#DESC Squid - Web cache # # Author: Russell Coker # X-Debian-Packages: squid # ################################# # # Rules for the squid_t domain. # # squid_t is the domain the squid process runs in ifdef(`apache.te',` can_tcp_connect(squid_t, httpd_t) ', ` type http_cache_port_t, port_type; ') daemon_domain(squid, `, web_client_domain') type squid_conf_t, file_type, sysadmfile; allow { squid_t initrc_t } squid_conf_t:file r_file_perms; allow squid_t squid_conf_t:dir r_dir_perms; # var_log_squid_t is for /var/log/squid type var_log_squid_t, file_type, sysadmfile, logfile; # type for /var/cache/squid type squid_cache_t, file_type, sysadmfile; allow squid_t squid_t:capability { setgid setuid }; allow squid_t { etc_t etc_runtime_t }:file r_file_perms; allow squid_t etc_t:lnk_file read; allow squid_t self:unix_stream_socket create_socket_perms; allow squid_t self:unix_dgram_socket create_socket_perms; allow squid_t self:fifo_file rw_file_perms; allow squid_t { sysctl_t sysctl_kernel_t }:dir search; allow squid_t { sysctl_kernel_t }:file read; allow squid_t resolv_conf_t:file r_file_perms; allow squid_t devtty_t:chr_file rw_file_perms; allow squid_t { self proc_t }:file { read getattr }; # for when we use /var/spool/cache allow squid_t var_spool_t:dir search; # Grant permissions to create, access, and delete cache and log files. # No type transitions required, as the files inherit the parent directory type. allow squid_t squid_cache_t:dir create_dir_perms; allow squid_t squid_cache_t:{ file lnk_file } create_file_perms; allow squid_t var_log_t:dir r_dir_perms; allow squid_t var_log_squid_t:dir create_dir_perms; allow squid_t var_log_squid_t:file create_file_perms; ifdef(`logrotate.te', `domain_auto_trans(logrotate_t, squid_exec_t, squid_t)') ifdef(`crond.te', `domain_auto_trans(system_crond_t, squid_exec_t, squid_t)') # Use the network can_network(squid_t) can_tcp_connect(web_client_domain, squid_t) # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts) allow squid_t http_cache_port_t:tcp_socket name_bind; allow squid_t http_cache_port_t:udp_socket name_bind; # to allow running programs from /usr/lib/squid (IE unlinkd) # also allow exec()ing itself can_exec(squid_t, { lib_t squid_exec_t } ) allow squid_t { bin_t sbin_t }:dir search; dontaudit squid_t home_root_t:dir getattr; dontaudit squid_t security_t:dir { getattr };