## Squid caching http proxy server. ######################################## ## ## Execute squid in the squid domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`squid_domtrans',` gen_require(` type squid_t, squid_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, squid_exec_t, squid_t) ') ######################################## ## ## Execute squid in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`squid_exec',` gen_require(` type squid_exec_t; ') corecmd_search_bin($1) can_exec($1, squid_exec_t) ') ######################################## ## ## Send generic signals to squid. ## ## ## ## Domain allowed access. ## ## # interface(`squid_signal',` gen_require(` type squid_t; ') allow $1 squid_t:process signal; ') ######################################## ## ## Read and write squid unix ## domain stream sockets. ## ## ## ## Domain allowed access. ## ## # interface(`squid_rw_stream_sockets',` gen_require(` type squid_t; ') allow $1 squid_t:unix_stream_socket { getattr read write }; ') ######################################## ## ## Do not audit attempts to search ## squid cache directories. ## ## ## ## Domain to not audit. ## ## ## # interface(`squid_dontaudit_search_cache',` gen_require(` type squid_cache_t; ') dontaudit $1 squid_cache_t:dir search_dir_perms; ') ######################################## ## ## Read squid configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`squid_read_config',` gen_require(` type squid_conf_t; ') files_search_etc($1) read_files_pattern($1, squid_conf_t, squid_conf_t) ') ######################################## ## ## Read squid log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`squid_read_log',` gen_require(` type squid_log_t; ') logging_search_logs($1) read_files_pattern($1, squid_log_t, squid_log_t) ') ######################################## ## ## Append squid log files. ## ## ## ## Domain allowed access. ## ## # interface(`squid_append_log',` gen_require(` type squid_log_t; ') logging_search_logs($1) append_files_pattern($1, squid_log_t, squid_log_t) ') ######################################## ## ## Create, read, write, and delete ## squid log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`squid_manage_logs',` gen_require(` type squid_log_t; ') logging_search_logs($1) manage_files_pattern($1, squid_log_t, squid_log_t) ') ######################################## ## ## dontaudit statting tmpfs files ## ## ## ## Domain to not be audited ## ## ## # interface(`squid_dontaudit_read_tmpfs_files',` gen_require(` type squid_tmpfs_t; ') dontaudit $1 squid_tmpfs_t:file getattr; ') ######################################## ## ## All of the rules required to ## administrate an squid environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`squid_admin',` gen_require(` type squid_t, squid_cache_t, squid_conf_t; type squid_log_t, squid_runtime_t, squid_tmpfs_t; type squid_initrc_exec_t, squid_tmp_t; ') allow $1 squid_t:process { ptrace signal_perms }; ps_process_pattern($1, squid_t) init_startstop_service($1, $2, squid_t, squid_initrc_exec_t) files_list_var($1) admin_pattern($1, squid_cache_t) files_list_etc($1) admin_pattern($1, squid_conf_t) logging_list_logs($1) admin_pattern($1, squid_log_t) files_list_runtime($1) admin_pattern($1, squid_runtime_t) fs_list_tmpfs($1) admin_pattern($1, squid_tmpfs_t) files_list_tmp($1) admin_pattern($1, squid_tmp_t) ')