selinux-policy/strict/domains/program/squid.te

77 lines
2.4 KiB
Plaintext
Raw Normal View History

2005-04-29 17:45:15 +00:00
#DESC Squid - Web cache
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: squid
#
#################################
#
# Rules for the squid_t domain.
#
# squid_t is the domain the squid process runs in
ifdef(`apache.te',`
can_tcp_connect(squid_t, httpd_t)
')
daemon_domain(squid, `, web_client_domain, nscd_client_domain')
type squid_conf_t, file_type, sysadmfile;
general_domain_access(squid_t)
allow { squid_t initrc_t } squid_conf_t:file r_file_perms;
allow squid_t squid_conf_t:dir r_dir_perms;
allow squid_t squid_conf_t:lnk_file read;
logdir_domain(squid)
rw_dir_create_file(initrc_t, squid_log_t)
allow squid_t usr_t:file { getattr read };
# type for /var/cache/squid
type squid_cache_t, file_type, sysadmfile;
allow squid_t self:capability { setgid setuid net_bind_service };
allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
allow squid_t etc_t:lnk_file read;
allow squid_t self:unix_stream_socket create_socket_perms;
allow squid_t self:unix_dgram_socket create_socket_perms;
allow squid_t self:fifo_file rw_file_perms;
read_sysctl(squid_t)
allow squid_t devtty_t:chr_file rw_file_perms;
allow squid_t { self proc_t }:file { read getattr };
# for when we use /var/spool/cache
allow squid_t var_spool_t:dir search;
# Grant permissions to create, access, and delete cache files.
# No type transitions required, as the files inherit the parent directory type.
create_dir_file(squid_t, squid_cache_t)
ifdef(`logrotate.te',
`domain_auto_trans(logrotate_t, squid_exec_t, squid_t)')
ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)')
# Use the network
can_network(squid_t)
can_ypbind(squid_t)
can_tcp_connect(web_client_domain, squid_t)
# tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
allow squid_t http_cache_port_t:tcp_socket name_bind;
allow squid_t http_cache_port_t:udp_socket name_bind;
# to allow running programs from /usr/lib/squid (IE unlinkd)
# also allow exec()ing itself
can_exec(squid_t, { lib_t squid_exec_t bin_t sbin_t shell_exec_t } )
allow squid_t { bin_t sbin_t }:dir search;
allow squid_t { bin_t sbin_t }:lnk_file read;
dontaudit squid_t { boot_t tmp_t home_root_t security_t devpts_t }:dir getattr;
ifdef(`targeted_policy', `
dontaudit squid_t tty_device_t:chr_file { read write };
')
allow squid_t urandom_device_t:chr_file { getattr read };
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };