add squid
This commit is contained in:
parent
7c8fc35b14
commit
0f707d52ab
@ -4,6 +4,7 @@
|
||||
comsat
|
||||
dbus
|
||||
dhcpd
|
||||
squid
|
||||
|
||||
* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
|
||||
- Add Makefile support for building loadable modules.
|
||||
|
@ -138,6 +138,11 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
# cjp: why?
|
||||
squid_domtrans(logrotate_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
#from privmail this needs more work:
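Review bot: `squid_domtrans(logrotate_t)` is added under a `# cjp: why?` comment, so the new transition from logrotate into squid_t ships with an open question instead of a rationale; the same pattern appears in the system_crond_t hunk (`squid_domtrans(system_crond_t)`). If the reason is that a log-rotation hook runs the squid binary (which the logrotate block moved into squid.te suggests), replace the question with that statement, e.g. `# log rotation runs the squid binary, which must transition to squid_t`, or leave the rule out until the need is confirmed. Note that `squid_domtrans` as defined in squid.if also lets squid_t use the caller's file descriptors, read/write its fifos and signal it, so the transition widens what logrotate and cron expose, not only what squid may do.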
|
||||
@ -155,14 +160,6 @@ allow logrotate_t domain:notdevfile_class_set r_file_perms;
|
||||
allow logrotate_t domain:dir r_dir_perms;
|
||||
allow logrotate_t exec_type:file getattr;
|
||||
|
||||
#this should go to squid:
|
||||
optional_policy(`logrotate.te', `
|
||||
allow squid_t { system_crond_t crond_t }:fd use;
|
||||
allow squid_t crond_t:fifo_file { read write };
|
||||
allow squid_t system_crond_t:fifo_file write;
|
||||
allow squid_t self:capability kill;
|
||||
')
|
||||
|
||||
# for /var/lib/logrotate.status and /var/lib/logcheck
|
||||
file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
|
||||
|
||||
|
@ -51,6 +51,24 @@ interface(`bootloader_run',`
|
||||
allow bootloader_t $3:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get attributes
|
||||
## of the /boot directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_dontaudit_getattr_boot_dir',`
|
||||
gen_require(`
|
||||
type boot_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 boot_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the /boot directory.
|
||||
|
@ -19,6 +19,24 @@ interface(`selinux_get_fs_mount',`
|
||||
kernel_read_system_state($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the selinuxfs directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_dontaudit_getattr_dir',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 security_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search selinuxfs.
|
||||
|
@ -214,6 +214,24 @@ interface(`term_setattr_console',`
|
||||
allow $1 console_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the /dev/pts directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_getattr_pty_dir',`
|
||||
gen_require(`
|
||||
type devpts_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 devpts_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the /dev/pts directory to
|
||||
|
@ -314,6 +314,24 @@ interface(`cron_system_entry',`
|
||||
allow $1 crond_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit and use a file descriptor
|
||||
## from the cron daemon.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_use_fd',`
|
||||
gen_require(`
|
||||
type crond_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
allow $1 crond_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to the cron daemon.
|
||||
@ -333,10 +351,10 @@ interface(`cron_sigchld',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read a cron daemon unnamed pipe
|
||||
## Read a cron daemon unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process to performing this action.
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_read_pipe',`
|
||||
@ -348,6 +366,23 @@ interface(`cron_read_pipe',`
|
||||
allow $1 crond_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a cron daemon unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_rw_pipe',`
|
||||
gen_require(`
|
||||
type crond_t;
|
||||
class file { read write };
|
||||
')
|
||||
|
||||
allow $1 crond_t:file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write the cron daemon log files.
|
||||
@ -384,6 +419,41 @@ interface(`cron_search_spool',`
|
||||
allow $1 cron_spool_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Inherit and use a file descriptor
|
||||
## from system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_use_system_job_fd',`
|
||||
gen_require(`
|
||||
type system_crond_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
allow $1 system_crond_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Wrate a system cron job unnamed pipe.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`cron_write_system_job_pipe',`
|
||||
gen_require(`
|
||||
type system_crond_t;
|
||||
class file write;
|
||||
')
|
||||
|
||||
allow $1 system_crond_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read temporary files from the system cron jobs.
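Review bot: The summary of `cron_write_system_job_pipe` contains a typo, `## Wrate a system cron job unnamed pipe.`; it should read `## Write a system cron job unnamed pipe.`. Separately, the cron pipe interfaces in this file (`cron_rw_pipe`, `cron_write_system_job_pipe`, and the existing `cron_read_pipe`) grant access on class `file`, while the new `squid_domtrans` in squid.if grants `fifo_file rw_file_perms` on the caller for what looks like the same pipe traffic; it is worth confirming which object class these pipes actually carry so that only the needed one is granted and the other is not left as dead permission.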
|
||||
|
@ -322,6 +322,11 @@ optional_policy(`nscd.te',`
|
||||
nscd_use_socket(system_crond_t)
|
||||
')
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
# cjp: why?
|
||||
squid_domtrans(system_crond_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
dontaudit userdomain system_crond_t:fd use;
|
||||
|
||||
|
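--- a/refpolicy/policy/modules/services/squid.fc
+++ b/refpolicy/policy/modules/services/squid.fc
@@ -0,0 +1,14 @@
+
+/etc/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0)
+
+/usr/sbin/squid -- context_template(system_u:object_r:squid_exec_t,s0)
+
+/usr/share/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0)
+
+/var/log/squid(/.*)? context_template(system_u:object_r:squid_log_t,s0)
+
+/var/run/squid\.pid -- context_template(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0)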
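--- a/refpolicy/policy/modules/services/squid.if
+++ b/refpolicy/policy/modules/services/squid.if
@@ -0,0 +1,84 @@
+## <summary>Squid caching http proxy server</summary>
+
+########################################
+## <summary>
+## Execute squid in the squid domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`squid_domtrans',`
+	gen_require(`
+		type squid_t, squid_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,squid_exec_t,squid_t)
+
+	allow $1 squid_t:fd use;
+	allow squid_t $1:fd use;
+	allow squid_t $1:fifo_file rw_file_perms;
+	allow squid_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Read squid configuration file.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`squid_read_config',`
+	gen_require(`
+		type squid_conf_t;
+		class file r_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 squid_conf_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## squid logs.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`squid_manage_logs',`
+	gen_require(`
+		type squid_log_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir rw_dir_perms;
+	allow $1 squid_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
+## Use squid services by connecting over TCP.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`squid_use',`
+	gen_require(`
+		type squid_t;
+		class tcp_socket { connectto acceptfrom recvfrom };
+	')
+
+	allow $1 squid_t:tcp_socket { connectto recvfrom };
+	allow squid_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')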
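Review bot: The summary of `squid_domtrans` says only `Execute squid in the squid domain.`, yet the body also grants squid_t `fd use`, `fifo_file rw_file_perms` and `process sigchld` on the caller; these reverse-direction permissions are what a caller such as logrotate or cron is actually agreeing to, so the summary should state them, e.g. `## Execute squid in the squid domain; squid may also inherit the caller's descriptors, read/write its fifos and send it SIGCHLD.` Likewise `squid_use` grants squid_t `acceptfrom` and `recvfrom` on the caller's sockets, so "Use squid services by connecting over TCP" understates it as a two-way grant. Documenting both sides keeps callers from treating these as one-directional interfaces.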
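--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -0,0 +1,166 @@
+
+policy_module(squid,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t,squid_exec_t)
+
+# type for /var/cache/squid
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { setgid setuid };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:fifo_file rw_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+
+# Grant permissions to create, access, and delete cache files.
+allow squid_t squid_cache_t:dir create_dir_perms;
+allow squid_t squid_cache_t:file create_file_perms;
+allow squid_t squid_cache_t:lnk_file create_lnk_perms;
+
+allow squid_t squid_conf_t:file r_file_perms;
+allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
+
+can_exec(squid_t,squid_exec_t)
+
+allow squid_t squid_log_t:file create_file_perms;
+allow squid_t squid_log_t:dir rw_dir_perms;
+logging_create_log(squid_t,squid_log_t,{ file dir })
+
+allow squid_t squid_var_run_t:file create_file_perms;
+files_create_pid(squid_t,squid_var_run_t)
+
+kernel_read_kernel_sysctl(squid_t)
+kernel_read_system_state(squid_t)
+kernel_tcp_recvfrom(squid_t)
+
+bootloader_dontaudit_getattr_boot_dir(squid_t)
+
+corenet_tcp_sendrecv_all_if(squid_t)
+corenet_raw_sendrecv_all_if(squid_t)
+corenet_udp_sendrecv_all_if(squid_t)
+corenet_tcp_sendrecv_all_nodes(squid_t)
+corenet_udp_sendrecv_all_nodes(squid_t)
+corenet_raw_sendrecv_all_nodes(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_all_nodes(squid_t)
+corenet_udp_bind_all_nodes(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_use_console(squid_t)
+term_dontaudit_getattr_pty_dir(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_sbin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_wide_inherit_fd(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dir(squid_t)
+files_getattr_home_dir(squid_t)
+
+init_use_fd(squid_t)
+init_use_script_pty(squid_t)
+
+libs_use_ld_so(squid_t)
+libs_use_shared_libs(squid_t)
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_localization(squid_t)
+
+userdom_use_unpriv_users_fd(squid_t)
+userdom_dontaudit_use_unpriv_user_fd(squid_t)
+userdom_dontaudit_search_sysadm_home_dir(squid_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(squid_t)
+	term_dontaudit_use_generic_pty(squid_t)
+	files_dontaudit_read_root_file(squid_t)
+')
+
+optional_policy(`logrotate.te',`
+	allow squid_t self:capability kill;
+	cron_use_fd(squid_t)
+	cron_use_system_job_fd(squid_t)
+	cron_rw_pipe(squid_t)
+	cron_write_system_job_pipe(squid_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(squid_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(squid_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(squid_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(squid_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+rhgb_domain(squid_t)
+')
+ifdef(`apache.te',`
+can_tcp_connect(squid_t, httpd_t)
+')
+#squid requires the following when run in diskd mode, the recommended setting
+allow squid_t tmpfs_t:file { read write };
+') dnl end TODO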
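Review bot: `allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` is a negated set, so every process permission not listed, including any added to the class in future policy versions, is granted to squid without anyone reviewing it; an explicit positive list of the permissions squid is observed to need is easier to audit and does not grow silently. The network section pairs `corenet_tcp_bind_http_cache_port` with `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports`, which a forward proxy may genuinely require, but nothing in the file says so; a one-line comment such as `# squid forwards client requests to arbitrary origin ports` would make the breadth deliberate rather than accidental. The `logrotate.te` optional block grants `self:capability kill` with no comment either, and the `#this should go to squid:` note from the removed logrotate TODO did not carry over, so the reason for that capability is now recorded nowhere.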
@ -1207,7 +1207,26 @@ interface(`files_manage_isid_type_chr_node',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search home directories root.
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the home directories root
|
||||
## (/home).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_home_dir',`
|
||||
gen_require(`
|
||||
type home_root_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
allow $1 home_root_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search home directories root (/home).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
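Review bot: The new `files_getattr_home_dir` interface does not do what its name or summary say: its body is a copy of `files_search_home` (`class dir search;` and `allow $1 home_root_t:dir search;`), while the summary promises "Do not audit attempts to get the attributes of the home directories root". Since the name carries no `dontaudit` and squid.te calls it as `files_getattr_home_dir(squid_t)` alongside a separate `files_dontaudit_getattr_tmp_dir`, the intended body is presumably `class dir getattr;` with `allow $1 home_root_t:dir getattr;`, and the summary should then read `## Get the attributes of the home directories root (/home).`. As committed, callers receive search on /home, which is broader than getattr, and nothing is actually un-audited.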
|
||||
@ -1224,7 +1243,8 @@ interface(`files_search_home',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search home directories root.
|
||||
## Do not audit attempts to search
|
||||
## home directories root (/home).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
@ -1469,6 +1489,24 @@ interface(`files_read_world_readable_sockets',`
|
||||
allow $1 readable_t:sock_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of the tmp directory (/tmp).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_tmp_dir',`
|
||||
gen_require(`
|
||||
type tmp_t;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 tmp_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the tmp directory (/tmp).
|
||||
|
@ -466,6 +466,11 @@ optional_policy(`rpm.te',`
|
||||
rpm_manage_db(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
squid_read_config(initrc_t)
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`ssh.te',`
|
||||
optional_policy(`inetd.te',`
|
||||
tunable_policy(`run_ssh_inetd',`',`
|
||||
|
@ -278,6 +278,10 @@ template(`base_user_template',`
|
||||
files_search_var_lib($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
squid_use($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`usermanage.te',`
|
||||
usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
@ -446,7 +450,7 @@ template(`unpriv_user_template', `
|
||||
# Inherit rules for ordinary users.
|
||||
base_user_template($1)
|
||||
|
||||
typeattribute $1_t unpriv_userdomain; #, web_client_domain
|
||||
typeattribute $1_t unpriv_userdomain;
|
||||
domain_wide_inherit_fd($1_t)
|
||||
|
||||
typeattribute $1_devpts_t user_ptynode;
|
||||
@ -673,7 +677,7 @@ template(`admin_user_template',`
|
||||
# Inherit rules for ordinary users.
|
||||
base_user_template($1)
|
||||
|
||||
typeattribute $1_t privhome; #, admin, web_client_domain
|
||||
typeattribute $1_t privhome;
|
||||
domain_obj_id_change_exempt($1_t)
|
||||
role system_r types $1_t;
|
||||
|
||||
|