[people/stevee/selinux-policy.git] / policy / modules / services / squid.te


policy_module(squid, 1.8.3)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow squid to connect to all ports, not just
## HTTP, FTP, and Gopher ports.
## </p>
## </desc>
gen_tunable(squid_connect_any, false)

type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t, squid_exec_t)

# type for /var/cache/squid
type squid_cache_t;
files_type(squid_cache_t)

type squid_conf_t;
files_type(squid_conf_t)

type squid_initrc_exec_t;
init_script_file(squid_initrc_exec_t)

type squid_log_t;
logging_log_file(squid_log_t)

type squid_var_run_t;
files_pid_file(squid_var_run_t)

########################################
#
# Local policy
#

allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
allow squid_t self:sock_file read_sock_file_perms;
allow squid_t self:fd use;
allow squid_t self:shm create_shm_perms;
allow squid_t self:sem create_sem_perms;
allow squid_t self:msgq create_msgq_perms;
allow squid_t self:msg { send receive };
allow squid_t self:unix_stream_socket create_stream_socket_perms;
allow squid_t self:unix_dgram_socket create_socket_perms;
allow squid_t self:unix_dgram_socket sendto;
allow squid_t self:unix_stream_socket connectto;
allow squid_t self:tcp_socket create_stream_socket_perms;
allow squid_t self:udp_socket create_socket_perms;

# Grant permissions to create, access, and delete cache files.
manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)

allow squid_t squid_conf_t:dir list_dir_perms;
read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)

can_exec(squid_t, squid_exec_t)

manage_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })

manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
files_pid_filetrans(squid_t, squid_var_run_t, file)

kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)

files_dontaudit_getattr_boot_dirs(squid_t)

corenet_all_recvfrom_unlabeled(squid_t)
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
corenet_tcp_sendrecv_generic_node(squid_t)
corenet_udp_sendrecv_generic_node(squid_t)
corenet_tcp_sendrecv_all_ports(squid_t)
corenet_udp_sendrecv_all_ports(squid_t)
corenet_tcp_bind_generic_node(squid_t)
corenet_udp_bind_generic_node(squid_t)
corenet_tcp_bind_http_port(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t)
corenet_tcp_bind_ftp_port(squid_t)
corenet_tcp_bind_gopher_port(squid_t)
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
corenet_udp_bind_wccp_port(squid_t)
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
corenet_tcp_connect_http_cache_port(squid_t)
corenet_tcp_connect_pgpkeyserver_port(squid_t)
corenet_sendrecv_ftp_client_packets(squid_t)
corenet_sendrecv_gopher_client_packets(squid_t)
corenet_sendrecv_http_client_packets(squid_t)
corenet_sendrecv_http_server_packets(squid_t)
corenet_sendrecv_http_cache_server_packets(squid_t)
corenet_sendrecv_http_cache_client_packets(squid_t)
corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
corenet_sendrecv_squid_client_packets(squid_t)
corenet_sendrecv_squid_server_packets(squid_t)
corenet_sendrecv_wccp_server_packets(squid_t)

dev_read_sysfs(squid_t)
dev_read_urand(squid_t)

fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
fs_list_inotifyfs(squid_t)

selinux_dontaudit_getattr_dir(squid_t)

term_dontaudit_getattr_pty_dirs(squid_t)

# to allow running programs from /usr/lib/squid (IE unlinkd)
corecmd_exec_bin(squid_t)
corecmd_exec_shell(squid_t)

domain_use_interactive_fds(squid_t)

files_read_etc_files(squid_t)
files_read_etc_runtime_files(squid_t)
files_read_usr_files(squid_t)
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)

auth_use_nsswitch(squid_t)
auth_domtrans_chk_passwd(squid_t)

# to allow running programs from /usr/lib/squid (IE unlinkd)
libs_exec_lib_files(squid_t)

logging_send_syslog_msg(squid_t)

miscfiles_read_certs(squid_t)
miscfiles_read_localization(squid_t)

userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)

tunable_policy(`squid_connect_any',`
	corenet_tcp_connect_all_ports(squid_t)
	corenet_tcp_bind_all_ports(squid_t)
	corenet_sendrecv_all_packets(squid_t)
')

optional_policy(`
	apache_content_template(squid)

	allow httpd_squid_script_t self:tcp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)

	sysnet_dns_name_resolve(httpd_squid_script_t)

	squid_read_config(httpd_squid_script_t)
')

optional_policy(`
	cron_system_entry(squid_t, squid_exec_t)
')

optional_policy(`
	samba_domtrans_winbind_helper(squid_t)
')

optional_policy(`
	seutil_sigchld_newrole(squid_t)
')

optional_policy(`
	udev_read_db(squid_t)
')

ifdef(`TODO',`
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
') dnl end TODO
Commit	Line	Data
0f707d52	1
3392356f	2	policy_module(squid, 1.8.3)
0f707d52 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Allow squid to connect to all ports, not just
	12	## HTTP, FTP, and Gopher ports.
	13	## </p>
	14	## </desc>
0bfccda4	15	gen_tunable(squid_connect_any, false)
56e1b3d2	16
0f707d52 CP	17	type squid_t;
0f707d52 CP	18	type squid_exec_t;
0bfccda4	19	init_daemon_domain(squid_t, squid_exec_t)
0f707d52 CP	20
	21	# type for /var/cache/squid
	22	type squid_cache_t;
	23	files_type(squid_cache_t)
	24
	25	type squid_conf_t;
	26	files_type(squid_conf_t)
	27
48f64563 CP	28	type squid_initrc_exec_t;
	29	init_script_file(squid_initrc_exec_t)
	30
0f707d52 CP	31	type squid_log_t;
	32	logging_log_file(squid_log_t)
	33
	34	type squid_var_run_t;
	35	files_pid_file(squid_var_run_t)
	36
	37	########################################
	38	#
	39	# Local policy
	40	#
	41
a46b6054	42	allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
0f707d52	43	dontaudit squid_t self:capability sys_tty_config;
a5e2133b	44	allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
c0868a7a CP	45	allow squid_t self:fifo_file rw_fifo_file_perms;
c0868a7a CP	46	allow squid_t self:sock_file read_sock_file_perms;
0f707d52 CP	47	allow squid_t self:fd use;
	48	allow squid_t self:shm create_shm_perms;
	49	allow squid_t self:sem create_sem_perms;
	50	allow squid_t self:msgq create_msgq_perms;
	51	allow squid_t self:msg { send receive };
d1b9d922 CP	52	allow squid_t self:unix_stream_socket create_stream_socket_perms;
	53	allow squid_t self:unix_dgram_socket create_socket_perms;
	54	allow squid_t self:unix_dgram_socket sendto;
	55	allow squid_t self:unix_stream_socket connectto;
	56	allow squid_t self:tcp_socket create_stream_socket_perms;
	57	allow squid_t self:udp_socket create_socket_perms;
0f707d52 CP	58
0f707d52 CP	59	# Grant permissions to create, access, and delete cache files.
0bfccda4 CP	60	manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
	61	manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
	62	manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
0f707d52	63
c0868a7a	64	allow squid_t squid_conf_t:dir list_dir_perms;
0bfccda4 CP	65	read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
0bfccda4 CP	66	read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
0f707d52	67
0bfccda4	68	can_exec(squid_t, squid_exec_t)
0f707d52	69
0bfccda4 CP	70	manage_files_pattern(squid_t, squid_log_t, squid_log_t)
0bfccda4 CP	71	logging_log_filetrans(squid_t, squid_log_t, { file dir })
0f707d52	72
0bfccda4 CP	73	manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
0bfccda4 CP	74	files_pid_filetrans(squid_t, squid_var_run_t, file)
0f707d52	75
445522dc	76	kernel_read_kernel_sysctls(squid_t)
0f707d52	77	kernel_read_system_state(squid_t)
0f707d52	78
1c1ac67f	79	files_dontaudit_getattr_boot_dirs(squid_t)
0f707d52	80
19006686 CP	81	corenet_all_recvfrom_unlabeled(squid_t)
19006686 CP	82	corenet_all_recvfrom_netlabel(squid_t)
668b3093 CP	83	corenet_tcp_sendrecv_generic_if(squid_t)
668b3093 CP	84	corenet_udp_sendrecv_generic_if(squid_t)
c1262146 CP	85	corenet_tcp_sendrecv_generic_node(squid_t)
c1262146 CP	86	corenet_udp_sendrecv_generic_node(squid_t)
0f707d52 CP	87	corenet_tcp_sendrecv_all_ports(squid_t)
0f707d52 CP	88	corenet_udp_sendrecv_all_ports(squid_t)
c1262146 CP	89	corenet_tcp_bind_generic_node(squid_t)
c1262146 CP	90	corenet_udp_bind_generic_node(squid_t)
a46b6054	91	corenet_tcp_bind_http_port(squid_t)
0f707d52	92	corenet_tcp_bind_http_cache_port(squid_t)
46551033	93	corenet_udp_bind_http_cache_port(squid_t)
77f6e2cd	94	corenet_tcp_bind_ftp_port(squid_t)
77f6e2cd	95	corenet_tcp_bind_gopher_port(squid_t)
46551033	96	corenet_udp_bind_gopher_port(squid_t)
b129e200 CP	97	corenet_tcp_bind_squid_port(squid_t)
b129e200 CP	98	corenet_udp_bind_squid_port(squid_t)
a46b6054	99	corenet_udp_bind_wccp_port(squid_t)
0907bda1 CP	100	corenet_tcp_connect_ftp_port(squid_t)
	101	corenet_tcp_connect_gopher_port(squid_t)
	102	corenet_tcp_connect_http_port(squid_t)
b6a9bc35	103	corenet_tcp_connect_http_cache_port(squid_t)
a46b6054	104	corenet_tcp_connect_pgpkeyserver_port(squid_t)
b8373ee1 CP	105	corenet_sendrecv_ftp_client_packets(squid_t)
b8373ee1 CP	106	corenet_sendrecv_gopher_client_packets(squid_t)
a46b6054 CP	107	corenet_sendrecv_http_client_packets(squid_t)
a46b6054 CP	108	corenet_sendrecv_http_server_packets(squid_t)
b8373ee1 CP	109	corenet_sendrecv_http_cache_server_packets(squid_t)
b8373ee1 CP	110	corenet_sendrecv_http_cache_client_packets(squid_t)
a46b6054	111	corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
b129e200 CP	112	corenet_sendrecv_squid_client_packets(squid_t)
b129e200 CP	113	corenet_sendrecv_squid_server_packets(squid_t)
a46b6054	114	corenet_sendrecv_wccp_server_packets(squid_t)
0f707d52 CP	115
	116	dev_read_sysfs(squid_t)
	117	dev_read_urand(squid_t)
	118
	119	fs_getattr_all_fs(squid_t)
	120	fs_search_auto_mountpoints(squid_t)
3392356f	121	fs_list_inotifyfs(squid_t)
0f707d52 CP	122
	123	selinux_dontaudit_getattr_dir(squid_t)
	124
1815bad1	125	term_dontaudit_getattr_pty_dirs(squid_t)
0f707d52 CP	126
	127	# to allow running programs from /usr/lib/squid (IE unlinkd)
	128	corecmd_exec_bin(squid_t)
0f707d52 CP	129	corecmd_exec_shell(squid_t)
0f707d52 CP	130
15722ec9	131	domain_use_interactive_fds(squid_t)
0f707d52 CP	132
	133	files_read_etc_files(squid_t)
	134	files_read_etc_runtime_files(squid_t)
	135	files_read_usr_files(squid_t)
	136	files_search_spool(squid_t)
9e04f5c5	137	files_dontaudit_getattr_tmp_dirs(squid_t)
0f707d52 CP	138	files_getattr_home_dir(squid_t)
0f707d52 CP	139
c0cf6e0a	140	auth_use_nsswitch(squid_t)
a46b6054	141	auth_domtrans_chk_passwd(squid_t)
c0cf6e0a	142
0f707d52 CP	143	# to allow running programs from /usr/lib/squid (IE unlinkd)
	144	libs_exec_lib_files(squid_t)
	145
	146	logging_send_syslog_msg(squid_t)
	147
e6a2eaff	148	miscfiles_read_certs(squid_t)
0f707d52 CP	149	miscfiles_read_localization(squid_t)
0f707d52 CP	150
103fe280	151	userdom_use_unpriv_users_fds(squid_t)
296273a7	152	userdom_dontaudit_search_user_home_dirs(squid_t)
0f707d52	153
0907bda1 CP	154	tunable_policy(`squid_connect_any',`
0907bda1 CP	155	corenet_tcp_connect_all_ports(squid_t)
e87221ce CP	156	corenet_tcp_bind_all_ports(squid_t)
e87221ce CP	157	corenet_sendrecv_all_packets(squid_t)
0907bda1 CP	158	')
0907bda1 CP	159
bb7170f6	160	optional_policy(`
a46b6054 CP	161	apache_content_template(squid)
	162
	163	allow httpd_squid_script_t self:tcp_socket create_socket_perms;
	164
	165	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
	166	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
	167	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
	168
	169	sysnet_dns_name_resolve(httpd_squid_script_t)
	170
	171	squid_read_config(httpd_squid_script_t)
	172	')
	173
	174	optional_policy(`
	175	cron_system_entry(squid_t, squid_exec_t)
0f707d52 CP	176	')
0f707d52 CP	177
bb7170f6	178	optional_policy(`
d1b9d922 CP	179	samba_domtrans_winbind_helper(squid_t)
	180	')
	181
bb7170f6	182	optional_policy(`
0f707d52 CP	183	seutil_sigchld_newrole(squid_t)
	184	')
	185
bb7170f6	186	optional_policy(`
0f707d52 CP	187	udev_read_db(squid_t)
	188	')
	189
	190	ifdef(`TODO',`
0f707d52 CP	191	#squid requires the following when run in diskd mode, the recommended setting
	192	allow squid_t tmpfs_t:file { read write };
	193	') dnl end TODO