trunk: squid update from dan.

2008-09-15 13:31:28 +00:00 · 2008-09-15 13:31:28 +00:00 · a46b60549a
commit a46b60549a
parent 21ea2b1884
4 changed files with 70 additions and 14 deletions
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork, 1.2.18)
+policy_module(corenetwork, 1.2.19)

 ########################################
 #
@ -135,6 +135,7 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(postfix_policyd, tcp,10031,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
--- a/policy/modules/services/squid.fc
+++ b/policy/modules/services/squid.fc
@ -1,14 +1,12 @@
-
+/etc/rc.d/init.d/squid	--	gen_context(system_u:object_r:squid_script_exec_t,s0)
 /etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)

+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 /usr/sbin/squid		--	gen_context(system_u:object_r:squid_exec_t,s0)
-
 /usr/share/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)

 /var/cache/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
-
 /var/log/squid(/.*)?		gen_context(system_u:object_r:squid_log_t,s0)
-
 /var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
-
 /var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@ -19,6 +19,43 @@ interface(`squid_domtrans',`
 	domtrans_pattern($1, squid_exec_t, squid_t)
 ')

+########################################
+## <summary>
+##	Send generic signals to squid.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_signal',`
+	gen_require(`
+		type squid_t;
+	')
+
+	allow $1 squid_t:process signal;
+')
+
+########################################
+## <summary>
+##	Allow read and write squid
+##	unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`squid_rw_stream_sockets',`
+	gen_require(`
+		type squid_t;
+	')
+
+	allow $1 squid_t:unix_stream_socket { getattr read write };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search squid cache dirs
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@ -1,5 +1,5 @@

-policy_module(squid, 1.6.0)
+policy_module(squid, 1.6.1)

 ########################################
 #
@ -28,6 +28,9 @@ files_type(squid_conf_t)
 type squid_log_t;
 logging_log_file(squid_log_t)

+type squid_script_exec_t;
+init_script_file(squid_script_exec_t)
+
 type squid_var_run_t;
 files_pid_file(squid_var_run_t)

@ -36,7 +39,7 @@ files_pid_file(squid_var_run_t)
 # Local policy
 #

-allow squid_t self:capability { setgid setuid dac_override sys_resource };
+allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
 dontaudit squid_t self:capability sys_tty_config;
 allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
 allow squid_t self:fifo_file rw_fifo_file_perms;
@ -85,6 +88,7 @@ corenet_tcp_sendrecv_all_ports(squid_t)
 corenet_udp_sendrecv_all_ports(squid_t)
 corenet_tcp_bind_all_nodes(squid_t)
 corenet_udp_bind_all_nodes(squid_t)
+corenet_tcp_bind_http_port(squid_t)
 corenet_tcp_bind_http_cache_port(squid_t)
 corenet_udp_bind_http_cache_port(squid_t)
 corenet_tcp_bind_ftp_port(squid_t)
@ -92,17 +96,22 @@ corenet_tcp_bind_gopher_port(squid_t)
 corenet_udp_bind_gopher_port(squid_t)
 corenet_tcp_bind_squid_port(squid_t)
 corenet_udp_bind_squid_port(squid_t)
+corenet_udp_bind_wccp_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
 corenet_tcp_connect_http_cache_port(squid_t)
-corenet_sendrecv_http_client_packets(squid_t)
+corenet_tcp_connect_pgpkeyserver_port(squid_t)
 corenet_sendrecv_ftp_client_packets(squid_t)
 corenet_sendrecv_gopher_client_packets(squid_t)
+corenet_sendrecv_http_client_packets(squid_t)
+corenet_sendrecv_http_server_packets(squid_t)
 corenet_sendrecv_http_cache_server_packets(squid_t)
 corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
 corenet_sendrecv_squid_client_packets(squid_t)
 corenet_sendrecv_squid_server_packets(squid_t)
+corenet_sendrecv_wccp_server_packets(squid_t)

 dev_read_sysfs(squid_t)
 dev_read_urand(squid_t)
@ -128,6 +137,7 @@ files_dontaudit_getattr_tmp_dirs(squid_t)
 files_getattr_home_dir(squid_t)

 auth_use_nsswitch(squid_t)
+auth_domtrans_chk_passwd(squid_t)

 libs_use_ld_so(squid_t)
 libs_use_shared_libs(squid_t)
@ -149,11 +159,21 @@ tunable_policy(`squid_connect_any',`
 ')

 optional_policy(`
-	allow squid_t self:capability kill;
-	cron_use_fds(squid_t)
-	cron_use_system_job_fds(squid_t)
-	cron_rw_pipes(squid_t)
-	cron_write_system_job_pipes(squid_t)
+	apache_content_template(squid)
+
+	allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+
+	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+
+	sysnet_dns_name_resolve(httpd_squid_script_t)
+
+	squid_read_config(httpd_squid_script_t)
+')
+
+optional_policy(`
+	cron_system_entry(squid_t, squid_exec_t)
 ')

 optional_policy(`