add squid

refpolicy/Changelog

@@ -4,6 +4,7 @@
 	comsat
 	dbus
 	dhcpd
+	squid
 
 * Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
 - Add Makefile support for building loadable modules.

refpolicy/policy/modules/admin/logrotate.te

@@ -138,6 +138,11 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(logrotate_t)
 ')
 
+optional_policy(`squid.te',`
+	# cjp: why?
+	squid_domtrans(logrotate_t)
+')
+
 ifdef(`TODO',`
 
 #from privmail this needs more work:
@@ -155,14 +160,6 @@ allow logrotate_t domain:notdevfile_class_set r_file_perms;
 allow logrotate_t domain:dir r_dir_perms;
 allow logrotate_t exec_type:file getattr;
 
-#this should go to squid:
-optional_policy(`logrotate.te', `
-	allow squid_t { system_crond_t crond_t }:fd use;
-	allow squid_t crond_t:fifo_file { read write };
-	allow squid_t system_crond_t:fifo_file write;
-	allow squid_t self:capability kill;
-')
-
 # for /var/lib/logrotate.status and /var/lib/logcheck
 file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
 

refpolicy/policy/modules/kernel/bootloader.if

@@ -51,6 +51,24 @@ interface(`bootloader_run',`
 	allow bootloader_t $3:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get attributes
+##	of the /boot directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`bootloader_dontaudit_getattr_boot_dir',`
+	gen_require(`
+		type boot_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 boot_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the /boot directory.

refpolicy/policy/modules/kernel/selinux.if

@@ -19,6 +19,24 @@ interface(`selinux_get_fs_mount',`
 	kernel_read_system_state($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the selinuxfs directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`selinux_dontaudit_getattr_dir',`
+	gen_require(`
+		type security_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 security_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search selinuxfs.

refpolicy/policy/modules/kernel/terminal.if

@@ -214,6 +214,24 @@ interface(`term_setattr_console',`
 	allow $1 console_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the /dev/pts directory.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`term_dontaudit_getattr_pty_dir',`
+	gen_require(`
+		type devpts_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 devpts_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Read the /dev/pts directory to

refpolicy/policy/modules/services/cron.if

@@ -314,6 +314,24 @@ interface(`cron_system_entry',`
 	allow $1 crond_t:process sigchld;
 ')
 
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from the cron daemon.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cron_use_fd',`
+	gen_require(`
+		type crond_t;
+		class fd use;
+	')
+
+	allow $1 crond_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to the cron daemon.
@@ -333,10 +351,10 @@ interface(`cron_sigchld',`
 
 ########################################
 ## <summary>
-##	Read a cron daemon unnamed pipe
+##	Read a cron daemon unnamed pipe.
 ## </summary>
 ## <param name="domain">
-##	The type of the process to performing this action.
+##	Domain allowed access.
 ## </param>
 #
 interface(`cron_read_pipe',`
@@ -348,6 +366,23 @@ interface(`cron_read_pipe',`
 	allow $1 crond_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read and write a cron daemon unnamed pipe.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cron_rw_pipe',`
+	gen_require(`
+		type crond_t;
+		class file { read write };
+	')
+
+	allow $1 crond_t:file { read write };
+')
+
 ########################################
 ## <summary>
 ##	Read and write the cron daemon log files.
@@ -384,6 +419,41 @@ interface(`cron_search_spool',`
 	allow $1 cron_spool_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Inherit and use a file descriptor
+##	from system cron jobs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cron_use_system_job_fd',`
+	gen_require(`
+		type system_crond_t;
+		class fd use;
+	')
+
+	allow $1 system_crond_t:fd use;
+')
+
+########################################
+## <summary>
+##	Wrate a system cron job unnamed pipe.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`cron_write_system_job_pipe',`
+	gen_require(`
+		type system_crond_t;
+		class file write;
+	')
+
+	allow $1 system_crond_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Read temporary files from the system cron jobs.

refpolicy/policy/modules/services/cron.te

@@ -322,6 +322,11 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_crond_t)
 ')
 
+optional_policy(`squid.te',`
+	# cjp: why?
+	squid_domtrans(system_crond_t)
+')
+
 ifdef(`TODO',`
 dontaudit userdomain system_crond_t:fd use;
 

refpolicy/policy/modules/services/squid.fc

@@ -0,0 +1,14 @@
+
+/etc/squid(/.*)?		context_template(system_u:object_r:squid_conf_t,s0)
+
+/usr/sbin/squid		--	context_template(system_u:object_r:squid_exec_t,s0)
+
+/usr/share/squid(/.*)?		context_template(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)?		context_template(system_u:object_r:squid_cache_t,s0)
+
+/var/log/squid(/.*)?		context_template(system_u:object_r:squid_log_t,s0)
+
+/var/run/squid\.pid	--	context_template(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid(/.*)?		context_template(system_u:object_r:squid_cache_t,s0)

refpolicy/policy/modules/services/squid.if

@@ -0,0 +1,84 @@
+## <summary>Squid caching http proxy server</summary>
+
+########################################
+## <summary>
+##	Execute squid in the squid domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`squid_domtrans',`
+	gen_require(`
+		type squid_t, squid_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,squid_exec_t,squid_t)
+
+	allow $1 squid_t:fd use;
+	allow squid_t $1:fd use;
+	allow squid_t $1:fifo_file rw_file_perms;
+	allow squid_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read squid configuration file.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_read_config',`
+	gen_require(`
+		type squid_conf_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 squid_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_manage_logs',`
+	gen_require(`
+		type squid_log_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir rw_dir_perms;
+	allow $1 squid_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Use squid services by connecting over TCP.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_use',`
+	gen_require(`
+		type squid_t;
+		class tcp_socket { connectto acceptfrom recvfrom };
+	')
+
+	allow $1 squid_t:tcp_socket { connectto recvfrom };
+	allow squid_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')

refpolicy/policy/modules/services/squid.te

@@ -0,0 +1,166 @@
+
+policy_module(squid,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t,squid_exec_t)
+
+# type for /var/cache/squid
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { setgid setuid };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:fifo_file rw_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+
+# Grant permissions to create, access, and delete cache files.
+allow squid_t squid_cache_t:dir create_dir_perms;
+allow squid_t squid_cache_t:file create_file_perms;
+allow squid_t squid_cache_t:lnk_file create_lnk_perms;
+
+allow squid_t squid_conf_t:file r_file_perms;
+allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
+
+can_exec(squid_t,squid_exec_t)
+
+allow squid_t squid_log_t:file create_file_perms;
+allow squid_t squid_log_t:dir rw_dir_perms;
+logging_create_log(squid_t,squid_log_t,{ file dir })
+
+allow squid_t squid_var_run_t:file create_file_perms;
+files_create_pid(squid_t,squid_var_run_t)
+
+kernel_read_kernel_sysctl(squid_t)
+kernel_read_system_state(squid_t)
+kernel_tcp_recvfrom(squid_t)
+
+bootloader_dontaudit_getattr_boot_dir(squid_t)
+
+corenet_tcp_sendrecv_all_if(squid_t)
+corenet_raw_sendrecv_all_if(squid_t)
+corenet_udp_sendrecv_all_if(squid_t)
+corenet_tcp_sendrecv_all_nodes(squid_t)
+corenet_udp_sendrecv_all_nodes(squid_t)
+corenet_raw_sendrecv_all_nodes(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_all_nodes(squid_t)
+corenet_udp_bind_all_nodes(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_use_console(squid_t)
+term_dontaudit_getattr_pty_dir(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_sbin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_wide_inherit_fd(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dir(squid_t)
+files_getattr_home_dir(squid_t)
+
+init_use_fd(squid_t)
+init_use_script_pty(squid_t)
+
+libs_use_ld_so(squid_t)
+libs_use_shared_libs(squid_t)
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_localization(squid_t)
+
+userdom_use_unpriv_users_fd(squid_t)
+userdom_dontaudit_use_unpriv_user_fd(squid_t)
+userdom_dontaudit_search_sysadm_home_dir(squid_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(squid_t)
+	term_dontaudit_use_generic_pty(squid_t)
+	files_dontaudit_read_root_file(squid_t)
+')
+
+optional_policy(`logrotate.te',`
+	allow squid_t self:capability kill;
+	cron_use_fd(squid_t)
+	cron_use_system_job_fd(squid_t)
+	cron_rw_pipe(squid_t)
+	cron_write_system_job_pipe(squid_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(squid_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(squid_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(squid_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(squid_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(squid_t)
+')
+ifdef(`apache.te',`
+can_tcp_connect(squid_t, httpd_t)
+')
+#squid requires the following when run in diskd mode, the recommended setting
+allow squid_t tmpfs_t:file { read write };
+') dnl end TODO

refpolicy/policy/modules/system/files.if

@@ -1207,7 +1207,26 @@ interface(`files_manage_isid_type_chr_node',`
 
 ########################################
 ## <summary>
-##	Search home directories root.
+##	Do not audit attempts to get the
+##	attributes of the home directories root
+##	(/home).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_home_dir',`
+	gen_require(`
+		type home_root_t;
+		class dir search;
+	')
+
+	allow $1 home_root_t:dir search;
+')
+
+########################################
+## <summary>
+##	Search home directories root (/home).
 ## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
@@ -1224,7 +1243,8 @@ interface(`files_search_home',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to search home directories root.
+##	Do not audit attempts to search
+##	home directories root (/home).
 ## </summary>
 ## <param name="domain">
 ##	Domain to not audit.
@@ -1469,6 +1489,24 @@ interface(`files_read_world_readable_sockets',`
 	allow $1 readable_t:sock_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_dontaudit_getattr_tmp_dir',`
+	gen_require(`
+		type tmp_t;
+		class dir getattr;
+	')
+
+	dontaudit $1 tmp_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the tmp directory (/tmp).

refpolicy/policy/modules/system/init.te

@@ -466,6 +466,11 @@ optional_policy(`rpm.te',`
 	rpm_manage_db(initrc_t)
 ')
 
+optional_policy(`squid.te',`
+	squid_read_config(initrc_t)
+	squid_manage_logs(initrc_t)
+')
+
 optional_policy(`ssh.te',`
 	optional_policy(`inetd.te',`
 		tunable_policy(`run_ssh_inetd',`',`

refpolicy/policy/modules/system/userdomain.if

@@ -278,6 +278,10 @@ template(`base_user_template',`
 		files_search_var_lib($1_t)
 	')
 
+	optional_policy(`squid.te',`
+		squid_use($1_t)
+	')
+
 	optional_policy(`usermanage.te',`
 		usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 		usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -446,7 +450,7 @@ template(`unpriv_user_template', `
 	# Inherit rules for ordinary users.
 	base_user_template($1)
 
-	typeattribute $1_t unpriv_userdomain; #, web_client_domain
+	typeattribute $1_t unpriv_userdomain;
 	domain_wide_inherit_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
@@ -673,7 +677,7 @@ template(`admin_user_template',`
 	# Inherit rules for ordinary users.
 	base_user_template($1)
 
-	typeattribute $1_t privhome; #, admin, web_client_domain
+	typeattribute $1_t privhome;
 	domain_obj_id_change_exempt($1_t)
 	role system_r types $1_t;