20.4. Configuration Examples

20.4.1. Squid Connecting to Non-Standard Ports

The following example provides a real-world demonstration of how SELinux complements Squid by enforcing the above Boolean and by default only allowing access to certain ports. This example will then demonstrate how to change the Boolean and show that access is then allowed.
Note that this is an example only and demonstrates how SELinux can affect a simple configuration of Squid. Comprehensive documentation of Squid is beyond the scope of this document. See the official Squid documentation for further details. This example assumes that the Squid host has two network interfaces, Internet access, and that any firewall has been configured to allow access on the internal interface using the default TCP port on which Squid listens (TCP 3128).
  1. Confirm that the squid is installed:
    ~]$ rpm -q squid
    package squid is not installed
    
    If the package is not installed, use the yum utility as root to install it:
    ~]# yum install squid
  2. Edit the main configuration file, /etc/squid/squid.conf, and confirm that the cache_dir directive is uncommented and looks similar to the following:
    cache_dir ufs /var/spool/squid 100 16 256
    
    This line specifies the default settings for the cache_dir directive to be used in this example; it consists of the Squid storage format (ufs), the directory on the system where the cache resides (/var/spool/squid), the amount of disk space in megabytes to be used for the cache (100), and finally the number of first-level and second-level cache directories to be created (16 and 256 respectively).
  3. In the same configuration file, make sure the http_access allow localnet directive is uncommented. This allows traffic from the localnet ACL which is automatically configured in a default installation of Squid on Red Hat Enterprise Linux. It will allow client machines on any existing RFC1918 network to have access through the proxy, which is sufficient for this simple example.
  4. In the same configuration file, make sure the visible_hostname directive is uncommented and is configured to the host name of the machine. The value should be the fully qualified domain name (FQDN) of the host:
    visible_hostname squid.example.com
    
  5. As root, enter the following command to start the squid daemon. As this is the first time squid has started, this command will initialise the cache directories as specified above in the cache_dir directive and will then start the daemon:
    ~]# systemctl start squid.service
    Ensure that squid starts successfully. The output will include the information below, only the time stamp will differ:
    ~]# systemctl status squid.service
    squid.service - Squid caching proxy
       Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled)
       Active: active (running) since Thu 2014-02-06 15:00:24 CET; 6s ago
    
  6. Confirm that the squid process ID (PID) has started as a confined service, as seen here by the squid_var_run_t value:
    ~]# ls -lZ /var/run/squid.pid 
    -rw-r--r--. root squid unconfined_u:object_r:squid_var_run_t:s0 /var/run/squid.pid
    
  7. At this point, a client machine connected to the localnet ACL configured earlier is successfully able to use the internal interface of this host as its proxy. This can be configured in the settings for all common web browsers, or system-wide. Squid is now listening on the default port of the target machine (TCP 3128), but the target machine will only allow outgoing connections to other services on the Internet through common ports. This is a policy defined by SELinux itself. SELinux will deny access to non-standard ports, as shown in the next step:
  8. When a client makes a request using a non-standard port through the Squid proxy such as a website listening on TCP port 10000, a denial similar to the following is logged:
    SELinux is preventing the squid daemon from connecting to network port 10000
    
  9. To allow this access, the squid_connect_any Boolean must be modified, as it is disabled by default:
    ~]# setsebool -P squid_connect_any on

    Note

    Do not use the -P option if you do not want setsebool changes to persist across reboots.
  10. The client will now be able to access non-standard ports on the Internet as Squid is now permitted to initiate connections to any port, on behalf of its clients.