The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with
squid. Different types allow you to configure flexible access:
- This type is used for utilities such as
cachemgr.cgi, which provides a variety of statistics about squid and its configuration.
- Use this type for data that is cached by squid, as defined by the
/etc/squid/squid.conf. By default, files created in or copied into
/var/spool/squid/are labeled with the
squid_cache_ttype. Files for the squidGuard URL redirector plugin for
squidcreated in or copied to
/var/squidGuard/are also labeled with the
squid_cache_ttype. Squid is only able to use files and directories that are labeled with this type for its cached data.
- This type is used for the directories and files that
squiduses for its configuration. Existing files, or those created in or copied to
/usr/share/squid/are labeled with this type, including error messages and icons.
- This type is used for the squid binary,
- This type is used for logs. Existing files, or those created in or copied to
/var/log/squidGuard/must be labeled with this type.
- This type is used for the initialization file required to start
squidwhich is located at
- This type is used by files in
/var/run/, especially the process id (PID) named
/var/run/squid.pidwhich is created by squid when it runs.