From d86c09846b11963e98dfe1a4a2a2b3c414f48e50 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Fri, 7 May 2010 10:57:56 -0400
Subject: [PATCH] squid patch from Dan Walsh
Edits:
- Added netport to corenetwork.te.in
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 policy/modules/services/squid.te | 21 ++++++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c13599da6..7af86cf44 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -144,6 +144,7 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
 network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index e0c69f4be..96d8cd5dc 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -14,6 +14,13 @@ policy_module(squid, 1.9.0)
 ##
 gen_tunable(squid_connect_any, false)
+##
+##
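Review bot: The label name `netport` in the added `network_port(netport, tcp,3129,s0, udp,3129,s0)` line says nothing about what port 3129 is, yet it becomes the public interface name (`corenet_tcp_bind_netport_port` and friends) that squid.te and any later module will call, and the name an auditor sees when checking which domains may bind that port. Judging by the squid hunk in this same patch, 3129 appears to be squid's transparent-proxy intercept port, so a name that says so would be clearer; at minimum a comment on the line, e.g. `# 3129: squid transparent proxy (TPROXY) intercept port`, would record the intent. The line also declares UDP 3129, but the only consumer in this patch binds the TCP side, so the UDP label is unused unless something else is meant to bind it; either document that consumer or drop the UDP half.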

+## Allow squid to run as a transparent proxy (TPROXY) +##

+##
+gen_tunable(squid_use_tproxy, false)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
@@ -67,7 +74,9 @@ read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
 can_exec(squid_t, squid_exec_t)
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
 manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
 logging_log_filetrans(squid_t, squid_log_t, { file dir })
 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
@@ -118,6 +127,8 @@ dev_read_urand(squid_t)
 fs_getattr_all_fs(squid_t)
 fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
 fs_list_inotifyfs(squid_t)
 selinux_dontaudit_getattr_dir(squid_t)
@@ -157,6 +168,11 @@ tunable_policy(`squid_connect_any',`
 corenet_sendrecv_all_packets(squid_t)
 ')
+tunable_policy(`squid_use_tproxy',`
+ allow squid_t self:capability net_admin;
+ corenet_tcp_bind_netport_port(squid_t)
+')
+
 optional_policy(`
 apache_content_template(squid)
@@ -186,8 +202,3 @@ optional_policy(`
 optional_policy(`
 udev_read_db(squid_t)
 ')
-
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
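Review bot: `fs_rw_tmpfs_files(squid_t)` grants read and write on every file labeled tmpfs_t, which is shared by any process whose tmpfs or SysV shared-memory objects did not get a private type, so squid can read or modify other daemons' segments and they can touch squid's; the diskd shared memory this is meant for (as I understand diskd, it uses SysV shm, which the kernel backs with its internal tmpfs) does not require that scope. The refpolicy pattern for this is a private tmpfs type with a type transition, which confines squid to segments it creates itself; the declaration would go with the other type declarations near the top of the file, and the rules would replace the `fs_rw_tmpfs_files` line. If tmpfs_t itself is genuinely needed, the comment should say why; either way it should use the file's `# ` comment spacing rather than `#squid`.
```m4
type squid_tmpfs_t;
files_tmpfs_file(squid_tmpfs_t)
# … unchanged: remaining type declarations and squid_t rules …
# diskd shared memory: confine squid to its own tmpfs-backed segments
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
```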
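Review bot: `allow squid_t self:capability net_admin;` inside the new `squid_use_tproxy` block is a broad grant — CAP_NET_ADMIN covers interface, routing, netfilter and netlink administration, far more than the IP_TRANSPARENT socket option TPROXY actually needs — and nothing in the hunk or in the tunable's description says that flipping the boolean hands this capability to the daemon. Since the kernel offers no narrower capability for IP_TRANSPARENT the grant itself is defensible, but it should be documented: a comment above the allow such as `# IP_TRANSPARENT (TPROXY) requires CAP_NET_ADMIN; no narrower capability exists` and a sentence in the tunable's `<desc>` (outside this hunk) warning administrators of the capability grant. It is also worth confirming whether squid needs `corenet_udp_bind_netport_port(squid_t)` here, given that corenetwork.te.in now declares UDP 3129 as well, or whether that UDP label should be dropped.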