[selinux-policy: 2678/3172] squid patch from Dan Walsh

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:58:09 UTC 2010


commit d86c09846b11963e98dfe1a4a2a2b3c414f48e50
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Fri May 7 10:57:56 2010 -0400

    squid patch from Dan Walsh
    
    Edits:
     - Added netport to corenetwork.te.in

 policy/modules/kernel/corenetwork.te.in |    1 +
 policy/modules/services/squid.te        |   21 ++++++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c13599d..7af86cf 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -144,6 +144,7 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63163,s0)
 network_port(mysqlmanagerd, tcp,2273,s0)
 network_port(nessus, tcp,1241,s0)
+network_port(netport, tcp,3129,s0, udp,3129,s0)
 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
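Review bot: The name `netport` on the added line says nothing about which service or protocol owns tcp/udp 3129, unlike the neighbouring entries (nessus, netsupport, nmbd), so the generated interface `corenet_tcp_bind_netport_port` will be hard to audit later. A service-specific name, or at least a trailing comment such as `# 3129: squid TPROXY intercept port`, would make the intent recoverable, since the commit message only records that the line was added. The udp,3129 entry also appears unused by the only consumer introduced in this commit, which binds TCP only, so it is worth dropping unless another domain is expected to need it.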
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index e0c69f4..96d8cd5 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -14,6 +14,13 @@ policy_module(squid, 1.9.0)
 ## </desc>
 gen_tunable(squid_connect_any, false)
 
+## <desc>
+## <p>
+## Allow squid to run as a transparent proxy (TPROXY)
+## </p>
+## </desc>
+gen_tunable(squid_use_tproxy, false)
+
 type squid_t;
 type squid_exec_t;
 init_daemon_domain(squid_t, squid_exec_t)
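Review bot: The tunable description at the top of the hunk does not say what enabling `squid_use_tproxy` actually grants, which is what an administrator toggling it needs to weigh. Because the matching tunable_policy block later in this file grants the net_admin capability and a bind on the netport port, I would extend the text to `## Allow squid to run as a transparent proxy (TPROXY). This grants squid_t the net_admin capability and permission to bind the netport port (tcp 3129).` The rest of the description block is fine as it is.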
@@ -67,7 +74,9 @@ read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
 
 can_exec(squid_t, squid_exec_t)
 
+manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
 manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
 logging_log_filetrans(squid_t, squid_log_t, { file dir })
 
 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
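Review bot: The two added lines widen squid_t from file management to directory and symlink management in squid_log_t, but neither the hunk nor the commit message records why squid needs to create or delete symlinks under its log directory. A short why-comment above them, e.g. `# squid creates subdirectories and symlinks under its log dir during rotation`, adjusted to whatever denial was actually observed, would keep a later reviewer from pruning the lnk permission as spurious. If symlinks turn out not to be required, `manage_lnk_files_pattern` is the line to drop.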
@@ -118,6 +127,8 @@ dev_read_urand(squid_t)
 
 fs_getattr_all_fs(squid_t)
 fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
 fs_list_inotifyfs(squid_t)
 
 selinux_dontaudit_getattr_dir(squid_t)
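Review bot: `fs_rw_tmpfs_files(squid_t)` is granted unconditionally, yet the comment above it ties the need to one cache_dir mode (diskd), so every squid installation now gets read/write on all tmpfs_t files rather than only those installations configured for diskd. If the objects being hit are the SysV shared-memory segments diskd uses (which SELinux labels tmpfs_t), a private type created via `fs_tmpfs_filetrans` would confine squid to its own segments; failing that, gating the line behind a tunable, or at least rewording the comment to `# diskd cache_dir mode uses tmpfs_t-labeled shm segments; granted unconditionally because cache_dir mode is not known at policy build time`, makes the trade-off explicit. I cannot confirm from this diff alone that diskd's shm segments are the actual object involved, so the comment should state what was observed.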
@@ -157,6 +168,11 @@ tunable_policy(`squid_connect_any',`
 	corenet_sendrecv_all_packets(squid_t)
 ')
 
+tunable_policy(`squid_use_tproxy',`
+	allow squid_t self:capability net_admin;
+	corenet_tcp_bind_netport_port(squid_t)
+')
+
 optional_policy(`
 	apache_content_template(squid)
 
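Review bot: `allow squid_t self:capability net_admin;` is a much broader grant than the TPROXY use case needs in principle, since net_admin also covers routing, interface and netfilter configuration from the squid domain, so the block should record why it is there, e.g. `# setting IP_TRANSPARENT on the listening socket requires CAP_NET_ADMIN`, worded to the kernel requirement the authors verified. The tunable defaults to off, which limits the exposure, but pairing the capability with only `corenet_tcp_bind_netport_port` while corenetwork.te.in declares udp,3129 as well leaves the UDP side unused; either drop the udp entry there or add the udp bind here so the two files agree. The enclosing file continues past the end of this hunk.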
@@ -186,8 +202,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(squid_t)
 ')
-
-ifdef(`TODO',`
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO

