add squid

This commit is contained in:
Chris PeBenito 2005-09-02 19:11:07 +00:00
parent 7c8fc35b14
commit 0f707d52ab
13 changed files with 452 additions and 14 deletions


@ -4,6 +4,7 @@
comsat
dbus
dhcpd
squid
* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
- Add Makefile support for building loadable modules.


@ -138,6 +138,11 @@ optional_policy(`nscd.te',`
nscd_use_socket(logrotate_t)
')
optional_policy(`squid.te',`
# cjp: why?
squid_domtrans(logrotate_t)
')
ifdef(`TODO',`
#from privmail this needs more work:
@ -155,14 +160,6 @@ allow logrotate_t domain:notdevfile_class_set r_file_perms;
allow logrotate_t domain:dir r_dir_perms;
allow logrotate_t exec_type:file getattr;
#this should go to squid:
optional_policy(`logrotate.te', `
allow squid_t { system_crond_t crond_t }:fd use;
allow squid_t crond_t:fifo_file { read write };
allow squid_t system_crond_t:fifo_file write;
allow squid_t self:capability kill;
')
# for /var/lib/logrotate.status and /var/lib/logcheck
file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
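Review bot: The new `squid_domtrans(logrotate_t)` call is justified only by `# cjp: why?`, so the policy now grants logrotate a domain transition into squid_t with no recorded reason; the same comment and call appear in the system_crond_t section further down. Presumably a postrotate action re-executes the squid binary so it reopens its logs, which would also explain the fd/pipe rules moved out of the TODO block here, but that is an inference and the commit does not state it. Replace the question with the actual justification once confirmed, e.g. `# logrotate's postrotate action runs squid to reopen its logs (confirm)`, or drop the transition if no such hook exists, since an unexplained transition rule tends to survive long after its trigger is gone.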


@ -51,6 +51,24 @@ interface(`bootloader_run',`
allow bootloader_t $3:chr_file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to get attributes
## of the /boot directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`bootloader_dontaudit_getattr_boot_dir',`
gen_require(`
type boot_t;
class dir getattr;
')
dontaudit $1 boot_t:dir getattr;
')
########################################
## <summary>
## Search the /boot directory.


@ -19,6 +19,24 @@ interface(`selinux_get_fs_mount',`
kernel_read_system_state($1)
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of the selinuxfs directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`selinux_dontaudit_getattr_dir',`
gen_require(`
type security_t;
class dir getattr;
')
dontaudit $1 security_t:dir getattr;
')
########################################
## <summary>
## Do not audit attempts to search selinuxfs.


@ -214,6 +214,24 @@ interface(`term_setattr_console',`
allow $1 console_device_t:chr_file setattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_getattr_pty_dir',`
gen_require(`
type devpts_t;
class dir getattr;
')
dontaudit $1 devpts_t:dir getattr;
')
########################################
## <summary>
## Read the /dev/pts directory to


@ -314,6 +314,24 @@ interface(`cron_system_entry',`
allow $1 crond_t:process sigchld;
')
########################################
## <summary>
## Inherit and use a file descriptor
## from the cron daemon.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cron_use_fd',`
gen_require(`
type crond_t;
class fd use;
')
allow $1 crond_t:fd use;
')
########################################
## <summary>
## Send a SIGCHLD signal to the cron daemon.
@ -333,10 +351,10 @@ interface(`cron_sigchld',`
########################################
## <summary>
## Read a cron daemon unnamed pipe
## Read a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
## The type of the process to performing this action.
## Domain allowed access.
## </param>
#
interface(`cron_read_pipe',`
@ -348,6 +366,23 @@ interface(`cron_read_pipe',`
allow $1 crond_t:file r_file_perms;
')
########################################
## <summary>
## Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cron_rw_pipe',`
gen_require(`
type crond_t;
class file { read write };
')
allow $1 crond_t:file { read write };
')
########################################
## <summary>
## Read and write the cron daemon log files.
@ -384,6 +419,41 @@ interface(`cron_search_spool',`
allow $1 cron_spool_t:dir search;
')
########################################
## <summary>
## Inherit and use a file descriptor
## from system cron jobs.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cron_use_system_job_fd',`
gen_require(`
type system_crond_t;
class fd use;
')
allow $1 system_crond_t:fd use;
')
########################################
## <summary>
## Wrate a system cron job unnamed pipe.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`cron_write_system_job_pipe',`
gen_require(`
type system_crond_t;
class file write;
')
allow $1 system_crond_t:file write;
')
########################################
## <summary>
## Read temporary files from the system cron jobs.
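Review bot: `cron_rw_pipe` and `cron_write_system_job_pipe` grant their access on class `file` (`allow $1 crond_t:file { read write };`, `allow $1 system_crond_t:file write;`), but the rules they replace in the logrotate.te TODO block used `fifo_file`, which is the object class of an unnamed pipe; as written the interfaces do not cover the pipe access their summaries describe, and `file` on a process type instead reaches files that carry that type (in SELinux the entries under /proc/<pid> are labeled with the process's domain), which is a different and unintended grant. The existing `cron_read_pipe` above uses `file` as well, so this may be an inherited convention, but the class should match what the summary promises: `class fifo_file { read write };` / `allow $1 crond_t:fifo_file { read write };` in `cron_rw_pipe`, and likewise `fifo_file write` in `cron_write_system_job_pipe`. Also fix the summary typo `## Wrate a system cron job unnamed pipe.` to `## Write a system cron job unnamed pipe.`.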


@ -322,6 +322,11 @@ optional_policy(`nscd.te',`
nscd_use_socket(system_crond_t)
')
optional_policy(`squid.te',`
# cjp: why?
squid_domtrans(system_crond_t)
')
ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use;


@ -0,0 +1,14 @@
/etc/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0)
/usr/sbin/squid -- context_template(system_u:object_r:squid_exec_t,s0)
/usr/share/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0)
/var/cache/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0)
/var/log/squid(/.*)? context_template(system_u:object_r:squid_log_t,s0)
/var/run/squid\.pid -- context_template(system_u:object_r:squid_var_run_t,s0)
/var/spool/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0)


@ -0,0 +1,84 @@
## <summary>Squid caching http proxy server</summary>
########################################
## <summary>
## Execute squid in the squid domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`squid_domtrans',`
gen_require(`
type squid_t, squid_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1,squid_exec_t,squid_t)
allow $1 squid_t:fd use;
allow squid_t $1:fd use;
allow squid_t $1:fifo_file rw_file_perms;
allow squid_t $1:process sigchld;
')
########################################
## <summary>
## Read squid configuration file.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`squid_read_config',`
gen_require(`
type squid_conf_t;
class file r_file_perms;
')
files_search_etc($1)
allow $1 squid_conf_t:file r_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## squid logs.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`squid_manage_logs',`
gen_require(`
type squid_log_t;
class dir rw_dir_perms;
class file create_file_perms;
')
logging_search_logs($1)
allow $1 squid_log_t:dir rw_dir_perms;
allow $1 squid_log_t:file create_file_perms;
')
########################################
## <summary>
## Use squid services by connecting over TCP.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`squid_use',`
gen_require(`
type squid_t;
class tcp_socket { connectto acceptfrom recvfrom };
')
allow $1 squid_t:tcp_socket { connectto recvfrom };
allow squid_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
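Review bot: `squid_read_config` grants only `squid_conf_t:file r_file_perms` after `files_search_etc($1)`, but the file contexts added in this commit label the `/etc/squid` directory itself as squid_conf_t (`/etc/squid(/.*)?`), so a caller such as initrc_t can reach the config file only if it can also search that directory; squid.te grants squid_t `squid_conf_t:dir r_dir_perms` separately, and the interface gives callers nothing equivalent. Add `class dir search;` to the gen_require block and `allow $1 squid_conf_t:dir search;` before the file rule, so that the summary `## Read squid configuration file.` matches what the interface actually permits. The same contexts label `/usr/share/squid` as squid_conf_t, so callers needing that tree would additionally need a usr search grant, which this interface does not attempt to cover.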


@ -0,0 +1,166 @@
policy_module(squid,1.0)
########################################
#
# Declarations
#
type squid_t;
type squid_exec_t;
init_daemon_domain(squid_t,squid_exec_t)
# type for /var/cache/squid
type squid_cache_t;
files_type(squid_cache_t)
type squid_conf_t;
files_type(squid_conf_t)
type squid_log_t;
logging_log_file(squid_log_t)
type squid_var_run_t;
files_pid_file(squid_var_run_t)
########################################
#
# Local policy
#
allow squid_t self:capability { setgid setuid };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow squid_t self:unix_stream_socket create_stream_socket_perms;
allow squid_t self:unix_dgram_socket create_socket_perms;
allow squid_t self:unix_dgram_socket sendto;
allow squid_t self:unix_stream_socket connectto;
allow squid_t self:fifo_file rw_file_perms;
allow squid_t self:fd use;
allow squid_t self:shm create_shm_perms;
allow squid_t self:sem create_sem_perms;
allow squid_t self:msgq create_msgq_perms;
allow squid_t self:msg { send receive };
# Grant permissions to create, access, and delete cache files.
allow squid_t squid_cache_t:dir create_dir_perms;
allow squid_t squid_cache_t:file create_file_perms;
allow squid_t squid_cache_t:lnk_file create_lnk_perms;
allow squid_t squid_conf_t:file r_file_perms;
allow squid_t squid_conf_t:dir r_dir_perms;
allow squid_t squid_conf_t:lnk_file read;
can_exec(squid_t,squid_exec_t)
allow squid_t squid_log_t:file create_file_perms;
allow squid_t squid_log_t:dir rw_dir_perms;
logging_create_log(squid_t,squid_log_t,{ file dir })
allow squid_t squid_var_run_t:file create_file_perms;
files_create_pid(squid_t,squid_var_run_t)
kernel_read_kernel_sysctl(squid_t)
kernel_read_system_state(squid_t)
kernel_tcp_recvfrom(squid_t)
bootloader_dontaudit_getattr_boot_dir(squid_t)
corenet_tcp_sendrecv_all_if(squid_t)
corenet_raw_sendrecv_all_if(squid_t)
corenet_udp_sendrecv_all_if(squid_t)
corenet_tcp_sendrecv_all_nodes(squid_t)
corenet_udp_sendrecv_all_nodes(squid_t)
corenet_raw_sendrecv_all_nodes(squid_t)
corenet_tcp_sendrecv_all_ports(squid_t)
corenet_udp_sendrecv_all_ports(squid_t)
corenet_tcp_bind_all_nodes(squid_t)
corenet_udp_bind_all_nodes(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t)
dev_read_sysfs(squid_t)
dev_read_urand(squid_t)
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
selinux_dontaudit_getattr_dir(squid_t)
term_dontaudit_use_console(squid_t)
term_dontaudit_getattr_pty_dir(squid_t)
# to allow running programs from /usr/lib/squid (IE unlinkd)
corecmd_exec_bin(squid_t)
corecmd_exec_sbin(squid_t)
corecmd_exec_shell(squid_t)
domain_use_wide_inherit_fd(squid_t)
files_read_etc_files(squid_t)
files_read_etc_runtime_files(squid_t)
files_read_usr_files(squid_t)
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dir(squid_t)
files_getattr_home_dir(squid_t)
init_use_fd(squid_t)
init_use_script_pty(squid_t)
libs_use_ld_so(squid_t)
libs_use_shared_libs(squid_t)
# to allow running programs from /usr/lib/squid (IE unlinkd)
libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_localization(squid_t)
userdom_use_unpriv_users_fd(squid_t)
userdom_dontaudit_use_unpriv_user_fd(squid_t)
userdom_dontaudit_search_sysadm_home_dir(squid_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(squid_t)
term_dontaudit_use_generic_pty(squid_t)
files_dontaudit_read_root_file(squid_t)
')
optional_policy(`logrotate.te',`
allow squid_t self:capability kill;
cron_use_fd(squid_t)
cron_use_system_job_fd(squid_t)
cron_rw_pipe(squid_t)
cron_write_system_job_pipe(squid_t)
')
optional_policy(`mount.te',`
mount_send_nfs_client_request(squid_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(squid_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(squid_t)
')
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(squid_t)
')
optional_policy(`udev.te', `
udev_read_db(squid_t)
')
ifdef(`TODO',`
optional_policy(`rhgb.te',`
rhgb_domain(squid_t)
')
ifdef(`apache.te',`
can_tcp_connect(squid_t, httpd_t)
')
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
') dnl end TODO
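Review bot: The four `cron_*` calls are guarded by `optional_policy(`logrotate.te', …)` although the interfaces they invoke require crond_t and system_crond_t from the cron module (see their gen_require blocks in cron.if above), so a build with logrotate present but cron absent would fail on those requires, if the build allows that combination. The grouping mirrors the TODO block removed from logrotate.te, but the actual dependency is on cron; nest `optional_policy(`cron.te',` … `')` around the four `cron_*` calls inside the logrotate guard, or guard on cron.te directly. A one-line comment stating why squid_t needs these fds and pipes would also help, presumably `# squid is re-executed by logrotate under cron and inherits the job's fds and pipes (confirm)`.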


@ -1207,7 +1207,26 @@ interface(`files_manage_isid_type_chr_node',`
########################################
## <summary>
## Search home directories root.
## Do not audit attempts to get the
## attributes of the home directories root
## (/home).
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_getattr_home_dir',`
gen_require(`
type home_root_t;
class dir search;
')
allow $1 home_root_t:dir search;
')
########################################
## <summary>
## Search home directories root (/home).
## </summary>
## <param name="domain">
## The type of the process performing this action.
@ -1224,7 +1243,8 @@ interface(`files_search_home',`
########################################
## <summary>
## Do not audit attempts to search home directories root.
## Do not audit attempts to search
## home directories root (/home).
## </summary>
## <param name="domain">
## Domain to not audit.
@ -1469,6 +1489,24 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_dontaudit_getattr_tmp_dir',`
gen_require(`
type tmp_t;
class dir getattr;
')
dontaudit $1 tmp_t:dir getattr;
')
########################################
## <summary>
## Search the tmp directory (/tmp).
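Review bot: The new `files_getattr_home_dir` interface is named and called as a getattr grant (squid.te invokes `files_getattr_home_dir(squid_t)`), its summary says `Do not audit attempts to get the attributes of the home directories root`, yet its body is `allow $1 home_root_t:dir search;` — name, summary and rule disagree three ways, so the caller ends up with search on /home and no getattr. Given the allow-style name and this file's `files_dontaudit_*` naming for dontaudit rules, the summary should read `## Get the attributes of the home directories root (/home).` and the body `class dir getattr;` / `allow $1 home_root_t:dir getattr;`. The neighbouring `files_search_home` already exists for the search case.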


@ -466,6 +466,11 @@ optional_policy(`rpm.te',`
rpm_manage_db(initrc_t)
')
optional_policy(`squid.te',`
squid_read_config(initrc_t)
squid_manage_logs(initrc_t)
')
optional_policy(`ssh.te',`
optional_policy(`inetd.te',`
tunable_policy(`run_ssh_inetd',`',`


@ -278,6 +278,10 @@ template(`base_user_template',`
files_search_var_lib($1_t)
')
optional_policy(`squid.te',`
squid_use($1_t)
')
optional_policy(`usermanage.te',`
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@ -446,7 +450,7 @@ template(`unpriv_user_template', `
# Inherit rules for ordinary users.
base_user_template($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain
typeattribute $1_t unpriv_userdomain;
domain_wide_inherit_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@ -673,7 +677,7 @@ template(`admin_user_template',`
# Inherit rules for ordinary users.
base_user_template($1)
typeattribute $1_t privhome; #, admin, web_client_domain
typeattribute $1_t privhome;
domain_obj_id_change_exempt($1_t)
role system_r types $1_t;