The main permission control method used in SELinux targeted policy to provide advanced process isolation is Type Enforcement. All files and processes are labeled with a type: types define a SELinux domain for processes and a SELinux type for files. SELinux policy rules define how types access each other, whether it be a domain accessing a type, or a domain accessing another domain. Access is only allowed if a specific SELinux policy rule exists that allows it.
The following types are used with Squid. Different types allow you to configure flexible access:
- This type is used for utilities such as
cachemgr.cgi, which provides a variety of statistics about Squid and its configuration.
- Use this type for data that is cached by Squid, as defined by the
/etc/squid/squid.conf. By default, files created in or copied into the
/var/spool/squid/directories are labeled with the
squid_cache_ttype. Files for the squidGuard URL redirector plug-in for
squidcreated in or copied to the
/var/squidGuard/directory are also labeled with the
squid_cache_ttype. Squid is only able to use files and directories that are labeled with this type for its cached data.
- This type is used for the directories and files that Squid uses for its configuration. Existing files, or those created in or copied to the
/usr/share/squid/directories are labeled with this type, including error messages and icons.
- This type is used for the
- This type is used for logs. Existing files, or those created in or copied to
/var/log/squidGuard/must be labeled with this type.
- This type is used for the initialization file required to start
squidwhich is located at
- This type is used by files in the
/var/run/directory, especially the process id (PID) named
/var/run/squid.pidwhich is created by Squid when it runs.