1squid_selinux(8) SELinux Policy squid squid_selinux(8)
2
6 squid_selinux - Security Enhanced Linux Policy for the squid processes
7
9 Security-Enhanced Linux secures the squid processes via flexible manda‐
10 tory access control.
11 The squid processes execute with the squid_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep squid_t
19
23 The squid_t SELinux type can be entered via the squid_exec_t file type.
24 The default entrypoint paths for the squid_t domain are the following:
26 /usr/sbin/squid, /usr/libexec/squid/cache_swap.sh
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 squid policy is very flexible allowing users to setup their squid pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for squid:
40 squid_t, squid_cron_t, squid_script_t
42 Note: semanage permissive -a squid_t can be used to make the process
44 type squid_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. squid
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run squid with the tightest access possible.
53 If you want to determine whether squid can connect to all TCP ports,
57 you must turn on the squid_connect_any boolean. Enabled by default.
58 setsebool -P squid_connect_any 1
60 If you want to determine whether squid can run as a transparent proxy,
64 you must turn on the squid_use_tproxy boolean. Disabled by default.
65 setsebool -P squid_use_tproxy 1
67 If you want to allow users to resolve user passwd entries directly from
71 ldap rather then using a sssd server, you must turn on the authlo‐
72 gin_nsswitch_use_ldap boolean. Disabled by default.
73 setsebool -P authlogin_nsswitch_use_ldap 1
75 If you want to allow all daemons to write corefiles to /, you must turn
79 on the daemons_dump_core boolean. Disabled by default.
80 setsebool -P daemons_dump_core 1
82 If you want to enable cluster mode for daemons, you must turn on the
86 daemons_enable_cluster_mode boolean. Enabled by default.
87 setsebool -P daemons_enable_cluster_mode 1
89 If you want to allow all daemons to use tcp wrappers, you must turn on
93 the daemons_use_tcp_wrapper boolean. Disabled by default.
94 setsebool -P daemons_use_tcp_wrapper 1
96 If you want to allow all daemons the ability to read/write terminals,
100 you must turn on the daemons_use_tty boolean. Disabled by default.
101 setsebool -P daemons_use_tty 1
103 If you want to deny any process from ptracing or debugging any other
107 processes, you must turn on the deny_ptrace boolean. Enabled by
108 default.
109 setsebool -P deny_ptrace 1
111 If you want to allow any process to mmap any file on system with
115 attribute file_type, you must turn on the domain_can_mmap_files bool‐
116 ean. Enabled by default.
117 setsebool -P domain_can_mmap_files 1
119 If you want to allow all domains write to kmsg_device, while kernel is
123 executed with systemd.log_target=kmsg parameter, you must turn on the
124 domain_can_write_kmsg boolean. Disabled by default.
125 setsebool -P domain_can_write_kmsg 1
127 If you want to allow all domains to use other domains file descriptors,
131 you must turn on the domain_fd_use boolean. Enabled by default.
132 setsebool -P domain_fd_use 1
134 If you want to allow all domains to have the kernel load modules, you
138 must turn on the domain_kernel_load_modules boolean. Disabled by
139 default.
140 setsebool -P domain_kernel_load_modules 1
142 If you want to allow all domains to execute in fips_mode, you must turn
146 on the fips_mode boolean. Enabled by default.
147 setsebool -P fips_mode 1
149 If you want to enable reading of urandom for all domains, you must turn
153 on the global_ssp boolean. Disabled by default.
154 setsebool -P global_ssp 1
156 If you want to allow confined applications to run with kerberos, you
160 must turn on the kerberos_enabled boolean. Enabled by default.
161 setsebool -P kerberos_enabled 1
163 If you want to allow system to run with NIS, you must turn on the
167 nis_enabled boolean. Disabled by default.
168 setsebool -P nis_enabled 1
170 If you want to allow confined applications to use nscd shared memory,
174 you must turn on the nscd_use_shm boolean. Disabled by default.
175 setsebool -P nscd_use_shm 1
177
181 SELinux defines port types to represent TCP and UDP ports.
182 You can see the types associated with a port by using the following
184 command:
185 semanage port -l
187 Policy governs the access confined processes have to these ports.
190 SELinux squid policy is very flexible allowing users to setup their
191 squid processes in as secure a method as possible.
192 The following port types are defined for squid:
194 squid_port_t
197 Default Defined Ports:
201 tcp 3128,3401,4827
202 udp 3401,4827
203
205 The SELinux process type squid_t can manage files labeled with the fol‐
206 lowing file types. The paths listed are the default paths for these
207 file types. Note the processes UID still need to have DAC permissions.
208 cluster_conf_t
210 /etc/cluster(/.*)?
212 cluster_var_lib_t
214 /var/lib/pcsd(/.*)?
216 /var/lib/cluster(/.*)?
217 /var/lib/openais(/.*)?
218 /var/lib/pengine(/.*)?
219 /var/lib/corosync(/.*)?
220 /usr/lib/heartbeat(/.*)?
221 /var/lib/heartbeat(/.*)?
222 /var/lib/pacemaker(/.*)?
223 cluster_var_run_t
225 /var/run/crm(/.*)?
227 /var/run/cman_.*
228 /var/run/rsctmp(/.*)?
229 /var/run/aisexec.*
230 /var/run/heartbeat(/.*)?
231 /var/run/corosync-qnetd(/.*)?
232 /var/run/corosync-qdevice(/.*)?
233 /var/run/cpglockd.pid
234 /var/run/corosync.pid
235 /var/run/rgmanager.pid
236 /var/run/cluster/rgmanager.sk
237 faillog_t
239 /var/log/btmp.*
241 /var/log/faillog.*
242 /var/log/tallylog.*
243 /var/run/faillock(/.*)?
244 krb5_host_rcache_t
246 /var/cache/krb5rcache(/.*)?
248 /var/tmp/nfs_0
249 /var/tmp/DNS_25
250 /var/tmp/host_0
251 /var/tmp/imap_0
252 /var/tmp/HTTP_23
253 /var/tmp/HTTP_48
254 /var/tmp/ldap_55
255 /var/tmp/ldap_487
256 /var/tmp/ldapmap1_0
257 root_t
259 /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
261 /
262 /initrd
263 security_t
265 /selinux
267 squid_cache_t
269 /var/squidGuard(/.*)?
271 /var/lib/ssl_db(/.*)?
272 /var/lightsquid(/.*)?
273 /var/cache/squid(/.*)?
274 /var/spool/squid(/.*)?
275 /etc/squid/ssl_db(/.*)?
276 squid_log_t
278 /var/log/squid(/.*)?
280 /var/log/squidGuard(/.*)?
281 squid_tmp_t
283 squid_tmpfs_t
286 squid_var_run_t
289 /var/run/squid.*
291
294 SELinux requires files to have an extended attribute to define the file
295 type.
296 You can see the context of a file using the -Z option to ls
298 Policy governs the access confined processes have to these files.
300 SELinux squid policy is very flexible allowing users to setup their
301 squid processes in as secure a method as possible.
302 EQUIVALENCE DIRECTORIES
304 squid policy stores data with multiple different file context types
307 under the /var/log/squid directory. If you would like to store the
308 data in a different directory you can use the semanage command to cre‐
309 ate an equivalence mapping. If you wanted to store this data under the
310 /srv dirctory you would execute the following command:
311 semanage fcontext -a -e /var/log/squid /srv/squid
313 restorecon -R -v /srv/squid
314 STANDARD FILE CONTEXT
316 SELinux defines the file context types for the squid, if you wanted to
318 store files with these types in a diffent paths, you need to execute
319 the semanage command to sepecify alternate labeling and then use
320 restorecon to put the labels on disk.
321 semanage fcontext -a -t squid_var_run_t '/srv/mysquid_content(/.*)?'
323 restorecon -R -v /srv/mysquid_content
324 Note: SELinux often uses regular expressions to specify labels that
326 match multiple files.
327 The following file types are defined for squid:
329 squid_cache_t
333 - Set files with the squid_cache_t type, if you want to store the files
335 under the /var/cache directory.
336 Paths:
339 /var/squidGuard(/.*)?, /var/lib/ssl_db(/.*)?, /var/light‐
340 squid(/.*)?, /var/cache/squid(/.*)?, /var/spool/squid(/.*)?,
341 /etc/squid/ssl_db(/.*)?
342 squid_conf_t
345 - Set files with the squid_conf_t type, if you want to treat the files
347 as squid configuration data, usually stored under the /etc directory.
348 Paths:
351 /etc/squid(/.*)?, /etc/lightsquid(/.*)?, /usr/share/squid(/.*)?
352 squid_content_t
355 - Set files with the squid_content_t type, if you want to treat the
357 files as squid content.
358 squid_cron_exec_t
362 - Set files with the squid_cron_exec_t type, if you want to transition
364 an executable to the squid_cron_t domain.
365 squid_exec_t
369 - Set files with the squid_exec_t type, if you want to transition an
371 executable to the squid_t domain.
372 Paths:
375 /usr/sbin/squid, /usr/libexec/squid/cache_swap.sh
376 squid_htaccess_t
379 - Set files with the squid_htaccess_t type, if you want to treat the
381 file as a squid access file.
382 squid_initrc_exec_t
386 - Set files with the squid_initrc_exec_t type, if you want to transi‐
388 tion an executable to the squid_initrc_t domain.
389 squid_log_t
393 - Set files with the squid_log_t type, if you want to treat the data as
395 squid log data, usually stored under the /var/log directory.
396 Paths:
399 /var/log/squid(/.*)?, /var/log/squidGuard(/.*)?
400 squid_ra_content_t
403 - Set files with the squid_ra_content_t type, if you want to treat the
405 files as squid read/append content.
406 squid_rw_content_t
410 - Set files with the squid_rw_content_t type, if you want to treat the
412 files as squid read/write content.
413 squid_script_exec_t
417 - Set files with the squid_script_exec_t type, if you want to transi‐
419 tion an executable to the squid_script_t domain.
420 Paths:
423 /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr.cgi
424 squid_tmp_t
427 - Set files with the squid_tmp_t type, if you want to store squid tem‐
429 porary files in the /tmp directories.
430 squid_tmpfs_t
434 - Set files with the squid_tmpfs_t type, if you want to store squid
436 files on a tmpfs file system.
437 squid_var_run_t
441 - Set files with the squid_var_run_t type, if you want to store the
443 squid files under the /run or /var/run directory.
444 Note: File context can be temporarily modified with the chcon command.
448 If you want to permanently change the file context you need to use the
449 semanage fcontext command. This will modify the SELinux labeling data‐
450 base. You will need to use restorecon to apply the labels.
451
454 semanage fcontext can also be used to manipulate default file context
455 mappings.
456 semanage permissive can also be used to manipulate whether or not a
458 process type is permissive.
459 semanage module can also be used to enable/disable/install/remove pol‐
461 icy modules.
462 semanage port can also be used to manipulate the port definitions
464 semanage boolean can also be used to manipulate the booleans
466 system-config-selinux is a GUI tool available to customize SELinux pol‐
469 icy settings.
470
473 This manual page was auto-generated using sepolicy manpage .
474
477 selinux(8), squid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
478 , setsebool(8), squid_cron_selinux(8), squid_script_selinux(8)
479squid 19-04-25 squid_selinux(8)