squid_selinux(8)             SELinux Policy squid             squid_selinux(8)

NAME
       squid_selinux - Security Enhanced Linux Policy for the squid processes

DESCRIPTION
       Security-Enhanced Linux secures the squid processes via flexible
       mandatory access control.

       The squid processes execute with the squid_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep squid_t

ENTRYPOINTS
       The squid_t SELinux type can be entered via the squid_exec_t file type.

       The default entrypoint paths for the squid_t domain are the following:

       /usr/sbin/squid, /usr/libexec/squid/cache_swap.sh

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       squid policy is very flexible, allowing users to set up their squid
       processes in as secure a manner as possible.

       The following process types are defined for squid:

       squid_t, squid_cron_t, squid_script_t

       Note: semanage permissive -a squid_t can be used to make the process
       type squid_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.

BOOLEANS
       SELinux policy is customizable based on least access required. squid
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run squid with the tightest access possible.

       If you want to determine whether squid can connect to all TCP ports,
       you must turn on the squid_connect_any boolean. Enabled by default.

       setsebool -P squid_connect_any 1

       If you want to determine whether squid can run as a transparent proxy,
       you must turn on the squid_use_tproxy boolean. Disabled by default.

       setsebool -P squid_use_tproxy 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

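       The four booleans above can drift from the intended baseline over the
       life of a host. The following POSIX shell snippet is an added example
       (it is not part of this man page or of the selinux-policy project): it
       compares getsebool-style output against a desired baseline and prints
       the setsebool -P commands needed to reach it. The baseline values are an
       assumption for a forward proxy that should only reach the ports policy
       already allows and that is not a transparent proxy; the getsebool output
       embedded in the block is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the squid_selinux man page or the selinux-policy
# project: audit the squid-related booleans against a desired baseline.

# Desired baseline (assumed): squid should only reach the ports policy already
# allows, and is not a transparent proxy. One "name state" pair per line.
SQUID_BASELINE='squid_connect_any off
squid_use_tproxy off
kerberos_enabled on
fips_mode on'

# Constructed sample of `getsebool -a` output, standing in for a live system
# on which squid_connect_any was left at its default.
SAMPLE_GETSEBOOL='fips_mode --> on
kerberos_enabled --> on
squid_connect_any --> on
squid_use_tproxy --> off'

# current_state NAME OUTPUT: print "on", "off" or "unknown" for boolean NAME
# in getsebool-style OUTPUT.
current_state() {
    _name=$1
    _out=$2
    _line=$(printf '%s\n' "$_out" | grep -E "^$_name --> " || true)
    if [ -z "$_line" ]; then
        echo unknown
    else
        printf '%s\n' "$_line" | sed 's/.*--> //'
    fi
}

# audit_booleans BASELINE OUTPUT: for every baseline entry whose current state
# differs, print the persistent setsebool command that fixes it. Booleans the
# system does not know are reported rather than silently skipped.
audit_booleans() {
    _baseline=$1
    _out=$2
    printf '%s\n' "$_baseline" | while read -r _name _want; do
        [ -n "$_name" ] || continue
        _have=$(current_state "$_name" "$_out")
        if [ "$_have" = unknown ]; then
            echo "# $_name: not defined on this system"
        elif [ "$_have" != "$_want" ]; then
            case $_want in
                on)  _val=1 ;;
                off) _val=0 ;;
            esac
            echo "setsebool -P $_name $_val"
        fi
    done
}

# On a live system: audit_booleans "$SQUID_BASELINE" "$(getsebool -a)"
# With the constructed sample the only line printed is:
#   setsebool -P squid_connect_any 0
```

       The script only prints commands; review them before running, since
       turning squid_connect_any off will block a proxy that legitimately
       needs non-standard upstream ports.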
PORT TYPES
       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux squid policy is very flexible, allowing users to set up their
       squid processes in as secure a manner as possible.

       The following port types are defined for squid:

       squid_port_t

       Default Defined Ports:
       tcp 3128,3401,4827
       udp 3401,4827

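       A frequent operational question is whether a non-default listen port is
       covered by squid_port_t. The following POSIX shell snippet is an added
       example, not part of this man page or of the selinux-policy project: it
       parses semanage port -l style output, checks a port/protocol against the
       listed ports and ranges, and prints the semanage port command that would
       be required. The squid_port_t lines in the embedded sample are the
       defaults given above; the http_port_t and http_cache_port_t lines and
       the port numbers tested are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the squid_selinux man page or the selinux-policy
# project: check whether a port is covered by squid_port_t using
# `semanage port -l` style output.

# Constructed sample in the `semanage port -l` layout (type, protocol, ports).
# The squid_port_t lines are the defaults listed in this man page; the other
# entries are constructed for the example.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 8008
http_cache_port_t              tcp      8080, 8118, 10001-10010
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827'

# port_type_has LIST TYPE PROTO PORT: succeed if PORT is listed, singly or
# inside an a-b range, for TYPE/PROTO in LIST.
port_type_has() {
    _list=$1 _type=$2 _proto=$3 _port=$4
    _ports=$(printf '%s\n' "$_list" |
        awk -v t="$_type" -v p="$_proto" '$1 == t && $2 == p { $1 = ""; $2 = ""; print }' |
        tr -d ' ' | tr ',' '\n')
    for _p in $_ports; do
        case $_p in
            *-*) _lo=${_p%-*}; _hi=${_p#*-}
                 if [ "$_port" -ge "$_lo" ] && [ "$_port" -le "$_hi" ]; then return 0; fi ;;
            *)   if [ "$_p" -eq "$_port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# port_owner LIST PROTO PORT: print the type that currently holds PORT/PROTO,
# or nothing if no type does.
port_owner() {
    _list=$1 _proto=$2 _port=$3
    for _t in $(printf '%s\n' "$_list" | awk -v p="$_proto" '$2 == p { print $1 }' | sort -u); do
        if port_type_has "$_list" "$_t" "$_proto" "$_port"; then
            echo "$_t"
            break
        fi
    done
}

# squid_port_fix LIST PROTO PORT: print what is needed for squid to be allowed
# to bind PORT/PROTO: nothing, add the port to squid_port_t, or move it away
# from its current type (which may break the service that owned it).
squid_port_fix() {
    _owner=$(port_owner "$1" "$2" "$3")
    if [ "$_owner" = squid_port_t ]; then
        echo "ok: $2/$3 is already squid_port_t"
    elif [ -n "$_owner" ]; then
        echo "semanage port -m -t squid_port_t -p $2 $3  # currently $_owner"
    else
        echo "semanage port -a -t squid_port_t -p $2 $3"
    fi
}

# Live system: squid_port_fix "$(semanage port -l)" tcp 3129
```

       semanage port -a fails when the port already belongs to another type,
       which is why the snippet distinguishes the -m (modify) case; moving a
       port out of its current type affects every other confined service that
       binds it, so check the owner before applying the printed command.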
MANAGED FILES
       The SELinux process type squid_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       squid_cache_t

            /var/lib/ssl_db(/.*)?
            /var/lightsquid(/.*)?
            /var/squidGuard(/.*)?
            /var/cache/squid(/.*)?
            /var/spool/squid(/.*)?
            /etc/squid/ssl_db(/.*)?

       squid_log_t

            /var/log/squid(/.*)?
            /var/log/squidGuard(/.*)?

       squid_tmp_t

       squid_tmpfs_t

            /dev/shm/squid-*

       squid_var_run_t

            /var/run/squid.*

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux squid policy is very flexible, allowing users to set up their
       squid processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       squid policy stores data with multiple different file context types
       under the /var/log/squid directory. If you would like to store the data
       in a different directory you can use the semanage command to create an
       equivalence mapping. If you wanted to store this data under the /srv
       directory you would execute the following command:

       semanage fcontext -a -e /var/log/squid /srv/squid
       restorecon -R -v /srv/squid

       STANDARD FILE CONTEXT

       SELinux defines the file context types for squid. If you want to store
       files with these types in different paths, you need to run the semanage
       command to specify the alternate labeling and then use restorecon to
       put the labels on disk.

       semanage fcontext -a -t squid_ra_content_t '/srv/mysquid_content(/.*)?'
       restorecon -R -v /srv/mysquid_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for squid:

       squid_cache_t

       - Set files with the squid_cache_t type, if you want to store the files
       under the /var/cache directory.

       Paths:
            /var/lib/ssl_db(/.*)?, /var/lightsquid(/.*)?,
            /var/squidGuard(/.*)?, /var/cache/squid(/.*)?,
            /var/spool/squid(/.*)?, /etc/squid/ssl_db(/.*)?

       squid_conf_t

       - Set files with the squid_conf_t type, if you want to treat the files
       as squid configuration data, usually stored under the /etc directory.

       Paths:
            /etc/squid(/.*)?, /etc/lightsquid(/.*)?, /usr/share/squid(/.*)?

       squid_content_t

       - Set files with the squid_content_t type, if you want to treat the
       files as squid content.

       squid_cron_exec_t

       - Set files with the squid_cron_exec_t type, if you want to transition
       an executable to the squid_cron_t domain.

       squid_exec_t

       - Set files with the squid_exec_t type, if you want to transition an
       executable to the squid_t domain.

       Paths:
            /usr/sbin/squid, /usr/libexec/squid/cache_swap.sh

       squid_htaccess_t

       - Set files with the squid_htaccess_t type, if you want to treat the
       file as a squid access file.

       squid_initrc_exec_t

       - Set files with the squid_initrc_exec_t type, if you want to
       transition an executable to the squid_initrc_t domain.

       squid_log_t

       - Set files with the squid_log_t type, if you want to treat the data as
       squid log data, usually stored under the /var/log directory.

       Paths:
            /var/log/squid(/.*)?, /var/log/squidGuard(/.*)?

       squid_ra_content_t

       - Set files with the squid_ra_content_t type, if you want to treat the
       files as squid read/append content.

       squid_rw_content_t

       - Set files with the squid_rw_content_t type, if you want to treat the
       files as squid read/write content.

       squid_script_exec_t

       - Set files with the squid_script_exec_t type, if you want to
       transition an executable to the squid_script_t domain.

       Paths:
            /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr.cgi

       squid_tmp_t

       - Set files with the squid_tmp_t type, if you want to store squid
       temporary files in the /tmp directories.

       squid_tmpfs_t

       - Set files with the squid_tmpfs_t type, if you want to store squid
       files on a tmpfs file system.

       squid_var_run_t

       - Set files with the squid_var_run_t type, if you want to store the
       squid files under the /run or /var/run directory.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

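       Because chcon changes are not persistent and copies made without
       preserving contexts pick up the destination's default label, it is
       useful to be able to say which squid type a path ought to carry and to
       spot files that disagree. The following POSIX shell snippet is an added
       example, not part of this man page or of the selinux-policy project: it
       matches a path against a subset of the file-context regexes listed
       above and compares ls -Z style output (a constructed sample is embedded)
       with the expected type. Preferring the matching entry with the longest
       literal prefix is an assumption of this example that approximates how
       matchpathcon selects the most specific rule; the man page does not
       describe that selection.

```shell
#!/bin/sh
# Added example, not part of the squid_selinux man page or the selinux-policy
# project: work out which squid file type a path should carry, and report
# files whose on-disk label disagrees.

# "type regex" pairs copied from the FILE CONTEXTS section of this man page
# (a subset; extend the table for the remaining types).
SQUID_FCONTEXTS='squid_cache_t /var/cache/squid(/.*)?
squid_cache_t /var/spool/squid(/.*)?
squid_cache_t /etc/squid/ssl_db(/.*)?
squid_conf_t /etc/squid(/.*)?
squid_conf_t /usr/share/squid(/.*)?
squid_exec_t /usr/sbin/squid
squid_exec_t /usr/libexec/squid/cache_swap.sh
squid_log_t /var/log/squid(/.*)?
squid_script_exec_t /usr/lib/squid/cachemgr.cgi
squid_var_run_t /var/run/squid.*'

# expected_type PATH: print the type of the matching entry, preferring the
# entry with the longest literal prefix. That preference is an assumption
# approximating how matchpathcon picks the most specific rule, not a statement
# from the man page. Prints "unlabeled" when nothing matches.
expected_type() {
    _path=$1
    _best_type=unlabeled
    _best_len=-1
    while read -r _type _re; do
        [ -n "$_type" ] || continue
        # policy regexes are implicitly anchored at both ends
        if printf '%s\n' "$_path" | grep -Eq "^${_re}\$"; then
            _stem=$(printf '%s\n' "$_re" | sed 's/[(.*?].*$//')
            _len=${#_stem}
            if [ "$_len" -gt "$_best_len" ]; then
                _best_type=$_type
                _best_len=$_len
            fi
        fi
    done <<EOF
$SQUID_FCONTEXTS
EOF
    echo "$_best_type"
}

# Constructed sample of `ls -Z` style output (context, then path). The cache
# object was copied in without preserving its label.
SAMPLE_LS_Z='system_u:object_r:squid_log_t:s0 /var/log/squid/access.log
system_u:object_r:squid_conf_t:s0 /etc/squid/squid.conf
system_u:object_r:var_t:s0 /var/cache/squid/00/00/00000001
system_u:object_r:squid_cache_t:s0 /etc/squid/ssl_db/index.txt'

# label_drift LISTING: compare the type field of each context with
# expected_type and print a restorecon for every mismatch.
label_drift() {
    printf '%s\n' "$1" | while read -r _ctx _path; do
        [ -n "$_path" ] || continue
        _have=$(printf '%s\n' "$_ctx" | cut -d: -f3)
        _want=$(expected_type "$_path")
        if [ "$_have" != "$_want" ]; then
            echo "$_path: $_have -> $_want (restorecon -v $_path)"
        fi
    done
}

# Live system: label_drift "$(ls -Z /var/cache/squid/00/00/*)"
```

       /etc/squid/ssl_db/index.txt matches both the squid_conf_t and the
       squid_cache_t entries; the longer literal prefix of
       /etc/squid/ssl_db(/.*)? is what makes the snippet report squid_cache_t,
       which is also the label restorecon applies. For a whole tree, prefer
       restorecon -R -v on the directory, which consults the real
       file-context database rather than this subset.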
COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), squid(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), squid_cron_selinux(8),
       squid_script_selinux(8)

squid                              23-02-03                  squid_selinux(8)