* Not sure if I sent this patch before.
@ 2007-03-23 19:43 Daniel J Walsh
From: Daniel J Walsh @ 2007-03-23 19:43 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 100 bytes --]

Add httpd_squid_script_t policy. Also add new ports for squid to talk
to, sent in a previous patch.

[-- Attachment #2: squid.patch --]
[-- Type: text/x-patch, Size: 2647 bytes --]

--- nsaserefpolicy/policy/modules/services/squid.fc	2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/services/squid.fc	2007-03-22 15:06:59.000000000 -0400
@@ -12,3 +12,5 @@
 /var/run/squid\.pid	--	gen_context(system_u:object_r:squid_var_run_t,s0)
 
 /var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
+/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+/usr/lib64/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
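Review bot: The two new cachemgr.cgi entries can be written as one pattern, `/usr/lib(64)?/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)`, which is the form used for other lib/lib64 paths in the policy. Note also that httpd_squid_script_exec_t is only declared by the apache_content_template(squid) call in the squid.te hunk, and that call sits inside an optional_policy block; when the apache module is absent this file-context line references an undeclared type, so it is worth confirming that the build and setfiles tolerate that.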
--- nsaserefpolicy/policy/modules/services/squid.if	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/services/squid.if	2007-03-22 15:06:59.000000000 -0400
@@ -36,7 +36,7 @@
 	')
 
 	files_search_etc($1)
-	allow $1 squid_conf_t:file read_file_perms;
+	read_files_pattern($1, squid_conf_t, squid_conf_t)
 ')
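Review bot: Replacing the raw allow with `read_files_pattern($1, squid_conf_t, squid_conf_t)` also grants $1 search on squid_conf_t directories, not only read on the files, so the interface's effective permissions widen slightly. That is the usual refpolicy pattern when the config lives under a squid_conf_t directory, but the widening should be reflected in the interface summary. The interface this hunk patches begins above the hunk, so its name and summary are not visible here.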
 
 ########################################
@@ -112,3 +112,23 @@
 interface(`squid_use',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+########################################
+## <summary>
+##	dontaudit search squid cache dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`squid_dontaudit_search_squid_cache',`
+	gen_require(`
+		type squid_cache_t;
+	')
+
+	dontaudit $1 squid_cache_t:dir search_dir_perms;
+')
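Review bot: The `<rolecap/>` tag on the new squid_dontaudit_search_squid_cache interface looks misplaced: in refpolicy that tag marks interfaces that should be exposed as role capabilities, whereas a dontaudit grants nothing, so the tag should probably be dropped. The interface name also repeats the module prefix; the convention used by squid_read_config above would give `squid_dontaudit_search_cache`. The hunk additionally appends a trailing blank line after the final `')` at end of file, which is unnecessary.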
+
--- nsaserefpolicy/policy/modules/services/squid.te	2007-03-20 23:38:14.000000000 -0400
+++ serefpolicy-2.5.10/policy/modules/services/squid.te	2007-03-22 15:06:59.000000000 -0400
@@ -81,6 +81,8 @@
 corenet_tcp_bind_ftp_port(squid_t)
 corenet_tcp_bind_gopher_port(squid_t)
 corenet_udp_bind_gopher_port(squid_t)
+corenet_tcp_bind_squid_port(squid_t)
+corenet_udp_bind_squid_port(squid_t)
 corenet_tcp_connect_ftp_port(squid_t)
 corenet_tcp_connect_gopher_port(squid_t)
 corenet_tcp_connect_http_port(squid_t)
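Review bot: The new `corenet_tcp_bind_squid_port(squid_t)` and `corenet_udp_bind_squid_port(squid_t)` calls depend on the squid port declaration and interfaces that the description says were sent in a previous patch, so this patch does not build on its own until that one is applied. The ordering should be stated explicitly in the message, or the two patches merged. The same dependency applies to `corenet_sendrecv_squid_client_packets(squid_t)` in the next hunk.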
@@ -90,6 +92,7 @@
 corenet_sendrecv_gopher_client_packets(squid_t)
 corenet_sendrecv_http_cache_server_packets(squid_t)
 corenet_sendrecv_http_cache_client_packets(squid_t)
+corenet_sendrecv_squid_client_packets(squid_t)
 
 dev_read_sysfs(squid_t)
 dev_read_urand(squid_t)
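Review bot: `corenet_sendrecv_squid_client_packets(squid_t)` looks like the wrong side of the connection: the preceding hunk has squid_t binding the squid port, and a domain that binds a port is its server, which in this file pairs with the `_server_packets` interface (compare the http_cache lines just above, which grant both the server and the client packet rules). Unless squid_t also connects to the squid port of another proxy, `corenet_sendrecv_squid_server_packets(squid_t)` appears to be the one intended, or both if it does.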
@@ -174,3 +177,12 @@
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
 ') dnl end TODO
+
+optional_policy(`
+	apache_content_template(squid)
+	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
+	squid_read_config(httpd_squid_script_t)
+	allow httpd_squid_script_t self:tcp_socket create_socket_perms;
+	sysnet_read_config(httpd_squid_script_t)
+	corenet_non_ipsec_sendrecv(httpd_squid_script_t)
+')
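Review bot: The rule order in the new optional_policy block does not follow the file's convention of local allow rules first and interface calls grouped by module: `allow httpd_squid_script_t self:tcp_socket create_socket_perms;` belongs at the top of the block and `corenet_non_ipsec_sendrecv(httpd_squid_script_t)` next to `corenet_tcp_connect_http_cache_port(httpd_squid_script_t)`. Connecting to the http cache port normally also needs the interface, node and port sendrecv rules (corenet_tcp_sendrecv_generic_if, corenet_tcp_sendrecv_generic_node and corenet_tcp_sendrecv_http_cache_port, or their all_* forms); if apache_content_template(squid) does not already grant these, the connect rule on its own will not let cachemgr.cgi reach squid. A short comment at the top of the block, e.g. `# cachemgr.cgi (httpd_squid_script_t) connects to squid over the http cache port`, would make the block's purpose clear to the next reader.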

