1squid_selinux(8) SELinux Policy squid squid_selinux(8)
2
6 squid_selinux - Security Enhanced Linux Policy for the squid processes
7
9 Security-Enhanced Linux secures the squid processes via flexible manda‐
10 tory access control.
11 The squid processes execute with the squid_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep squid_t
19
23 The squid_t SELinux type can be entered via the squid_exec_t file type.
24 The default entrypoint paths for the squid_t domain are the following:
26 /usr/sbin/squid, /usr/libexec/squid/cache_swap.sh
28
30 SELinux defines process types (domains) for each process running on the
31 system
32 You can see the context of a process using the -Z option to ps
34 Policy governs the access confined processes have to files. SELinux
36 squid policy is very flexible allowing users to setup their squid pro‐
37 cesses in as secure a method as possible.
38 The following process types are defined for squid:
40 squid_t, squid_cron_t, squid_script_t
42 Note: semanage permissive -a squid_t can be used to make the process
44 type squid_t permissive. SELinux does not deny access to permissive
45 process types, but the AVC (SELinux denials) messages are still gener‐
46 ated.
47
50 SELinux policy is customizable based on least access required. squid
51 policy is extremely flexible and has several booleans that allow you to
52 manipulate the policy and run squid with the tightest access possible.
53 If you want to determine whether squid should have access to snmp port,
57 you must turn on the squid_bind_snmp_port boolean. Disabled by default.
58 setsebool -P squid_bind_snmp_port 1
60 If you want to determine whether squid can connect to all TCP ports,
64 you must turn on the squid_connect_any boolean. Enabled by default.
65 setsebool -P squid_connect_any 1
67 If you want to determine whether squid can run as a transparent proxy,
71 you must turn on the squid_use_tproxy boolean. Disabled by default.
72 setsebool -P squid_use_tproxy 1
74 If you want to dontaudit all daemons scheduling requests (setsched,
78 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
79 Enabled by default.
80 setsebool -P daemons_dontaudit_scheduling 1
82 If you want to allow all domains to execute in fips_mode, you must turn
86 on the fips_mode boolean. Enabled by default.
87 setsebool -P fips_mode 1
89 If you want to allow confined applications to run with kerberos, you
93 must turn on the kerberos_enabled boolean. Enabled by default.
94 setsebool -P kerberos_enabled 1
96 If you want to allow system to run with NIS, you must turn on the
100 nis_enabled boolean. Disabled by default.
101 setsebool -P nis_enabled 1
103
107 SELinux defines port types to represent TCP and UDP ports.
108 You can see the types associated with a port by using the following
110 command:
111 semanage port -l
113 Policy governs the access confined processes have to these ports.
116 SELinux squid policy is very flexible allowing users to setup their
117 squid processes in as secure a method as possible.
118 The following port types are defined for squid:
120 squid_port_t
123 Default Defined Ports:
127 tcp 3128,3401,4827
128 udp 3401,4827
129
131 The SELinux process type squid_t can manage files labeled with the fol‐
132 lowing file types. The paths listed are the default paths for these
133 file types. Note the processes UID still need to have DAC permissions.
134 cluster_conf_t
136 /etc/cluster(/.*)?
138 cluster_var_lib_t
140 /var/lib/pcsd(/.*)?
142 /var/lib/cluster(/.*)?
143 /var/lib/openais(/.*)?
144 /var/lib/pengine(/.*)?
145 /var/lib/corosync(/.*)?
146 /usr/lib/heartbeat(/.*)?
147 /var/lib/heartbeat(/.*)?
148 /var/lib/pacemaker(/.*)?
149 cluster_var_run_t
151 /var/run/crm(/.*)?
153 /var/run/cman_.*
154 /var/run/rsctmp(/.*)?
155 /var/run/aisexec.*
156 /var/run/heartbeat(/.*)?
157 /var/run/pcsd-ruby.socket
158 /var/run/corosync-qnetd(/.*)?
159 /var/run/corosync-qdevice(/.*)?
160 /var/run/corosync.pid
161 /var/run/cpglockd.pid
162 /var/run/rgmanager.pid
163 /var/run/cluster/rgmanager.sk
164 faillog_t
166 /var/log/btmp.*
168 /var/log/faillog.*
169 /var/log/tallylog.*
170 /var/run/faillock(/.*)?
171 krb5_host_rcache_t
173 /var/tmp/krb5_0.rcache2
175 /var/cache/krb5rcache(/.*)?
176 /var/tmp/nfs_0
177 /var/tmp/DNS_25
178 /var/tmp/host_0
179 /var/tmp/imap_0
180 /var/tmp/HTTP_23
181 /var/tmp/HTTP_48
182 /var/tmp/ldap_55
183 /var/tmp/ldap_487
184 /var/tmp/ldapmap1_0
185 root_t
187 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
189 /
190 /initrd
191 security_t
193 /selinux
195 squid_cache_t
197 /var/lib/ssl_db(/.*)?
199 /var/lightsquid(/.*)?
200 /var/squidGuard(/.*)?
201 /var/cache/squid(/.*)?
202 /var/spool/squid(/.*)?
203 /etc/squid/ssl_db(/.*)?
204 squid_log_t
206 /var/log/squid(/.*)?
208 /var/log/squidGuard(/.*)?
209 squid_tmp_t
211 squid_tmpfs_t
214 /dev/shm/squid-*
216 squid_var_run_t
218 /var/run/squid.*
220
223 SELinux requires files to have an extended attribute to define the file
224 type.
225 You can see the context of a file using the -Z option to ls
227 Policy governs the access confined processes have to these files.
229 SELinux squid policy is very flexible allowing users to setup their
230 squid processes in as secure a method as possible.
231 EQUIVALENCE DIRECTORIES
233 squid policy stores data with multiple different file context types un‐
236 der the /var/log/squid directory. If you would like to store the data
237 in a different directory you can use the semanage command to create an
238 equivalence mapping. If you wanted to store this data under the /srv
239 directory you would execute the following command:
240 semanage fcontext -a -e /var/log/squid /srv/squid
242 restorecon -R -v /srv/squid
243 STANDARD FILE CONTEXT
245 SELinux defines the file context types for the squid, if you wanted to
247 store files with these types in a different paths, you need to execute
248 the semanage command to specify alternate labeling and then use re‐
249 storecon to put the labels on disk.
250 semanage fcontext -a -t squid_exec_t '/srv/squid/content(/.*)?'
252 restorecon -R -v /srv/mysquid_content
253 Note: SELinux often uses regular expressions to specify labels that
255 match multiple files.
256 The following file types are defined for squid:
258 squid_cache_t
262 - Set files with the squid_cache_t type, if you want to store the files
264 under the /var/cache directory.
265 Paths:
268 /var/lib/ssl_db(/.*)?, /var/lightsquid(/.*)?, /var/squid‐
269 Guard(/.*)?, /var/cache/squid(/.*)?, /var/spool/squid(/.*)?,
270 /etc/squid/ssl_db(/.*)?
271 squid_conf_t
274 - Set files with the squid_conf_t type, if you want to treat the files
276 as squid configuration data, usually stored under the /etc directory.
277 Paths:
280 /etc/squid(/.*)?, /etc/lightsquid(/.*)?, /usr/share/squid(/.*)?
281 squid_content_t
284 - Set files with the squid_content_t type, if you want to treat the
286 files as squid content.
287 squid_cron_exec_t
291 - Set files with the squid_cron_exec_t type, if you want to transition
293 an executable to the squid_cron_t domain.
294 squid_exec_t
298 - Set files with the squid_exec_t type, if you want to transition an
300 executable to the squid_t domain.
301 Paths:
304 /usr/sbin/squid, /usr/libexec/squid/cache_swap.sh
305 squid_htaccess_t
308 - Set files with the squid_htaccess_t type, if you want to treat the
310 file as a squid access file.
311 squid_initrc_exec_t
315 - Set files with the squid_initrc_exec_t type, if you want to transi‐
317 tion an executable to the squid_initrc_t domain.
318 squid_log_t
322 - Set files with the squid_log_t type, if you want to treat the data as
324 squid log data, usually stored under the /var/log directory.
325 Paths:
328 /var/log/squid(/.*)?, /var/log/squidGuard(/.*)?
329 squid_ra_content_t
332 - Set files with the squid_ra_content_t type, if you want to treat the
334 files as squid read/append content.
335 squid_rw_content_t
339 - Set files with the squid_rw_content_t type, if you want to treat the
341 files as squid read/write content.
342 squid_script_exec_t
346 - Set files with the squid_script_exec_t type, if you want to transi‐
348 tion an executable to the squid_script_t domain.
349 Paths:
352 /usr/share/lightsquid/cgi(/.*)?, /usr/lib/squid/cachemgr.cgi
353 squid_tmp_t
356 - Set files with the squid_tmp_t type, if you want to store squid tem‐
358 porary files in the /tmp directories.
359 squid_tmpfs_t
363 - Set files with the squid_tmpfs_t type, if you want to store squid
365 files on a tmpfs file system.
366 squid_var_run_t
370 - Set files with the squid_var_run_t type, if you want to store the
372 squid files under the /run or /var/run directory.
373 Note: File context can be temporarily modified with the chcon command.
377 If you want to permanently change the file context you need to use the
378 semanage fcontext command. This will modify the SELinux labeling data‐
379 base. You will need to use restorecon to apply the labels.
380
383 semanage fcontext can also be used to manipulate default file context
384 mappings.
385 semanage permissive can also be used to manipulate whether or not a
387 process type is permissive.
388 semanage module can also be used to enable/disable/install/remove pol‐
390 icy modules.
391 semanage port can also be used to manipulate the port definitions
393 semanage boolean can also be used to manipulate the booleans
395 system-config-selinux is a GUI tool available to customize SELinux pol‐
398 icy settings.
399
402 This manual page was auto-generated using sepolicy manpage .
403
406 selinux(8), squid(8), semanage(8), restorecon(8), chcon(1), sepol‐
407 icy(8), setsebool(8), squid_cron_selinux(8), squid_script_selinux(8)
408squid 23-12-15 squid_selinux(8)