From 0f707d52ab80469d36049b825b5151a99c927bdb Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 2 Sep 2005 19:11:07 +0000
Subject: [PATCH] add squid

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/admin/logrotate.te | 13 +-
 refpolicy/policy/modules/kernel/bootloader.if | 18 ++
 refpolicy/policy/modules/kernel/selinux.if | 18 ++
 refpolicy/policy/modules/kernel/terminal.if | 18 ++
 refpolicy/policy/modules/services/cron.if | 74 +++++++-
 refpolicy/policy/modules/services/cron.te | 5 +
 refpolicy/policy/modules/services/squid.fc | 14 ++
 refpolicy/policy/modules/services/squid.if | 84 +++++++++
 refpolicy/policy/modules/services/squid.te | 166 ++++++++++++++++++
 refpolicy/policy/modules/system/files.if | 42 ++++-
 refpolicy/policy/modules/system/init.te | 5 +
 refpolicy/policy/modules/system/userdomain.if | 8 +-
 13 files changed, 452 insertions(+), 14 deletions(-)
 create mode 100644 refpolicy/policy/modules/services/squid.fc
 create mode 100644 refpolicy/policy/modules/services/squid.if
 create mode 100644 refpolicy/policy/modules/services/squid.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 6f9abafb..cb547a7a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -4,6 +4,7 @@
 comsat
 dbus
 dhcpd
+ squid
 * Fri Aug 26 2005 Chris PeBenito - 20050826
 - Add Makefile support for building loadable modules.
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 911bca8f..d52097b8 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -138,6 +138,11 @@ optional_policy(`nscd.te',`
 nscd_use_socket(logrotate_t)
 ')
+optional_policy(`squid.te',`
+ # cjp: why?
+ squid_domtrans(logrotate_t)
+')
+
 ifdef(`TODO',`
 #from privmail this needs more work:
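Review bot: The `# cjp: why?` placeholder above `squid_domtrans(logrotate_t)` leaves the new domain transition unexplained in the policy, and the same open question is copied into the cron.te hunk for `system_crond_t`. The usual reason for logrotate to execute the squid binary is a postrotate step that asks the running daemon to reopen its logs, but that is an assumption and should be confirmed against the logrotate configuration shipped with squid before the rule is kept. If confirmed, replace the placeholder with a comment such as `# logrotate postrotate runs squid to reopen its logs`; if not, the transition should be dropped rather than left as an allow with no stated purpose.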
@@ -155,14 +160,6 @@ allow logrotate_t domain:notdevfile_class_set r_file_perms;
 allow logrotate_t domain:dir r_dir_perms;
 allow logrotate_t exec_type:file getattr;
-#this should go to squid:
-optional_policy(`logrotate.te', `
- allow squid_t { system_crond_t crond_t }:fd use;
- allow squid_t crond_t:fifo_file { read write };
- allow squid_t system_crond_t:fifo_file write;
- allow squid_t self:capability kill;
-')
-
 # for /var/lib/logrotate.status and /var/lib/logcheck
 file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 2e8def07..472a313d 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -51,6 +51,24 @@ interface(`bootloader_run',`
 allow bootloader_t $3:chr_file rw_file_perms;
 ')
+########################################
+##
+## Do not audit attempts to get attributes
+## of the /boot directory.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`bootloader_dontaudit_getattr_boot_dir',`
+ gen_require(`
+ type boot_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 boot_t:dir getattr;
+')
+
 ########################################
 ##
 ## Search the /boot directory.
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 837a94aa..6840d4bb 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -19,6 +19,24 @@ interface(`selinux_get_fs_mount',`
 kernel_read_system_state($1)
 ')
+########################################
+##
+## Do not audit attempts to get the
+## attributes of the selinuxfs directory.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`selinux_dontaudit_getattr_dir',`
+ gen_require(`
+ type security_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 security_t:dir getattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to search selinuxfs.
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index c183b0bf..2ba6b927 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -214,6 +214,24 @@ interface(`term_setattr_console',`
 allow $1 console_device_t:chr_file setattr;
 ')
+########################################
+##
+## Do not audit attempts to get the
+## attributes of the /dev/pts directory.
+##
+##
+## The type of the process to not audit.
+##
+#
+interface(`term_dontaudit_getattr_pty_dir',`
+ gen_require(`
+ type devpts_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 devpts_t:dir getattr;
+')
+
 ########################################
 ##
 ## Read the /dev/pts directory to
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index ec5f5aea..e418325f 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -314,6 +314,24 @@ interface(`cron_system_entry',`
 allow $1 crond_t:process sigchld;
 ')
+########################################
+##
+## Inherit and use a file descriptor
+## from the cron daemon.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_use_fd',`
+ gen_require(`
+ type crond_t;
+ class fd use;
+ ')
+
+ allow $1 crond_t:fd use;
+')
+
 ########################################
 ##
 ## Send a SIGCHLD signal to the cron daemon.
@@ -333,10 +351,10 @@ interface(`cron_sigchld',`
 ########################################
 ##
-## Read a cron daemon unnamed pipe
+## Read a cron daemon unnamed pipe.
 ##
 ##
-## The type of the process to performing this action.
+## Domain allowed access.
 ##
 #
 interface(`cron_read_pipe',`
@@ -348,6 +366,23 @@ interface(`cron_read_pipe',`
 allow $1 crond_t:file r_file_perms;
 ')
+########################################
+##
+## Read and write a cron daemon unnamed pipe.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_rw_pipe',`
+ gen_require(`
+ type crond_t;
+ class file { read write };
+ ')
+
+ allow $1 crond_t:file { read write };
+')
+
 ########################################
 ##
 ## Read and write the cron daemon log files.
@@ -384,6 +419,41 @@ interface(`cron_search_spool',`
 allow $1 cron_spool_t:dir search;
 ')
+########################################
+##
+## Inherit and use a file descriptor
+## from system cron jobs.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_use_system_job_fd',`
+ gen_require(`
+ type system_crond_t;
+ class fd use;
+ ')
+
+ allow $1 system_crond_t:fd use;
+')
+
+########################################
+##
+## Wrate a system cron job unnamed pipe.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cron_write_system_job_pipe',`
+ gen_require(`
+ type system_crond_t;
+ class file write;
+ ')
+
+ allow $1 system_crond_t:file write;
+')
+
 ########################################
 ##
 ## Read temporary files from the system cron jobs.
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index cba03eaf..d0ddc63b 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -322,6 +322,11 @@ optional_policy(`nscd.te',`
 nscd_use_socket(system_crond_t)
 ')
+optional_policy(`squid.te',`
+ # cjp: why?
+ squid_domtrans(system_crond_t)
+')
+
 ifdef(`TODO',`
 dontaudit userdomain system_crond_t:fd use;
diff --git a/refpolicy/policy/modules/services/squid.fc b/refpolicy/policy/modules/services/squid.fc
new file mode 100644
index 00000000..944b7e63
--- /dev/null
+++ b/refpolicy/policy/modules/services/squid.fc
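Review bot: `cron_rw_pipe` and `cron_write_system_job_pipe` grant their access on the `file` class (`allow $1 crond_t:file { read write };` and `allow $1 system_crond_t:file write;`), but the logrotate.te rules this commit removes were on `fifo_file` (`allow squid_t crond_t:fifo_file { read write };`, `allow squid_t system_crond_t:fifo_file write;`), and an unnamed pipe inherited from a cron job is a fifo_file object, so the caller is still denied on the pipe and instead receives read/write on regular files that happen to carry a domain type. Change the `class` lines in both gen_require blocks and both allow rules to `fifo_file`, e.g. `allow $1 crond_t:fifo_file { read write };` and `allow $1 system_crond_t:fifo_file write;`; the context line `allow $1 crond_t:file r_file_perms;` from the pre-existing `cron_read_pipe` shows the same mismatch and is worth fixing in the same pass. The summary of `cron_write_system_job_pipe` also has a typo: `## Wrate a system cron job unnamed pipe.` should read `## Write a system cron job unnamed pipe.`.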
@@ -0,0 +1,14 @@
+
+/etc/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0)
+
+/usr/sbin/squid -- context_template(system_u:object_r:squid_exec_t,s0)
+
+/usr/share/squid(/.*)? context_template(system_u:object_r:squid_conf_t,s0)
+
+/var/cache/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0)
+
+/var/log/squid(/.*)? context_template(system_u:object_r:squid_log_t,s0)
+
+/var/run/squid\.pid -- context_template(system_u:object_r:squid_var_run_t,s0)
+
+/var/spool/squid(/.*)? context_template(system_u:object_r:squid_cache_t,s0)
diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if
new file mode 100644
index 00000000..a5bdc54b
--- /dev/null
+++ b/refpolicy/policy/modules/services/squid.if
@@ -0,0 +1,84 @@
+## Squid caching http proxy server
+
+########################################
+##
+## Execute squid in the squid domain.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`squid_domtrans',`
+ gen_require(`
+ type squid_t, squid_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,squid_exec_t,squid_t)
+
+ allow $1 squid_t:fd use;
+ allow squid_t $1:fd use;
+ allow squid_t $1:fifo_file rw_file_perms;
+ allow squid_t $1:process sigchld;
+')
+
+########################################
+##
+## Read squid configuration file.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`squid_read_config',`
+ gen_require(`
+ type squid_conf_t;
+ class file r_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 squid_conf_t:file r_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete
+## squid logs.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`squid_manage_logs',`
+ gen_require(`
+ type squid_log_t;
+ class dir rw_dir_perms;
+ class file create_file_perms;
+ ')
+
+ logging_search_logs($1)
+ allow $1 squid_log_t:dir rw_dir_perms;
+ allow $1 squid_log_t:file create_file_perms;
+')
+
+########################################
+##
+## Use squid services by connecting over TCP.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`squid_use',`
+ gen_require(`
+ type squid_t;
+ class tcp_socket { connectto acceptfrom recvfrom };
+ ')
+
+ allow $1 squid_t:tcp_socket { connectto recvfrom };
+ allow squid_t $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
new file mode 100644
index 00000000..ddba18a9
--- /dev/null
+++ b/refpolicy/policy/modules/services/squid.te
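Review bot: `squid_use` is documented as letting a domain use squid over TCP, but it only grants the socket-level `connectto`/`recvfrom` pairing between the two domains plus `kernel_tcp_recvfrom($1)`; it says nothing about the http cache port that squid_t binds (`corenet_tcp_bind_http_cache_port` in squid.te), so a caller that does not already hold send/receive rights on that port will still be denied. Either add the corenet send/receive call for the http cache port here so the interface is self-contained, or state in the summary that port access is the caller's responsibility. Separately, the parameter description in `squid_domtrans`, `## The type of the process performing this action.`, differs from the `## Domain allowed access.` wording used by the other three interfaces in the same file; the file would read more consistently with one form.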
@@ -0,0 +1,166 @@
+
+policy_module(squid,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type squid_t;
+type squid_exec_t;
+init_daemon_domain(squid_t,squid_exec_t)
+
+# type for /var/cache/squid
+type squid_cache_t;
+files_type(squid_cache_t)
+
+type squid_conf_t;
+files_type(squid_conf_t)
+
+type squid_log_t;
+logging_log_file(squid_log_t)
+
+type squid_var_run_t;
+files_pid_file(squid_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow squid_t self:capability { setgid setuid };
+dontaudit squid_t self:capability sys_tty_config;
+allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow squid_t self:unix_stream_socket create_stream_socket_perms;
+allow squid_t self:unix_dgram_socket create_socket_perms;
+allow squid_t self:unix_dgram_socket sendto;
+allow squid_t self:unix_stream_socket connectto;
+allow squid_t self:fifo_file rw_file_perms;
+allow squid_t self:fd use;
+allow squid_t self:shm create_shm_perms;
+allow squid_t self:sem create_sem_perms;
+allow squid_t self:msgq create_msgq_perms;
+allow squid_t self:msg { send receive };
+
+# Grant permissions to create, access, and delete cache files.
+allow squid_t squid_cache_t:dir create_dir_perms;
+allow squid_t squid_cache_t:file create_file_perms;
+allow squid_t squid_cache_t:lnk_file create_lnk_perms;
+
+allow squid_t squid_conf_t:file r_file_perms;
+allow squid_t squid_conf_t:dir r_dir_perms;
+allow squid_t squid_conf_t:lnk_file read;
+
+can_exec(squid_t,squid_exec_t)
+
+allow squid_t squid_log_t:file create_file_perms;
+allow squid_t squid_log_t:dir rw_dir_perms;
+logging_create_log(squid_t,squid_log_t,{ file dir })
+
+allow squid_t squid_var_run_t:file create_file_perms;
+files_create_pid(squid_t,squid_var_run_t)
+
+kernel_read_kernel_sysctl(squid_t)
+kernel_read_system_state(squid_t)
+kernel_tcp_recvfrom(squid_t)
+
+bootloader_dontaudit_getattr_boot_dir(squid_t)
+
+corenet_tcp_sendrecv_all_if(squid_t)
+corenet_raw_sendrecv_all_if(squid_t)
+corenet_udp_sendrecv_all_if(squid_t)
+corenet_tcp_sendrecv_all_nodes(squid_t)
+corenet_udp_sendrecv_all_nodes(squid_t)
+corenet_raw_sendrecv_all_nodes(squid_t)
+corenet_tcp_sendrecv_all_ports(squid_t)
+corenet_udp_sendrecv_all_ports(squid_t)
+corenet_tcp_bind_all_nodes(squid_t)
+corenet_udp_bind_all_nodes(squid_t)
+corenet_tcp_bind_http_cache_port(squid_t)
+corenet_udp_bind_http_cache_port(squid_t)
+
+dev_read_sysfs(squid_t)
+dev_read_urand(squid_t)
+
+fs_getattr_all_fs(squid_t)
+fs_search_auto_mountpoints(squid_t)
+
+selinux_dontaudit_getattr_dir(squid_t)
+
+term_dontaudit_use_console(squid_t)
+term_dontaudit_getattr_pty_dir(squid_t)
+
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+corecmd_exec_bin(squid_t)
+corecmd_exec_sbin(squid_t)
+corecmd_exec_shell(squid_t)
+
+domain_use_wide_inherit_fd(squid_t)
+
+files_read_etc_files(squid_t)
+files_read_etc_runtime_files(squid_t)
+files_read_usr_files(squid_t)
+files_search_spool(squid_t)
+files_dontaudit_getattr_tmp_dir(squid_t)
+files_getattr_home_dir(squid_t)
+
+init_use_fd(squid_t)
+init_use_script_pty(squid_t)
+
+libs_use_ld_so(squid_t)
+libs_use_shared_libs(squid_t)
+# to allow running programs from /usr/lib/squid (IE unlinkd)
+libs_exec_lib_files(squid_t)
+
+logging_send_syslog_msg(squid_t)
+
+miscfiles_read_localization(squid_t)
+
+userdom_use_unpriv_users_fd(squid_t)
+userdom_dontaudit_use_unpriv_user_fd(squid_t)
+userdom_dontaudit_search_sysadm_home_dir(squid_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(squid_t)
+ term_dontaudit_use_generic_pty(squid_t)
+ files_dontaudit_read_root_file(squid_t)
+')
+
+optional_policy(`logrotate.te',`
+ allow squid_t self:capability kill;
+ cron_use_fd(squid_t)
+ cron_use_system_job_fd(squid_t)
+ cron_rw_pipe(squid_t)
+ cron_write_system_job_pipe(squid_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(squid_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(squid_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(squid_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(squid_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(squid_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(squid_t)
+')
+ifdef(`apache.te',`
+can_tcp_connect(squid_t, httpd_t)
+')
+#squid requires the following when run in diskd mode, the recommended setting
+allow squid_t tmpfs_t:file { read write };
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 0d1e406b..bf0e5b4c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
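Review bot: The four cron_* calls are wrapped in `optional_policy(`logrotate.te',`, but the interfaces they invoke require types owned by the cron module (`crond_t`, `system_crond_t`), so the block is keyed to the wrong module: with logrotate present and cron absent the gen_require fails, and with cron present but logrotate absent the rules are silently dropped. Change the guard to `optional_policy(`cron.te',` and keep `allow squid_t self:capability kill;` inside it only if that capability is genuinely tied to the cron path rather than to squid in general. `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` are granted although no `self:rawip_socket` permission appears anywhere in the file, so as written those two rules can never be exercised; either they are unnecessary or a raw-socket rule is missing. The comment `# to allow running programs from /usr/lib/squid (IE unlinkd)` appears twice, once above the corecmd_exec_* calls and once above `libs_exec_lib_files`; since squid.fc does not label /usr/lib/squid, it presumably carries the generic library label that only `libs_exec_lib_files` covers, so the first copy is misleading and should be dropped or reworded to say what the corecmd rules are for.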
@@ -1207,7 +1207,26 @@ interface(`files_manage_isid_type_chr_node',`
 ########################################
 ##
-## Search home directories root.
+## Do not audit attempts to get the
+## attributes of the home directories root
+## (/home).
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_getattr_home_dir',`
+ gen_require(`
+ type home_root_t;
+ class dir search;
+ ')
+
+ allow $1 home_root_t:dir search;
+')
+
+########################################
+##
+## Search home directories root (/home).
 ##
 ##
 ## The type of the process performing this action.
@@ -1224,7 +1243,8 @@ interface(`files_search_home',`
 ########################################
 ##
-## Do not audit attempts to search home directories root.
+## Do not audit attempts to search
+## home directories root (/home).
 ##
 ##
 ## Domain to not audit.
@@ -1469,6 +1489,24 @@ interface(`files_read_world_readable_sockets',`
 allow $1 readable_t:sock_file r_file_perms;
 ')
+########################################
+##
+## Do not audit attempts to get the
+## attributes of the tmp directory (/tmp).
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`files_dontaudit_getattr_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ class dir getattr;
+ ')
+
+ dontaudit $1 tmp_t:dir getattr;
+')
+
 ########################################
 ##
 ## Search the tmp directory (/tmp).
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index c5d37a52..a55cd76c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -466,6 +466,11 @@ optional_policy(`rpm.te',`
 rpm_manage_db(initrc_t)
 ')
+optional_policy(`squid.te',`
+ squid_read_config(initrc_t)
+ squid_manage_logs(initrc_t)
+')
+
 optional_policy(`ssh.te',`
 optional_policy(`inetd.te',`
 tunable_policy(`run_ssh_inetd',`',`
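Review bot: `files_getattr_home_dir` in the first files.if hunk is internally inconsistent: its name says getattr, its summary says "Do not audit attempts to get the attributes of the home directories root", yet the body declares `class dir search;` and grants `allow $1 home_root_t:dir search;`, so squid_t, which calls it from squid.te, ends up with search on /home rather than the getattr the name promises. Make the three agree, for example `## Get the attributes of the home directories root (/home).`, `class dir getattr;` and `allow $1 home_root_t:dir getattr;`; if a dontaudit was really intended, rename the interface to say so and use `dontaudit` instead of `allow`. The neighbouring `files_dontaudit_getattr_tmp_dir` in the third hunk is the consistent model to follow.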
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 3c42fed1..4615eef7 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -278,6 +278,10 @@ template(`base_user_template',`
 files_search_var_lib($1_t)
 ')
+ optional_policy(`squid.te',`
+ squid_use($1_t)
+ ')
+
 optional_policy(`usermanage.te',`
 usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -446,7 +450,7 @@ template(`unpriv_user_template', `
 # Inherit rules for ordinary users.
 base_user_template($1)
- typeattribute $1_t unpriv_userdomain; #, web_client_domain
+ typeattribute $1_t unpriv_userdomain;
 domain_wide_inherit_fd($1_t)
 typeattribute $1_devpts_t user_ptynode;
@@ -673,7 +677,7 @@ template(`admin_user_template',`
 # Inherit rules for ordinary users.
 base_user_template($1)
- typeattribute $1_t privhome; #, admin, web_client_domain
+ typeattribute $1_t privhome;
 domain_obj_id_change_exempt($1_t)
 role system_r types $1_t;