Thursday, February 14, 2013

SELinux policy for EZproxy

My "wish list" item for EZproxy to adopt support for SELinux seems to have generated a bit of general interest. It seems that I am not the only one who distrusts big binary blobs of software, and wants to contain them as much as possible.

So, without further ado, here is the policy that I have developed for EZproxy on RHEL6/CentOS6.

ezproxy.te:

policy_module(ezproxy,1.0.20)

########################################
#
# Declarations
#

type ezproxy_t;
type ezproxy_exec_t;

init_daemon_domain(ezproxy_t, ezproxy_exec_t)

type ezproxy_script_exec_t;
init_script_file(ezproxy_script_exec_t)

type ezproxy_rw_t;
files_type(ezproxy_rw_t)

gen_require(`
        type initrc_exec_t;
        # initrc_t is referenced directly in the rules below (signals and shm)
        type initrc_t;
        type sysctl_kernel_t;
        type proc_t;
        type fs_t;
        type tmpfs_t;
        type usr_t;
        type port_t;
        type dns_port_t;
        type public_content_t;
        type public_content_rw_t;
')

########################################
#
# ezproxy local policy
#
allow ezproxy_t self:capability { dac_read_search dac_override chown ipc_owner kill sys_resource setgid setuid };
allow ezproxy_t self:fifo_file rw_file_perms;
allow ezproxy_t self:unix_stream_socket create_stream_socket_perms;
allow ezproxy_t self:shm { create unix_read read setattr getattr associate unix_write write destroy };

# Init script handling
init_domtrans(ezproxy_t)
domain_use_interactive_fds(ezproxy_t)

allow ezproxy_t sysctl_kernel_t:dir { search read };
allow ezproxy_t sysctl_kernel_t:file read;

allow ezproxy_t self:process { setrlimit execmem };
allow ezproxy_t fs_t:filesystem getattr;
allow ezproxy_t tmpfs_t:file { read write };

allow ezproxy_t usr_t:file { read getattr open };
allow ezproxy_t proc_t:file { read open };

allow ezproxy_t initrc_t:process { signull sigkill };
allow ezproxy_t self:process { signull sigkill };
allow ezproxy_t initrc_t:shm { unix_read unix_write };

files_read_etc_files(ezproxy_t)

libs_use_ld_so(ezproxy_t)
libs_use_shared_libs(ezproxy_t)

miscfiles_read_localization(ezproxy_t)

allow ezproxy_t ezproxy_exec_t:file execute_no_trans;

allow ezproxy_t ezproxy_rw_t:file { manage_file_perms read write };
allow ezproxy_t ezproxy_rw_t:dir { search create_dir_perms read write add_name remove_name open };

# Allow the document directory to be a symlink into the ftp directory
allow ezproxy_t ezproxy_rw_t:lnk_file read;

allow ezproxy_t public_content_rw_t:lnk_file read;
allow ezproxy_t public_content_rw_t:dir { search read open };
allow ezproxy_t public_content_rw_t:file { getattr read open };

allow ezproxy_t public_content_t:lnk_file read;
allow ezproxy_t public_content_t:dir { search read };
allow ezproxy_t public_content_t:file { getattr read open };

allow ezproxy_t dns_port_t:udp_socket name_bind;
allow ezproxy_t dns_port_t:tcp_socket name_bind;

sysnet_dns_name_resolve(ezproxy_t)
corenet_all_recvfrom_unlabeled(ezproxy_t)

allow ezproxy_t self:tcp_socket create_stream_socket_perms;
allow ezproxy_t port_t:tcp_socket name_bind;
corenet_tcp_sendrecv_all_if(ezproxy_t)
corenet_tcp_sendrecv_all_nodes(ezproxy_t)
corenet_tcp_sendrecv_all_ports(ezproxy_t)
corenet_tcp_bind_all_nodes(ezproxy_t)
corenet_tcp_connect_all_ports(ezproxy_t)
corenet_tcp_bind_http_port(ezproxy_t)

auth_use_nsswitch(ezproxy_t)

dev_read_rand(ezproxy_t)
dev_read_urand(ezproxy_t)


ezproxy.fc:

/opt/ezproxy/ezproxy    --      gen_context(system_u:object_r:ezproxy_exec_t,s0)
/etc/init.d/ezproxy     --      gen_context(system_u:object_r:ezproxy_script_exec_t,s0)
/opt/ezproxy(/.*)?              gen_context(system_u:object_r:ezproxy_rw_t,s0)
/opt/ezproxy/docs(/.*)?         gen_context(system_u:object_r:public_content_t,s0)

Save those two files, make sure you have the SELinux development environment installed, and you should be able to just run "make -f /usr/share/selinux/devel/Makefile" to generate the ezproxy.pp file.
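As an added example (not part of the original post and not EZproxy's or the refpolicy's own code), here is a small Python script that parses the ezproxy.fc entries above and reports which context a path would get. It approximates setfiles' most-specific-match rule by picking the matching entry with the longest literal stem (the text before the first regex metacharacter); that ordering is an assumption of this example, not a reimplementation of libselinux. It shows why /opt/ezproxy/docs wins over the broader /opt/ezproxy entry, and why the "--" qualifier stops a directory named ezproxy from being labelled ezproxy_exec_t.

```python
import re

# The four ezproxy.fc lines from the post, embedded as constructed input.
EZPROXY_FC = """
/opt/ezproxy/ezproxy    --      gen_context(system_u:object_r:ezproxy_exec_t,s0)
/etc/init.d/ezproxy     --      gen_context(system_u:object_r:ezproxy_script_exec_t,s0)
/opt/ezproxy(/.*)?              gen_context(system_u:object_r:ezproxy_rw_t,s0)
/opt/ezproxy/docs(/.*)?         gen_context(system_u:object_r:public_content_t,s0)
"""

# path-regex, optional file-type qualifier (-- regular file, -d dir, -l symlink, ...),
# then the gen_context() m4 macro that the build expands into a real context.
_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),(\w+)\)$")
_META = re.compile(r"[.^$?*+|\[\](){}]")   # regex metacharacters that end a stem


def parse_fc(text):
    """Return a list of (compiled_regex, file_type_or_None, context, stem)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable fc line: " + line)
        path_re, ftype, ctx, _mls = m.groups()
        meta = _META.search(path_re)
        stem = path_re[: meta.start()] if meta else path_re
        specs.append((re.compile(path_re), ftype, ctx, stem))
    return specs


def match_context(specs, path, ftype="--"):
    """Context of the matching spec with the longest stem; None if no spec matches.

    Assumption of this example: longest stem wins (setfiles orders by specificity)."""
    best = None
    for rx, want, ctx, stem in specs:
        if want not in (None, ftype):        # qualifier filters by file type
            continue
        if rx.fullmatch(path) and (best is None or len(stem) > len(best[1])):
            best = (ctx, stem)
    return best[0] if best else None


SPECS = parse_fc(EZPROXY_FC)

if __name__ == "__main__":
    for p, t in [("/opt/ezproxy/ezproxy", "--"), ("/opt/ezproxy/ezproxy", "-d"),
                 ("/opt/ezproxy/docs/index.html", "--"), ("/opt/ezproxy/ezproxy.cfg", "--")]:
        print(p, t, "->", match_context(SPECS, p, t))
```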

I have only used this in a proxy-by-hostname configuration; since I have not really tested proxy-by-port, there may be some gremlins in port-based setups.
