
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 29 Oct 2012 14:56:23
Message-Id: 1351522114.1d2680217915270bbf33c024eae6c519fd40be98.SwifT@gentoo
1 commit: 1d2680217915270bbf33c024eae6c519fd40be98
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 29 08:58:21 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Mon Oct 29 14:48:34 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d268021
7
8 Changes to the squid policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/squid.fc | 9 ++-
16 policy/modules/contrib/squid.if | 36 ++++++----
17 policy/modules/contrib/squid.te | 140 +++++++++++++++++++++++----------------
18 3 files changed, 114 insertions(+), 71 deletions(-)
19
20 diff --git a/policy/modules/contrib/squid.fc b/policy/modules/contrib/squid.fc
21 index fe232c8..0a8b0f7 100644
22 --- a/policy/modules/contrib/squid.fc
23 +++ b/policy/modules/contrib/squid.fc
24 @@ -1,13 +1,20 @@
25 -/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
26 /etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
27
28 +/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
29 +
30 /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
31 +
32 /usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
33 +
34 /usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
35
36 /var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
37 +
38 /var/log/squid(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
39 /var/log/squidGuard(/.*)? gen_context(system_u:object_r:squid_log_t,s0)
40 +
41 /var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
42 +
43 /var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
44 +
45 /var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
46
47 diff --git a/policy/modules/contrib/squid.if b/policy/modules/contrib/squid.if
48 index d2496bd..5e1f053 100644
49 --- a/policy/modules/contrib/squid.if
50 +++ b/policy/modules/contrib/squid.if
51 @@ -1,4 +1,4 @@
52 -## <summary>Squid caching http proxy server</summary>
53 +## <summary>Squid caching http proxy server.</summary>
54
55 ########################################
56 ## <summary>
57 @@ -21,7 +21,7 @@ interface(`squid_domtrans',`
58
59 ########################################
60 ## <summary>
61 -## Execute squid
62 +## Execute squid in the caller domain.
63 ## </summary>
64 ## <param name="domain">
65 ## <summary>
66 @@ -34,6 +34,7 @@ interface(`squid_exec',`
67 type squid_exec_t;
68 ')
69
70 + corecmd_search_bin($1)
71 can_exec($1, squid_exec_t)
72 ')
73
74 @@ -57,8 +58,8 @@ interface(`squid_signal',`
75
76 ########################################
77 ## <summary>
78 -## Allow read and write squid
79 -## unix domain stream sockets.
80 +## Read and write squid unix
81 +## domain stream sockets.
82 ## </summary>
83 ## <param name="domain">
84 ## <summary>
85 @@ -76,7 +77,8 @@ interface(`squid_rw_stream_sockets',`
86
87 ########################################
88 ## <summary>
89 -## Do not audit attempts to search squid cache dirs
90 +## Do not audit attempts to search
91 +## squid cache directories.
92 ## </summary>
93 ## <param name="domain">
94 ## <summary>
95 @@ -95,7 +97,7 @@ interface(`squid_dontaudit_search_cache',`
96
97 ########################################
98 ## <summary>
99 -## Read squid configuration file.
100 +## Read squid configuration files.
101 ## </summary>
102 ## <param name="domain">
103 ## <summary>
104 @@ -115,7 +117,7 @@ interface(`squid_read_config',`
105
106 ########################################
107 ## <summary>
108 -## Append squid logs.
109 +## Read squid log files.
110 ## </summary>
111 ## <param name="domain">
112 ## <summary>
113 @@ -135,7 +137,7 @@ interface(`squid_read_log',`
114
115 ########################################
116 ## <summary>
117 -## Append squid logs.
118 +## Append squid log files.
119 ## </summary>
120 ## <param name="domain">
121 ## <summary>
122 @@ -155,7 +157,7 @@ interface(`squid_append_log',`
123 ########################################
124 ## <summary>
125 ## Create, read, write, and delete
126 -## squid logs.
127 +## squid log files.
128 ## </summary>
129 ## <param name="domain">
130 ## <summary>
131 @@ -189,8 +191,8 @@ interface(`squid_use',`
132
133 ########################################
134 ## <summary>
135 -## All of the rules required to administrate
136 -## an squid environment
137 +## All of the rules required to
138 +## administrate an squid environment.
139 ## </summary>
140 ## <param name="domain">
141 ## <summary>
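Review bot: The rewritten squid_admin summary keeps the article error from the old text: `## administrate an squid environment.` should read `## administrate a squid environment.`. The rest of the summary rewording in this file reads fine.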
142 @@ -199,7 +201,7 @@ interface(`squid_use',`
143 ## </param>
144 ## <param name="role">
145 ## <summary>
146 -## The role to be allowed to manage the squid domain.
147 +## Role allowed access.
148 ## </summary>
149 ## </param>
150 ## <rolecap/>
151 @@ -207,8 +209,8 @@ interface(`squid_use',`
152 interface(`squid_admin',`
153 gen_require(`
154 type squid_t, squid_cache_t, squid_conf_t;
155 - type squid_log_t, squid_var_run_t;
156 - type squid_initrc_exec_t;
157 + type squid_log_t, squid_var_run_t, squid_tmpfs_t;
158 + type squid_initrc_exec_t, squid_tmp_t;
159 ')
160
161 allow $1 squid_t:process { ptrace signal_perms };
162 @@ -230,4 +232,10 @@ interface(`squid_admin',`
163
164 files_list_pids($1)
165 admin_pattern($1, squid_var_run_t)
166 +
167 + fs_list_tmpfs($1)
168 + admin_pattern($1, squid_tmpfs_t)
169 +
170 + files_list_tmp($1)
171 + admin_pattern($1, squid_tmp_t)
172 ')
173
174 diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
175 index c38de7a..da2ffc9 100644
176 --- a/policy/modules/contrib/squid.te
177 +++ b/policy/modules/contrib/squid.te
178 @@ -1,4 +1,4 @@
179 -policy_module(squid, 1.11.0)
180 +policy_module(squid, 1.11.1)
181
182 ########################################
183 #
184 @@ -6,17 +6,18 @@ policy_module(squid, 1.11.0)
185 #
186
187 ## <desc>
188 -## <p>
189 -## Allow squid to connect to all ports, not just
190 -## HTTP, FTP, and Gopher ports.
191 -## </p>
192 +## <p>
193 +## Determine whether squid can
194 +## connect to all TCP ports.
195 +## </p>
196 ## </desc>
197 gen_tunable(squid_connect_any, false)
198
199 ## <desc>
200 -## <p>
201 -## Allow squid to run as a transparent proxy (TPROXY)
202 -## </p>
203 +## <p>
204 +## Determine whether squid can run
205 +## as a transparent proxy.
206 +## </p>
207 ## </desc>
208 gen_tunable(squid_use_tproxy, false)
209
210 @@ -24,7 +25,6 @@ type squid_t;
211 type squid_exec_t;
212 init_daemon_domain(squid_t, squid_exec_t)
213
214 -# type for /var/cache/squid
215 type squid_cache_t;
216 files_type(squid_cache_t)
217
218 @@ -37,6 +37,9 @@ init_script_file(squid_initrc_exec_t)
219 type squid_log_t;
220 logging_log_file(squid_log_t)
221
222 +type squid_tmp_t;
223 +files_tmp_file(squid_tmp_t)
224 +
225 type squid_tmpfs_t;
226 files_tmpfs_file(squid_tmpfs_t)
227
228 @@ -52,46 +55,46 @@ allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
229 dontaudit squid_t self:capability sys_tty_config;
230 allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
231 allow squid_t self:fifo_file rw_fifo_file_perms;
232 -allow squid_t self:sock_file read_sock_file_perms;
233 allow squid_t self:fd use;
234 allow squid_t self:shm create_shm_perms;
235 allow squid_t self:sem create_sem_perms;
236 allow squid_t self:msgq create_msgq_perms;
237 allow squid_t self:msg { send receive };
238 -allow squid_t self:unix_stream_socket create_stream_socket_perms;
239 -allow squid_t self:unix_dgram_socket create_socket_perms;
240 allow squid_t self:unix_dgram_socket sendto;
241 -allow squid_t self:unix_stream_socket connectto;
242 -allow squid_t self:tcp_socket create_stream_socket_perms;
243 -allow squid_t self:udp_socket create_socket_perms;
244 +allow squid_t self:unix_stream_socket { accept connectto listen };
245 +allow squid_t self:tcp_socket { accept listen };
246
247 -# Grant permissions to create, access, and delete cache files.
248 manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
249 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
250 manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
251 +files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
252
253 allow squid_t squid_conf_t:dir list_dir_perms;
254 -read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
255 -read_lnk_files_pattern(squid_t, squid_conf_t, squid_conf_t)
256 -
257 -can_exec(squid_t, squid_exec_t)
258 +allow squid_t squid_conf_t:file read_file_perms;
259 +allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
260
261 manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
262 -manage_files_pattern(squid_t, squid_log_t, squid_log_t)
263 +append_files_pattern(squid_t, squid_log_t, squid_log_t)
264 +create_files_pattern(squid_t, squid_log_t, squid_log_t)
265 +setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
266 manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
267 logging_log_filetrans(squid_t, squid_log_t, { file dir })
268
269 -#squid requires the following when run in diskd mode, the recommended setting
270 +manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
271 +manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
272 +files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
273 +
274 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
275 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
276
277 manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
278 files_pid_filetrans(squid_t, squid_var_run_t, file)
279
280 +can_exec(squid_t, squid_exec_t)
281 +
282 kernel_read_kernel_sysctls(squid_t)
283 kernel_read_system_state(squid_t)
284 -
285 -files_dontaudit_getattr_boot_dirs(squid_t)
286 +kernel_read_network_state(squid_t)
287
288 corenet_all_recvfrom_unlabeled(squid_t)
289 corenet_all_recvfrom_netlabel(squid_t)
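Review bot: The new `files_var_filetrans(squid_t, squid_cache_t, dir, "squid")` labels a directory squid creates directly under /var as squid_cache_t, but the squid.fc hunk in this same commit has no matching `/var/squid(/.*)?` entry, so a relabel (restorecon/setfiles) would revert that directory to the generic /var label and the cache would stop being accessible under this policy. Either add `/var/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)` to squid.fc or drop the transition if that path is not used on this distribution. The hunk also removes the self tcp_socket, udp_socket, unix_stream_socket and unix_dgram_socket create rules and keeps only `{ accept connectto listen }` and `{ accept listen }`; that is only safe if socket creation is granted to squid_t elsewhere (presumably by init_daemon_domain or the corenet interfaces), which neither the hunk nor the commit message states. A comment above the two new allow lines naming where the create permissions come from would save the next reader the search.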
290 @@ -99,63 +102,77 @@ corenet_tcp_sendrecv_generic_if(squid_t)
291 corenet_udp_sendrecv_generic_if(squid_t)
292 corenet_tcp_sendrecv_generic_node(squid_t)
293 corenet_udp_sendrecv_generic_node(squid_t)
294 -corenet_tcp_sendrecv_all_ports(squid_t)
295 -corenet_udp_sendrecv_all_ports(squid_t)
296 corenet_tcp_bind_generic_node(squid_t)
297 corenet_udp_bind_generic_node(squid_t)
298 +
299 +corenet_sendrecv_http_client_packets(squid_t)
300 +corenet_tcp_connect_http_port(squid_t)
301 +corenet_sendrecv_http_server_packets(squid_t)
302 corenet_tcp_bind_http_port(squid_t)
303 +corenet_tcp_sendrecv_http_port(squid_t)
304 +
305 +corenet_sendrecv_http_cache_client_packets(squid_t)
306 +corenet_tcp_connect_http_cache_port(squid_t)
307 +corenet_sendrecv_http_cache_server_packets(squid_t)
308 corenet_tcp_bind_http_cache_port(squid_t)
309 corenet_udp_bind_http_cache_port(squid_t)
310 +corenet_tcp_sendrecv_http_cache_port(squid_t)
311 +corenet_udp_sendrecv_http_cache_port(squid_t)
312 +
313 +corenet_sendrecv_ftp_client_packets(squid_t)
314 +corenet_tcp_connect_ftp_port(squid_t)
315 +corenet_sendrecv_ftp_server_packets(squid_t)
316 corenet_tcp_bind_ftp_port(squid_t)
317 +corenet_tcp_sendrecv_ftp_port(squid_t)
318 +
319 +corenet_sendrecv_gopher_client_packets(squid_t)
320 +corenet_tcp_connect_gopher_port(squid_t)
321 +corenet_sendrecv_gopher_server_packets(squid_t)
322 corenet_tcp_bind_gopher_port(squid_t)
323 corenet_udp_bind_gopher_port(squid_t)
324 +corenet_tcp_sendrecv_gopher_port(squid_t)
325 +corenet_udp_sendrecv_gopher_port(squid_t)
326 +
327 +corenet_sendrecv_squid_server_packets(squid_t)
328 corenet_tcp_bind_squid_port(squid_t)
329 corenet_udp_bind_squid_port(squid_t)
330 -corenet_udp_bind_wccp_port(squid_t)
331 -corenet_tcp_connect_ftp_port(squid_t)
332 -corenet_tcp_connect_gopher_port(squid_t)
333 -corenet_tcp_connect_http_port(squid_t)
334 -corenet_tcp_connect_http_cache_port(squid_t)
335 -corenet_tcp_connect_pgpkeyserver_port(squid_t)
336 -corenet_sendrecv_ftp_client_packets(squid_t)
337 -corenet_sendrecv_gopher_client_packets(squid_t)
338 -corenet_sendrecv_http_client_packets(squid_t)
339 -corenet_sendrecv_http_server_packets(squid_t)
340 -corenet_sendrecv_http_cache_server_packets(squid_t)
341 -corenet_sendrecv_http_cache_client_packets(squid_t)
342 -corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
343 -corenet_sendrecv_squid_client_packets(squid_t)
344 -corenet_sendrecv_squid_server_packets(squid_t)
345 -corenet_sendrecv_wccp_server_packets(squid_t)
346 +corenet_tcp_sendrecv_squid_port(squid_t)
347 +corenet_udp_sendrecv_squid_port(squid_t)
348
349 -dev_read_sysfs(squid_t)
350 -dev_read_urand(squid_t)
351 -
352 -fs_getattr_all_fs(squid_t)
353 -fs_search_auto_mountpoints(squid_t)
354 -fs_list_inotifyfs(squid_t)
355 -
356 -selinux_dontaudit_getattr_dir(squid_t)
357 +corenet_sendrecv_wccp_server_packets(squid_t)
358 +corenet_udp_bind_wccp_port(squid_t)
359 +corenet_udp_sendrecv_wccp_port(squid_t)
360
361 -term_dontaudit_getattr_pty_dirs(squid_t)
362 +corenet_sendrecv_pgpkeyserver_client_packets(squid_t)
363 +corenet_tcp_connect_pgpkeyserver_port(squid_t)
364 +corenet_tcp_sendrecv_pgpkeyserver_port(squid_t)
365
366 -# to allow running programs from /usr/lib/squid (IE unlinkd)
367 corecmd_exec_bin(squid_t)
368 corecmd_exec_shell(squid_t)
369
370 +dev_read_sysfs(squid_t)
371 +dev_read_urand(squid_t)
372 +
373 domain_use_interactive_fds(squid_t)
374
375 -files_read_etc_files(squid_t)
376 files_read_etc_runtime_files(squid_t)
377 files_read_usr_files(squid_t)
378 files_search_spool(squid_t)
379 files_dontaudit_getattr_tmp_dirs(squid_t)
380 files_getattr_home_dir(squid_t)
381 +files_dontaudit_getattr_boot_dirs(squid_t)
382 +
383 +fs_getattr_all_fs(squid_t)
384 +fs_search_auto_mountpoints(squid_t)
385 +fs_list_inotifyfs(squid_t)
386 +
387 +selinux_dontaudit_getattr_dir(squid_t)
388 +
389 +term_dontaudit_getattr_pty_dirs(squid_t)
390
391 auth_use_nsswitch(squid_t)
392 auth_domtrans_chk_passwd(squid_t)
393
394 -# to allow running programs from /usr/lib/squid (IE unlinkd)
395 libs_exec_lib_files(squid_t)
396
397 logging_send_syslog_msg(squid_t)
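Review bot: `files_read_etc_files(squid_t)` is removed in this hunk with no replacement visible, while the rules around it still expect squid to read system configuration (`files_read_etc_runtime_files`, `auth_use_nsswitch` stay); if generic /etc read access is now granted by a broader interface this is fine, otherwise squid will be denied reading files under /etc at startup. A note in the commit message or a comment saying where that access now comes from would make the removal verifiable. The port tightening itself (dropping `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` in favour of the per-port sendrecv interfaces) is consistent with the narrowed `squid_connect_any` description.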
398 @@ -170,21 +187,27 @@ tunable_policy(`squid_connect_any',`
399 corenet_tcp_connect_all_ports(squid_t)
400 corenet_tcp_bind_all_ports(squid_t)
401 corenet_sendrecv_all_packets(squid_t)
402 + corenet_tcp_sendrecv_all_ports(squid_t)
403 ')
404
405 tunable_policy(`squid_use_tproxy',`
406 allow squid_t self:capability net_admin;
407 + corenet_sendrecv_netport_server_packets(squid_t)
408 corenet_tcp_bind_netport_port(squid_t)
409 + corenet_tcp_sendrecv_netport_port(squid_t)
410 ')
411
412 optional_policy(`
413 apache_content_template(squid)
414
415 - allow httpd_squid_script_t self:tcp_socket create_socket_perms;
416 -
417 corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
418 corenet_all_recvfrom_netlabel(httpd_squid_script_t)
419 + corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
420 + corenet_tcp_sendrecv_generic_node(httpd_squid_script_t)
421 +
422 + corenet_sendrecv_http_cache_client_packets(httpd_squid_script_t)
423 corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
424 + corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
425
426 sysnet_dns_name_resolve(httpd_squid_script_t)
427
428 @@ -196,6 +219,11 @@ optional_policy(`
429 ')
430
431 optional_policy(`
432 + kerberos_manage_host_rcache(squid_t)
433 + kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
434 +')
435 +
436 +optional_policy(`
437 samba_domtrans_winbind_helper(squid_t)
438 ')