid_t)
corenet_sendrecv_http_server_packets(squid_t)
corenet_sendrecv_http_cache_server_packets(squid_t)
corenet_sendrecv_http_cache_client_packets(squid_t)
corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
corenet_sendrecv_squid_client_packets(squid_t)
corenet_sendrecv_squid_server_packets(squid_t)
corenet_sendrecv_wccp_server_packets(squid_t)

dev_read_sysfs(squid_t)
# Random device; presumably for TLS/session material -- verify against
# the squid build options in use.
dev_read_urand(squid_t)

fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
fs_list_inotifyfs(squid_t)

selinux_dontaudit_getattr_dir(squid_t)

term_dontaudit_getattr_pty_dirs(squid_t)

# to allow running programs from /usr/lib/squid (i.e. unlinkd)
# Helpers and shells run inside squid_t -- no domain transition is
# declared for them here, so they inherit the full grant above.
corecmd_exec_bin(squid_t)
corecmd_exec_shell(squid_t)

domain_use_interactive_fds(squid_t)

files_read_etc_files(squid_t)
files_read_etc_runtime_files(squid_t)
files_read_usr_files(squid_t)
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)

# Name-service lookups and a transition to the password-check helper;
# presumably for squid's basic-auth helpers -- confirm if those are unused.
auth_use_nsswitch(squid_t)
auth_domtrans_chk_passwd(squid_t)

# to allow running programs from /usr/lib/squid (i.e. unlinkd)
libs_exec_lib_files(squid_t)

logging_send_syslog_msg(squid_t)

# CA certificates (read-only) and locale data.
miscfiles_read_certs(squid_t)
miscfiles_read_localization(squid_t)

userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)

# Enabled only when the squid_connect_any boolean is on.  Note that this
# grants more than the boolean's name suggests: bind to all ports and all
# packet labels, not only connect.
tunable_policy(`squid_connect_any',`
	corenet_tcp_connect_all_ports(squid_t)
	corenet_tcp_bind_all_ports(squid_t)
	corenet_sendrecv_all_packets(squid_t)
')

# Web-content (CGI) support when the apache module is present.
# httpd_squid_script_t is expected to come from apache_content_template(squid);
# squid_read_config is expected to be this module's own interface (not shown
# in this file).
optional_policy(`
	apache_content_template(squid)

	allow httpd_squid_script_t self:tcp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)

	sysnet_dns_name_resolve(httpd_squid_script_t)

	squid_read_config(httpd_squid_script_t)
')

# Let system cron jobs run the squid binary in squid_t.
optional_policy(`
	cron_system_entry(squid_t, squid_exec_t)
')

# NTLM/winbind authentication helper transition when samba is present.
optional_policy(`
	samba_domtrans_winbind_helper(squid_t)
')

optional_policy(`
	seutil_sigchld_newrole(squid_t)
')

optional_policy(`
	udev_read_db(squid_t)
')

# Disabled block: only expands if the m4 symbol TODO is defined, so it
# contributes nothing to the built policy.  If it is ever enabled, note it
# names the raw tmpfs_t type directly instead of going through an fs_*
# interface; presumably it would need a gen_require or an interface call
# to build as a module -- TODO confirm.
ifdef(`TODO',`
# squid requires the following when run in diskd mode, which is the recommended setting
allow squid_t tmpfs_t:file { read write };
') dnl end TODO