squid_selinux(8) SELinux Policy squid squid_selinux(8)

NAME
squid_selinux - Security Enhanced Linux Policy for the squid processes

DESCRIPTION
Security-Enhanced Linux secures the squid processes via flexible mandatory access control.

The squid processes execute with the squid_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep squid_t

ENTRYPOINTS
The squid_t SELinux type can be entered via the squid_exec_t file type.

The default entrypoint paths for the squid_t domain are the following:

/usr/sbin/squid, /usr/libexec/squid/cache_swap.sh
PROCESS TYPES
SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux squid policy is very flexible, allowing users to set up their squid processes in as secure a manner as possible.

The following process types are defined for squid:

squid_t, squid_cron_t, squid_script_t

Note: semanage permissive -a squid_t can be used to make the process type squid_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denial) messages are still generated.
BOOLEANS
SELinux policy is customizable based on the least access required. squid policy is extremely flexible and has several booleans that allow you to manipulate the policy and run squid with the tightest access possible.

If you want to allow squid to bind to the snmp port, you must turn on the squid_bind_snmp_port boolean. Disabled by default.

setsebool -P squid_bind_snmp_port 1

If you want to allow squid to connect to all TCP ports, you must turn on the squid_connect_any boolean. Enabled by default.

setsebool -P squid_connect_any 1

Note: because squid_connect_any is enabled by default, setting it to 0 is the main knob for tightening squid's outbound access; check for AVC denials afterwards.

If you want to allow squid to run as a transparent proxy, you must turn on the squid_use_tproxy boolean. Disabled by default.

setsebool -P squid_use_tproxy 1

If you want to dontaudit all daemons' scheduling requests (setsched, sys_nice), you must turn on the daemons_dontaudit_scheduling boolean. Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow confined applications to run with kerberos, you must turn on the kerberos_enabled boolean. Enabled by default.

setsebool -P kerberos_enabled 1

If you want to allow the system to run with NIS, you must turn on the nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1
PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux squid policy is very flexible, allowing users to set up their squid processes in as secure a manner as possible.

The following port types are defined for squid:

squid_port_t

Default Defined Ports:
tcp 3128,3401,4827
udp 3401,4827
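As an added example (not from this manual page or the squid policy itself), the following POSIX shell function parses the `semanage port -l` output format to tell whether a port is already covered by squid_port_t before a new label is added; the sample output and the port number 3129 are constructed.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated page: check whether a
# port squid will listen on is already covered by squid_port_t by parsing
# the output format of `semanage port -l` (single ports and ranges).

# Constructed sample of `semanage port -l` output. The squid_port_t lines
# match the defaults listed above; http_cache_port_t is illustrative only.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
squid_port_t                   tcp      3128, 3401, 4827
squid_port_t                   udp      3401, 4827'

# port_labeled TYPE PROTO PORT: reads `semanage port -l` output on stdin and
# returns 0 if PORT/PROTO is listed under TYPE, either as a single value or
# inside a LOW-HIGH range; returns 1 otherwise.
port_labeled() {
    ptype="$1" proto="$2" port="$3"
    awk -v t="$ptype" -v pr="$proto" -v p="$port" '
        $1 == t && $2 == pr {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the list comma
                if (split(v, r, "-") == 2) {      # LOW-HIGH range
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                } else if (v + 0 == p + 0) {      # single port
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Runs the check against the constructed sample so it works offline.
sample_port_labeled() { printf '%s\n' "$SAMPLE_PORTS" | port_labeled "$@"; }

# Live use (needs root and semanage installed): label a port only when it
# is not already covered, instead of loosening booleans. Assumes squid is
# configured to listen on 3129 (a constructed example value).
# semanage port -l | port_labeled squid_port_t tcp 3129 \
#     || semanage port -a -t squid_port_t -p tcp 3129
```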
MANAGED FILES
The SELinux process type squid_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

faillog_t

/var/log/btmp.*
/var/log/faillog.*
/var/log/tallylog.*
/var/run/faillock(/.*)?

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

squid_cache_t

/var/lib/ssl_db(/.*)?
/var/lightsquid(/.*)?
/var/squidGuard(/.*)?
/var/cache/squid(/.*)?
/var/spool/squid(/.*)?
/etc/squid/ssl_db(/.*)?

squid_log_t

/var/log/squid(/.*)?
/var/log/squidGuard(/.*)?

squid_tmp_t

squid_tmpfs_t

/dev/shm/squid-*

squid_var_run_t

/var/run/squid.*
FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux squid policy is very flexible, allowing users to set up their squid processes in as secure a manner as possible.

EQUIVALENCE DIRECTORIES

squid policy stores data with multiple different file context types under the /var/log/squid directory. If you would like to store the data in a different directory, you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory, you would execute the following commands:

semanage fcontext -a -e /var/log/squid /srv/squid
restorecon -R -v /srv/squid

STANDARD FILE CONTEXT

SELinux defines the file context types for squid. If you want to store files with these types in different paths, you need to run the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk. For example, to label a content directory under /srv with the squid_content_t type:

semanage fcontext -a -t squid_content_t '/srv/squid/content(/.*)?'
restorecon -R -v /srv/squid/content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for squid:

squid_cache_t

- Set files with the squid_cache_t type, if you want to store the files under the /var/cache directory.

Paths:
/var/lib/ssl_db(/.*)?, /var/lightsquid(/.*)?, /var/squidGuard(/.*)?, /var/cache/squid(/.*)?, /var/spool/squid(/.*)?, /etc/squid/ssl_db(/.*)?

squid_conf_t

- Set files with the squid_conf_t type, if you want to treat the files as squid configuration data, usually stored under the /etc directory.

Paths:
/etc/squid(/.*)?, /etc/lightsquid(/.*)?, /usr/share/squid(/.*)?

squid_content_t

- Set files with the squid_content_t type, if you want to treat the files as squid content.

squid_cron_exec_t

- Set files with the squid_cron_exec_t type, if you want to transition an executable to the squid_cron_t domain.

squid_exec_t

- Set files with the squid_exec_t type, if you want to transition an executable to the squid_t domain.

Paths:
/usr/sbin/squid, /usr/libexec/squid/cache_swap.sh

squid_htaccess_t

- Set files with the squid_htaccess_t type, if you want to treat the file as a squid access file.

squid_initrc_exec_t

- Set files with the squid_initrc_exec_t type, if you want to transition an executable to the squid_initrc_t domain.

squid_log_t

- Set files with the squid_log_t type, if you want to treat the data as squid log data, usually stored under the /var/log directory.

Paths:
/var/log/squid(/.*)?, /var/log/squidGuard(/.*)?

squid_ra_content_t

- Set files with the squid_ra_content_t type, if you want to treat the files as squid read/append content.

squid_rw_content_t

- Set files with the squid_rw_content_t type, if you want to treat the files as squid read/write content.

squid_script_exec_t

- Set files with the squid_script_exec_t type, if you want to transition an executable to the squid_script_t domain.

Paths:
/usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr.cgi

squid_tmp_t

- Set files with the squid_tmp_t type, if you want to store squid temporary files in the /tmp directories.

squid_tmpfs_t

- Set files with the squid_tmpfs_t type, if you want to store squid files on a tmpfs file system.

squid_var_run_t

- Set files with the squid_var_run_t type, if you want to store the squid files under the /run or /var/run directory.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context, you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will then need to use restorecon to apply the labels.
COMMANDS
semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), squid(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8), squid_cron_selinux(8), squid_script_selinux(8)

squid 23-12-15 squid_selinux(8)