[squid-users] CentOS 6.x and SELinux enforcing with Squid 3.5.x (thanks to Eliezer Croitoru for the RPM)
Garri Djavadyan
garryd at comnet.uz
Tue Oct 18 11:31:19 UTC 2016
On Tue, 2016-10-18 at 13:02 +0200, Walter H. wrote:
> Hello,
>
> just in case anybody wants to run Squid 3.5.x on CentOS
> with SELinux enforcing,
>
> here is the semodule
>
> <squid_update.tt>
> module squid_update 1.0;
>
> require {
> type squid_conf_t;
> type squid_t;
> type var_t;
> class file { append open read write getattr lock
> execute_no_trans };
> }
>
> #============= squid_t ==============
> allow squid_t squid_conf_t:file execute_no_trans;
> allow squid_t var_t:file { append open read write getattr lock };
> </squid_update.tt>
>
> and do the following:
>
> checkmodule -M -m -o squid_update.mod squid_update.tt
> semodule_package -o squid_update.pp -m squid_update.mod
> semodule -i squid_update.pp
Hi,
Have you tried to use the default policy and relabel the target dirs/files
using the types dedicated for squid? For example:
# semanage fcontext -l | grep squid
/etc/squid(/.*)?                    all files       system_u:object_r:squid_conf_t:s0
/var/run/squid.*                    all files       system_u:object_r:squid_var_run_t:s0
/var/log/squid(/.*)?                all files       system_u:object_r:squid_log_t:s0
/usr/share/squid(/.*)?              all files       system_u:object_r:squid_conf_t:s0
/var/cache/squid(/.*)?              all files       system_u:object_r:squid_cache_t:s0
/var/spool/squid(/.*)?              all files       system_u:object_r:squid_cache_t:s0
/usr/sbin/squid                     regular file    system_u:object_r:squid_exec_t:s0
/etc/rc\.d/init\.d/squid            regular file    system_u:object_r:squid_initrc_exec_t:s0
/usr/lib/squid/cachemgr\.cgi        regular file    system_u:object_r:httpd_squid_script_exec_t:s0
/usr/lib64/squid/cachemgr\.cgi      regular file    system_u:object_r:httpd_squid_script_exec_t:s0