diff options
Diffstat (limited to 'policy/modules/services/squid.if')
| -rw-r--r-- | policy/modules/services/squid.if | 243 |
1 files changed, 243 insertions, 0 deletions
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if new file mode 100644 index 000000000..2443afbde --- /dev/null +++ b/policy/modules/services/squid.if @@ -0,0 +1,243 @@ +## <summary>Squid caching http proxy server.</summary> + +######################################## +## <summary> +## Execute squid in the squid domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`squid_domtrans',` + gen_require(` + type squid_t, squid_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, squid_exec_t, squid_t) +') + +######################################## +## <summary> +## Execute squid in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_exec',` + gen_require(` + type squid_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, squid_exec_t) +') + +######################################## +## <summary> +## Send generic signals to squid. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_signal',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:process signal; +') + +######################################## +## <summary> +## Read and write squid unix +## domain stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_rw_stream_sockets',` + gen_require(` + type squid_t; + ') + + allow $1 squid_t:unix_stream_socket { getattr read write }; +') + +######################################## +## <summary> +## Do not audit attempts to search +## squid cache directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_dontaudit_search_cache',` + gen_require(` + type squid_cache_t; + ') + + dontaudit $1 squid_cache_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read squid configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_read_config',` + gen_require(` + type squid_conf_t; + ') + + files_search_etc($1) + read_files_pattern($1, squid_conf_t, squid_conf_t) +') + +######################################## +## <summary> +## Read squid log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_read_log',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## <summary> +## Append squid log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`squid_append_log',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## squid log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_manage_logs',` + gen_require(` + type squid_log_t; + ') + + logging_search_logs($1) + manage_files_pattern($1, squid_log_t, squid_log_t) +') + +######################################## +## <summary> +## dontaudit statting tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not be audited +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_dontaudit_read_tmpfs_files',` + gen_require(` + type squid_tmpfs_t; + ') + + dontaudit $1 squid_tmpfs_t:file getattr; +') + +######################################## +## <summary> +## All of the rules required to +## administrate an squid environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`squid_admin',` + gen_require(` + type squid_t, squid_cache_t, squid_conf_t; + type squid_log_t, squid_var_run_t, squid_tmpfs_t; + type squid_initrc_exec_t, squid_tmp_t; + ') + + allow $1 squid_t:process { ptrace signal_perms }; + ps_process_pattern($1, squid_t) + + init_startstop_service($1, $2, squid_t, squid_initrc_exec_t) + + files_list_var($1) + admin_pattern($1, squid_cache_t) + + files_list_etc($1) + admin_pattern($1, squid_conf_t) + + logging_list_logs($1) + admin_pattern($1, squid_log_t) + + files_list_pids($1) + admin_pattern($1, squid_var_run_t) + + fs_list_tmpfs($1) + admin_pattern($1, squid_tmpfs_t) + + files_list_tmp($1) + admin_pattern($1, squid_tmp_t) +') |