fedora-selinux / selinux-policy-contrib

Fedora Policy Contributions

squid: Allow net_raw capability when squid_use_tproxy is enabled #315

Closed romanofski closed 4 years ago

romanofski commented 4 years ago

When the SELinux boolean squid_use_tproxy is enabled, this module allows Squid the net_admin capability. However, net_raw will be denied. That capability is needed when squid acts as a transparent proxy, in circumstances also outlined in the capabilities(7) man page:

CAP_NET_RAW

   * Use RAW and PACKET sockets;
   * bind to any address for transparent proxying.

This patch adds net_raw to the capabilities which will be allowed if squid_use_tproxy is enabled.
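For readers unfamiliar with how a boolean-gated rule is written, the fragment below is an added illustration of the change the PR describes, in refpolicy-style policy language. It is not the PR's diff and not the actual contents of the project's squid.te; the surrounding rules, comments and the exact form of the existing net_admin rule are assumptions, and only the effect (net_raw granted alongside net_admin when squid_use_tproxy is on) is taken from the description above.

```selinux
## <desc>
## <p>
## Allow squid to run as a transparent proxy (TPROXY).
## </p>
## </desc>
gen_tunable(squid_use_tproxy, false)

# Illustrative block, not copied from squid.te. Everything inside
# tunable_policy() is only granted while the boolean is set to true.
tunable_policy(`squid_use_tproxy',`
	# net_admin: needed to set IP_TRANSPARENT on the listening socket
	# net_raw:   needed to bind to a non-local (client) address for
	#            transparent proxying, per capabilities(7)
	allow squid_t self:capability { net_admin net_raw };
')
```

After rebuilding and loading the module, `setsebool -P squid_use_tproxy on` enables the rule, and `sesearch -A -s squid_t -c capability -p net_raw -b squid_use_tproxy` confirms that net_raw is granted only conditionally on the boolean rather than unconditionally. If the capability were still missing, the TPROXY bind would fail and `ausearch -m AVC -c squid` would show the corresponding capability denial.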

romanofski commented 4 years ago

PS: In case this patch is acceptable, don't merge right away. I'd like to compile and test first.

zpytela commented 4 years ago

@romanofski, could you share the current status of this PR? The content looks reasonable to me, but you mentioned some testing.

romanofski commented 4 years ago

Dear @zpytela, sorry for the late reply and the missing follow-up comment. When I implemented it, I checked that I didn't run into any regressions with the system under test. I don't have access to the original system any more, but would think the patch's impact to be small.

zpytela commented 4 years ago

@romanofski to say it clear: this PR is ready to merge, right?

romanofski commented 4 years ago

@zpytela yes. Merge ho!

zpytela commented 4 years ago

@romanofski thank you, merging.